Separation of Duties

The separation of duties is a powerful internal control. Its objective is to ensure that duties (roles) are assigned to individuals in a manner so that no one individual can control a process from start to finish. The question of who should do what becomes extremely important in a web-enabled and/or distributed environment where on-line system pre-approval does not exist and central control is not apparent to the user.

Everyone occasionally makes mistakes. Separation of duties provides a complementary check by another individual. It allows an opportunity for someone to catch an error before a transaction is fully executed and/or before a decision is made based on potentially erroneous data. In addition, having adequate separation of duties reduces the ‘opportunity’ factor that might encourage an employee to commit fraud or to embezzle.

Guidance is given below for the separation of duties in the following areas:

HCM and OPTRS

HCM (Human Capital Management) is used for all actions that formerly required a Personnel Action Form (PAF). OPTRS (On-line Payroll Time Reporting System) replaces the paper forms used to submit positive time, additional pay, exceptional pay and payroll transfers. In order to ensure true separation of duties, a department should analyze these systems together when assigning roles, because HCM sets up an employee to be paid and OPTRS pays them, particularly those on “positive pay” status (positive time reporting classified employees). If the role assignments are made for each system in isolation, the possibility exists that one individual could end up controlling the entire process.

Looking at both systems at the same time when assigning responsibilities can reduce errors and prevent or detect inappropriate transactions, such as:

Distributions to unauthorized employees
Improper changes to personnel files resulting in misappropriation of funds
Incorrect hours submitted for payment
Theft of payroll checks

Things to think about when assigning HCM and OPTRS roles

If staffing levels allow, employees should not have the ability to update data in both HCM and OPTRS. Ideally, no one individual should be in a position to set up employees in HCM and then pay them through OPTRS. The risk is greatest in a unit that is almost exclusively positive pay employees.
Notifications should be routed to individuals who will actually look at them and can understand what the information on the notification means. This is especially important in very small units where the same person does have update access to both systems. For departments that have mostly “exception pay” employees, prompt review of the HCM transaction notifications and reports is critical in order to prevent inappropriate payments.
Reports should be used to indirectly review transactions since HCM and OPTRS do not provide for approvals within the system.
Someone outside the personnel/payroll function should distribute checks and Surepay envelopes. In addition, the distribution process should require each employee to sign, acknowledging receipt. Unclaimed checks and Surepay envelopes should be sent to the Cashier’s Office after 10 days.
Reconciliations should be performed by someone who does not have update access (HCM Administrator or PPS Preparer) to the system data, perhaps even someone outside of the personnel/payroll function.

Because departments no longer rely on central offices to perform data entry functions, the review and reconciliation process has changed. Instead of looking for data entry errors, the reviewer/reconciler should be looking more at the appropriateness of the action and the accounting activity associated with it.

Some questions to ask while reconciling the data:

Are time sheets and other pre-approval documents signed and filed in a location that is accessible only to those with a need to know?
Do the rates of pay appear consistent for people in similar roles?
Are there any unusual trends in the number of hours worked for particular employees?
Since there are no post authorization notifications (PANs) for “pre-list” on-line roster time reporting actions, how do I verify that the entries tie to the time and rate submitted by the employee, and that the hours were actually worked?
What is the reason for most of the payroll expense transfer (UPAY) transactions? Is there something that can be done in the department to reduce the volume?
Are employees appearing on the report with whom I am not familiar?

In order to illustrate how adequate separation of duties can be achieved, the following matrices have been developed:

Separation of Duties Matrix: Large Business Office (pdf)

Separation of Duties Matrix: Two-Person Business Office (pdf)

Please direct any questions regarding the above matrices or separation of duties concepts to the Office of the Controller at controller@berkeley.edu.

Campus Deposit System and General Ledger Reconciliation

The Campus Deposit System (CDS) is used by departments to process the cash and cash equivalents (i.e., checks, credit cards, etc.) that they receive for deposit to the bank. In addition, CDS submits the initial credit entry of the funds to the general ledger.

To maintain adequate controls, departments should ensure the separation of duties between the CDS deposit preparer and the individual responsible for reviewing the deposit information in the general ledger. These two roles should be administratively independent and performed by more than one individual. Independent review of posted deposits is important to help ensure that expected income, based on general knowledge of operations, is actually received.

Please direct any questions regarding separation of duties concepts to the Office of the Controller at controller@berkeley.edu.

Property Management/BETS

Departmental Equipment Custodians are responsible for tracking their department assets. Separating duties in a small department may be very difficult. However, the following guidelines should mitigate risks to an acceptable level:

The Equipment Custodian should not be the unit’s BFS Reviewer. The Equipment Custodian can be the Preparer and/or the Approver.

The Equipment Custodian’s supervisor should review and sign-off on the bi-annual inventory report (BETS 920).
The unit should be monitored (“audited”) by Property Management at least bi-annually.
The “audit” and the inventory report process should not occur in the same year.