As a result of the current economic environment, most organizations are realizing that they not only need to continually find ways to do more to enhance their competitiveness – such as providing a greater level of service, or offering a more innovative manner of delivering that service - but, they also need to do it with less resources. As we all look for ways to contain our costs, one of the obvious avenues is to limit our hiring – as with most service organizations, the cost of staffing the operation is often the single highest financial statement line item. So when university units are faced with the decision of how to accommodate retirements or staffing vacancies due to employees moving on to other jobs, often the decision is made to not re-staff the position and to simply absorb the corresponding roles and responsibilities into other currently staffed positions.
While this approach can often lead to realized efficiencies as individuals design new processes for getting the same (or more) work done with a smaller-sized staff, it can also easily result in incompatible functions (from an internal control standpoint) being performed by the same individual, thereby resulting in a compromised segregation of duties for which no mitigating or compensating strategy has been implemented.
“Segregation of Duties” is an internal control activity that is very important for achieving a strong internal control environment. Having a robust segregation of duties between important functions can help to ensure that errors and/or inappropriate activity is detected quickly and corrected.
The underlying concept of segregation of duties is that no employee should be in a position to both perpetrate and to conceal errors or fraud in the normal course of their duties. The incompatible duties to be segregated are (1) custody of the assets, (2) authorization or approval of related transactions affecting those assets, (3) recording or reporting of related transactions, and (4) reconciliations. The same person should not be responsible for more than one of these functions. Segregation of duties is effective because in order for an individual to commit fraud or intentionally conceal an error another individual in the process would need to be recruited (i.e., collusion) as a conspirator, which is risky for the perpetrator as they might be discovered by an honest co-worker.
Some examples (and truly this is just a sampling) of functions that need to be segregated include:
Individuals responsible for collecting cash (“custody”) should not also prepare the deposit (“recording”), and reconcile the account ledgers (“reconciliation”).
Individuals responsible for placing orders (“authorization”) (i.e., transacting P-card purchases, Invoice Payment Forms) should not also be reconciling those transactions in the ledgers (“reconciliation”).
Individuals responsible for tracking (i.e., “recording”) student progress through their academic career at RIT should not also be certifying (i.e., “authorizing”) the student for graduation.
Individuals responsible for developing/programming new systems/changes to systems (“custody”) should not also be responsible for migrating those system/changes to systems to production (“recording”).
Individuals who “record” their own time in Kronos should not also approve (“authorize”) that time record.
If segregation of duties cannot be achieved due to staffing constraints, a mitigating/compensating control needs to be implemented. For example, the individual’s supervisor would need to exercise a greater degree of oversight and monitoring over the process.
As with any internal control, there are good reasons for implementing a strong segregation of duties –the control benefits RIT as it serves to deter fraud or identify errors; however, it is just as important for each of us –employees of RIT –as it puts into place a process that will afford us an avenue to avoid unwarranted scrutiny, thereby protecting our own personal integrity of which the benefit is priceless.
So we challenge you now to examine your processes and determine if a compromised segregation of duties exists. If so, either develop a process to segregate the functions or mitigate the risks. If you are uncertain how to do this, just give us a call. We are happy to be a resource for you.
Contributed by Gregg Despard, Senior IT Internal Auditor, IACA
Green Auditing? With many things in our lives going ‘green’, such as organic foods and environmentally safe cleaning products, it is only logical that eventually the green revolution would impact the discipline of audit. ‘Green’ is a term used to refer to goods, services, and practices aimed at reducing, minimizing, or not harming, ecosystems or the environment. It is also referred to as being environmentally friendly, eco-friendly, or nature friendly. 
In response to this ‘green’ trend, as well as environmental laws and regulations, ‘Green Auditing’ was born. ‘Green Auditing’ is the process of assessing the environmental impact of an organization, process, or product. This includes everything from auditing food labeled as organic to monitoring the chemical byproducts of a manufacturing process such as carbon emissions.
Green Audits enable companies and other organizations to identify their environmental impacts, define a strategy to efficiently reduce these impacts, and assess their compliance with applicable laws and regulations. Contrary to the popular belief that implementing a ‘green’ business approach will increase costs, Green Auditing can actually help organizations to discover opportunities to save money, improve work quality, and better employee health and safety. A Green Audit also reduces liabilities by identifying key risks that need to be addressed in order to meet regulatory compliance.
RIT is a leader in ‘green’ technologies, not only for implementing green business practices and guidelines throughout the campus, but also through the work performed in the Golisano Institute for Sustainability, or GIS. GIS is a multidisciplinary academic unit at RIT whose mission is to undertake world-class education and research programs in sustainability with major foci on sustainable production, sustainable energy, sustainable mobility and ecologically friendly information technology systems. 
Within the Internal Audit, Compliance, and Advisement (IACA) department at RIT, we observe RIT’s ‘green’ sustainability initiatives, such as double sided printing to use less paper and recycling office supplies by way of the RITchie’s List. IACA also uses a ‘green’ process approach to our audits by working collaboratively with those we are auditing to organically find solutions or mitigating controls to resolve observations or findings. 
Finding collaborative, organic solutions to observations and findings fosters more participation from contributors, which results in a better solution, tailored to the environment, with individual buy-in. A ‘green’ audit process literally “grows” cost effective holistic solutions using existing expertise.
Going ‘green’ isn’t a fading fad, as some may think, but something that continues to change the way things are made, what they are made of, and even how people think. So the next time you see an ‘organic’ label or other ‘green’ product, remember that Green Auditing, if part of a good ‘green’ process, helps ensure what we call ‘green’ it is truly ‘green’.
* Illustration by G. Despard; May 2013.
 "Nature-friendly". Webster's New Millennium Dictionary of English, Preview Edition (v 0.9.7). Lexico Publishing Group, LLC.
 “Green to Gold: How Smart Companies Use Environmental Strategy to Innovate, Create Value, and Build Competitive Advantage” by Daniel C. Esty and Andrew Winston; Yale University Press, January 2009.
Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our webpage.
Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment, and many others.