Segregation of Duties Assessment
Annual or quarterly review run by the controller or internal audit lead to verify that incompatible duties across cash, A/P, A/R, payroll, and fixed assets are split among different employees. Captures findings, compensating controls, and partner sign-off as workpaper evidence.
Cash Receipts and Deposits
- Confirm receiving and recording are separated
Pull the user-permission report from QuickBooks Online or Sage Intacct. The employee opening the mail and logging checks on the daily cash receipts log must not also have rights to post deposits to the customer subledger. Common breach: a small office where the AR clerk both opens the mail and applies cash.
- Verify the deposit preparer is independent
Trace three random deposit slips from the mailroom log to the bank deposit. The person walking the deposit to the bank (or scanning remote deposit) should not be the one who logged the receipts or who applies cash to AR. Document who performed each step on the daily deposit summary.
- Test bank reconciliation reviewer independence
The bank rec preparer must have no cash-handling, deposit, or journal-posting access. Pull the last three months of bank recs and confirm the reviewer signature is a different person than the cash receipts clerk. Reconciling items outstanding for more than 30 days are a red flag; note any in the workpaper.
- Document compensating controls for cash
Small offices often cannot fully segregate cash duties. Acceptable compensating controls include: owner reviews the bank rec monthly with a signed checklist; daily deposit slip is photographed and sent to the controller; surprise cash counts. Describe the specific compensating control and who performs it.
Purchasing and Accounts Payable
- Split requisitioning from PO approval
The employee who creates a purchase requisition cannot also be the approver in Bill.com, Ramp, or NetSuite. Pull the approval-matrix report and verify the limits; a common pattern is $0–$2,500 manager, $2,500–$25,000 controller, $25,000+ CFO. Anyone listed as both originator and approver is an exception.
- Confirm three-way match segregation
Three-way match (PO + receiving report + vendor invoice) requires three independent inputs. Confirm the receiving clerk does not have edit access to the vendor master file or AP entry. Anyone who can add a vendor and approve their bill can run a fictitious-vendor scheme.
- Verify AP reconciler independence
The person tying AP aging to the GL control account must not enter bills, cut checks, or run ACH batches. Pull the last AP aging tie-out workpaper and verify the preparer and reviewer are different roles. Any reconciling difference over $500 needs a documented memo.
- Document compensating controls for AP
Where roles cannot be split, document the mitigating controls: positive pay on the disbursement account, dual-signature requirement on checks over $10,000, monthly vendor master change-log review by the controller, or quarterly fictitious-vendor scan against IRS TIN match.
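An added example (not part of this template or of any of the named products) of testing the approval-matrix report against the tiers described above: each approval is flagged if the originator approved their own request or if the approver's role sits below the tier the amount requires. The log layout, role names and the tier boundaries (lower bound inclusive) are assumptions.

```python
from decimal import Decimal

# Approval tiers from the checklist above; treating each lower bound as
# inclusive is an assumption made for this example.
APPROVAL_TIERS = [
    (Decimal("0"), Decimal("2500"), "manager"),
    (Decimal("2500"), Decimal("25000"), "controller"),
    (Decimal("25000"), None, "cfo"),
]
ROLE_RANK = {"manager": 1, "controller": 2, "cfo": 3}

def required_role(amount):
    """Lowest role allowed to approve a given dollar amount."""
    amount = Decimal(str(amount))
    for low, high, role in APPROVAL_TIERS:
        if amount >= low and (high is None or amount < high):
            return role
    raise ValueError(f"no tier for amount {amount}")

def check_approval_log(entries):
    """Return one exception per approval that breaks the matrix: the
    originator approving their own request, or an approver whose role
    ranks below what the amount requires. Entries are dicts with keys
    id, amount, originator, approver, approver_role (layout assumed)."""
    exceptions = []
    for e in entries:
        needed = required_role(e["amount"])
        reasons = []
        if e["originator"] == e["approver"]:
            reasons.append("originator approved own request")
        if ROLE_RANK.get(e["approver_role"], 0) < ROLE_RANK[needed]:
            reasons.append(f"approved by {e['approver_role']}, requires {needed}")
        if reasons:
            exceptions.append({"id": e["id"], "amount": e["amount"], "reasons": reasons})
    return exceptions

# Constructed approval log, not from any real system.
SAMPLE_LOG = [
    {"id": "PO-1001", "amount": "1800.00", "originator": "asmith", "approver": "bjones", "approver_role": "manager"},
    {"id": "PO-1002", "amount": "9400.00", "originator": "asmith", "approver": "bjones", "approver_role": "manager"},
    {"id": "PO-1003", "amount": "31000.00", "originator": "cdavis", "approver": "cdavis", "approver_role": "controller"},
    {"id": "PO-1004", "amount": "2500.00", "originator": "asmith", "approver": "ewong", "approver_role": "controller"},
]
```

On the sample log, `check_approval_log(SAMPLE_LOG)` flags PO-1002 (manager approved an amount in the controller tier) and PO-1003 (self-approval and a controller approving a CFO-tier amount); PO-1004 sits exactly on the $2,500 boundary and passes under the inclusive lower-bound assumption.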
Sales and Accounts Receivable
- Split invoicing, cash application, and posting
Three roles, three people: invoice generation, cash application to customer accounts, and posting to the GL revenue accounts. A single person controlling all three can run a lapping scheme: applying customer A's payment to customer B's prior balance to hide a theft.
- Restrict credit memo and write-off authority
Bad-debt write-offs and credit memos must require approval one level above the AR clerk. Pull the last quarter's credit-memo log; any memo over $1,000 should have controller or CFO sign-off attached. Frequent small write-offs to a single customer are a fraud indicator.
- Schedule independent AR aging review
A monthly aging review by someone outside the AR function catches lapping and stale receivables. Confirm the reviewer documents the 60+ and 90+ buckets with collection notes. The bookkeeper running aging without partner follow-up is the most common SMB weakness.
Payroll Processing
- Separate HR master-file changes from payroll runs
In Gusto, ADP, or Rippling, the person adding employees, changing pay rates, or adjusting tax withholding must not be the same one who runs the payroll batch. Pull the change log for the last quarter and trace each rate change to a signed authorization form.
- Run an independent payroll register review
Before each pay date, a reviewer outside payroll processing compares the register to the prior period for new hires, terminations, and rate changes. Watch for ghost employees and unusual bonus or commission spikes. The reviewer initials the register copy in the workpaper file.
- Verify direct-deposit setup is segregated
The employee who keys bank account numbers into the payroll system must not also approve the payroll batch. Confirm the provider sends a change-confirmation email to the employee and to a second approver. Direct-deposit redirection fraud is the most common payroll attack vector.
Fixed Assets and Inventory
- Split asset custody from accounting records
The warehouse manager or operations lead with physical custody of assets must not maintain the fixed-asset subledger or the depreciation schedule. Pull the FA roll-forward and confirm the preparer's role does not include receiving or asset tagging.
- Separate inventory counts from reconciliation
Cycle counts and the annual physical must use teams independent of the perpetual inventory system administrator. Variance investigation and shrink adjustments require controller approval, not warehouse self-adjustment. Pull the last variance log and trace adjustments over $1,000 to a signed memo.
- Confirm asset disposal authorization is segregated
Asset disposals (sales, scrapping, write-offs) need approval from someone outside operations and accounting. Trace last year's disposal entries to authorization forms and to the cash receipt or scrap dealer ticket. Unauthorized disposals are a common asset-misappropriation pattern.
Documentation and Sign-Off
- Compile the SOD assessment workpaper
Assemble the control matrix, user-access reports from each system, sample selections, and finding memos into a single PDF. Cross-reference each exception to its compensating control or remediation item. This is the artifact external auditors and the audit committee will request.
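One way to run the cross-system conflict check mechanically, as an added example rather than code from this template or from any of the named accounting products: the incompatible-duty pairs from the steps above are encoded as rules and applied to a user-permission export, and each hit is marked open or mitigated against the compensating-control register. The permission labels, the CSV layout and the sample users are assumptions.

```python
import csv
import io

# Incompatible-duty pairs drawn from the checklist above. The permission
# labels are assumed for this example, not identifiers from any real system.
SOD_RULES = [
    ("log_cash_receipts", "apply_cash_to_ar", "Cash: receiving vs recording"),
    ("prepare_bank_rec", "post_journal_entries", "Cash: bank rec vs posting"),
    ("create_requisition", "approve_purchase_order", "AP: requisition vs approval"),
    ("edit_vendor_master", "approve_vendor_bill", "AP: vendor master vs bill approval"),
    ("generate_invoices", "apply_cash_to_ar", "AR: invoicing vs cash application"),
    ("change_payroll_master", "run_payroll_batch", "Payroll: master changes vs run"),
    ("key_direct_deposit", "approve_payroll_batch", "Payroll: bank details vs approval"),
]

def parse_access_report(csv_text):
    """Build {user: set(permissions)} from a user,system,permission export."""
    access = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        access.setdefault(row["user"].strip(), set()).add(row["permission"].strip())
    return access

def find_sod_conflicts(access, rules=SOD_RULES, compensating=None):
    """One finding per (user, rule) where the user holds both permissions.
    Status is 'mitigated' when (user, label) has a documented compensating
    control, otherwise 'open'; open findings go to the remediation tracker."""
    compensating = compensating or {}
    findings = []
    for user, perms in sorted(access.items()):
        for left, right, label in rules:
            if left in perms and right in perms:
                control = compensating.get((user, label))
                findings.append({"user": user, "conflict": label,
                                 "status": "mitigated" if control else "open",
                                 "compensating_control": control})
    return findings

# Constructed sample export and compensating-control register, not from any real system.
SAMPLE_EXPORT = """user,system,permission
jdoe,QBO,log_cash_receipts
jdoe,QBO,apply_cash_to_ar
jdoe,QBO,generate_invoices
mlee,Bill.com,create_requisition
mlee,Bill.com,approve_purchase_order
rkim,Gusto,change_payroll_master
rkim,Gusto,run_payroll_batch
"""
SAMPLE_CONTROLS = {("jdoe", "Cash: receiving vs recording"):
                   "Owner reviews the bank rec monthly with a signed checklist"}
```

Running `find_sod_conflicts(parse_access_report(SAMPLE_EXPORT), compensating=SAMPLE_CONTROLS)` on the sample yields four findings: jdoe's cash conflict is mitigated by the documented owner review, while jdoe's AR conflict, mlee's AP conflict and rkim's payroll conflict remain open.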
- Obtain partner or controller sign-off
The controller or engagement partner reviews findings, approves the compensating-control plan, and signs off. Any open exceptions roll into the management letter and the next quarterly remediation tracker. File the signed package in the engagement binder under the SOD tab.