Segregation of Duties Assessment

Cash Receipts and Deposits

    Pull the user-permission report from QuickBooks Online or Sage Intacct. The employee opening the mail and logging checks on the daily cash receipts log must not also have rights to post deposits to the customer subledger. Common violation: a small office where the AR clerk both opens the mail and applies cash.

    Trace three random deposit slips from the mailroom log to the bank deposit. The person walking the deposit to the bank (or scanning remote deposit) should not be the one who logged the receipts or who applies cash to AR. Document who performed each step on the daily deposit summary.

    The bank rec preparer must have no cash-handling, deposit, or journal-posting access. Pull the last three months of bank recs and confirm the reviewer signature is a different person than the cash receipts clerk. Reconciling items that have aged more than 30 days are a red flag; note any in the workpaper.

    Small offices often cannot fully segregate cash duties. Acceptable compensating controls include: owner reviews the bank rec monthly with a signed checklist; daily deposit slip is photographed and sent to the controller; surprise cash counts. Describe the specific compensating control and who performs it.

Purchasing and Accounts Payable

    The employee who creates a purchase requisition cannot also be the approver in Bill.com, Ramp, or NetSuite. Pull the approval-matrix report and verify limits; a common pattern is $0–$2,500 manager, $2,500–$25,000 controller, $25,000+ CFO. Anyone listed as both originator and approver is an exception.

    Three-way match (PO + receiving report + vendor invoice) requires three independent inputs. Confirm the receiving clerk does not have edit access to the vendor master file or AP entry. Anyone who can add a vendor and approve their bill can run a fictitious-vendor scheme.

    The person tying AP aging to the GL control account must not enter bills, cut checks, or run ACH batches. Pull the last AP aging tie-out workpaper and verify the preparer and reviewer are different roles. Any reconciling difference over $500 needs a documented memo.

    Where roles cannot be split, document the mitigating controls: positive pay on the disbursement account, dual-signature requirement on checks over $10,000, monthly vendor master change-log review by the controller, or quarterly fictitious-vendor scan against IRS TIN match.

Sales and Accounts Receivable

    Three roles, three people: invoice generation, cash application to customer accounts, and posting to the GL revenue accounts. A single person controlling all three can run lapping schemes — applying customer A's payment to customer B's prior balance to hide a theft.

    Bad-debt write-offs and credit memos must require approval one level above the AR clerk. Pull the last quarter's credit-memo log; any memo over $1,000 should have controller or CFO sign-off attached. Frequent small write-offs to a single customer are a fraud indicator.

    A monthly aging review by someone outside the AR function catches lapping and stale receivables. Confirm the reviewer documents the 60+ and 90+ buckets with collection notes. The bookkeeper running aging without partner follow-up is the most common SMB weakness.

Payroll Processing

    In Gusto, ADP, or Rippling, the person adding employees, changing pay rates, or adjusting tax withholding must not be the same one who runs the payroll batch. Pull the change log for the last quarter and trace each rate change to a signed authorization form.

    Before each pay date, a reviewer outside payroll processing compares the register to the prior period for new hires, terminations, and rate changes. Watch for ghost employees and unusual bonus or commission spikes. Reviewer initials the register copy in the workpaper file.

    The employee who keys bank account numbers into the payroll system must not also approve the payroll batch. Confirm the provider sends a change-confirmation email to the employee and to a second approver. Direct-deposit redirection fraud is the most common payroll attack vector.

Fixed Assets and Inventory

    The warehouse manager or operations lead with physical custody of assets must not maintain the fixed-asset subledger or the depreciation schedule. Pull the FA roll-forward and confirm the preparer's role does not include receiving or asset tagging.

    Cycle counts and the annual physical must use teams independent of the perpetual inventory system administrator. Variance investigation and shrink adjustments require controller approval, not warehouse self-adjustment. Pull the last variance log and trace adjustments over $1,000 to a signed memo.

    Asset disposals (sales, scraps, write-offs) need approval from someone outside operations and accounting. Trace last year's disposal entries to authorization forms and to the cash receipt or scrap dealer ticket. Unauthorized disposals are a common asset-misappropriation pattern.
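The access checks in the Cash Receipts, Purchasing and AP, Sales and AR, Payroll, and Fixed Assets sections above all reduce to the same test: does one user hold every permission in a toxic combination, and did an approver sign off on spend they originated or on an amount above their tier. The script below is an added example, not part of the Manifestly checklist or any vendor's tooling. The permission labels, user rows, and approval rows are constructed; real QuickBooks, Bill.com, or Gusto exports carry their own column names and must be mapped onto the (user, permission) pairs the script expects. It also assumes that an amount exactly on a tier boundary belongs to the lower tier, which the checklist does not specify.

```python
"""Segregation-of-duties scan over a user-permission export (added example)."""
import csv
import io
from collections import defaultdict

# Toxic permission sets drawn from the checklist sections. A user holding
# every permission in one set is an SOD exception for that section.
# Permission labels are constructed; map your system's role names onto them.
TOXIC_SETS = [
    ("Cash Receipts", {"log_cash_receipts", "post_deposits"}),
    ("Cash Receipts", {"prepare_bank_rec", "post_deposits"}),
    ("Cash Receipts", {"prepare_bank_rec", "post_journal"}),
    ("Purchasing/AP", {"create_requisition", "approve_requisition"}),
    ("Purchasing/AP", {"edit_vendor_master", "enter_ap_bill"}),
    ("Purchasing/AP", {"reconcile_ap_aging", "enter_ap_bill"}),
    ("Purchasing/AP", {"reconcile_ap_aging", "cut_checks"}),
    ("Sales/AR", {"generate_invoices", "apply_cash", "post_revenue"}),
    ("Payroll", {"change_payroll_master", "run_payroll_batch"}),
    ("Payroll", {"key_bank_accounts", "approve_payroll_batch"}),
    ("Fixed Assets", {"physical_custody", "maintain_fa_subledger"}),
]

# Approval tiers from the AP section: (inclusive upper bound, minimum role).
# Treating the boundary as belonging to the lower tier is an assumption.
APPROVAL_TIERS = [(2_500, "manager"), (25_000, "controller"), (float("inf"), "cfo")]
ROLE_RANK = {"manager": 1, "controller": 2, "cfo": 3}

# Constructed user-permission export, one row per grant, standing in for the
# reports pulled from QuickBooks Online, Bill.com, Gusto, and similar systems.
USER_PERMISSIONS_CSV = """\
user,system,permission
jdoe,QuickBooks,log_cash_receipts
jdoe,QuickBooks,post_deposits
asmith,QuickBooks,prepare_bank_rec
bwong,Bill.com,edit_vendor_master
bwong,Bill.com,enter_ap_bill
bwong,Bill.com,create_requisition
ckhan,Gusto,change_payroll_master
dlee,Gusto,run_payroll_batch
dlee,Gusto,key_bank_accounts
dlee,Gusto,approve_payroll_batch
"""

# Constructed approval-matrix sample: who approved which requisition.
APPROVALS_CSV = """\
req_id,amount,originator,approver,approver_role
R-1001,1200.00,bwong,mgarcia,manager
R-1002,18000.00,bwong,mgarcia,manager
R-1003,4000.00,bwong,bwong,controller
"""


def load_permissions(csv_text):
    """Collapse the export into {user: set(permissions)}."""
    perms = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        perms[row["user"]].add(row["permission"])
    return dict(perms)


def find_sod_conflicts(perms):
    """Return (user, section, toxic_set) for every toxic set a user fully holds."""
    conflicts = []
    for user, held in sorted(perms.items()):
        for section, toxic in TOXIC_SETS:
            if toxic <= held:  # subset test: every permission in the set is held
                conflicts.append((user, section, tuple(sorted(toxic))))
    return conflicts


def required_role(amount):
    """Lowest role allowed to approve the given amount under APPROVAL_TIERS."""
    for upper, role in APPROVAL_TIERS:
        if amount <= upper:
            return role
    raise ValueError("amount exceeds every tier")


def check_approvals(csv_text):
    """Flag self-approval and approvals signed below the tier the amount requires."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        amount = float(row["amount"])
        if row["originator"] == row["approver"]:
            findings.append((row["req_id"], "self-approval"))
        needed = required_role(amount)
        if ROLE_RANK[row["approver_role"]] < ROLE_RANK[needed]:
            findings.append((row["req_id"], f"approved by {row['approver_role']}, requires {needed}"))
    return findings


if __name__ == "__main__":
    for user, section, toxic in find_sod_conflicts(load_permissions(USER_PERMISSIONS_CSV)):
        print(f"SOD exception [{section}] {user}: holds {' + '.join(toxic)}")
    for req_id, issue in check_approvals(APPROVALS_CSV):
        print(f"Approval exception {req_id}: {issue}")
```

Each exception the script prints maps to one row in the control matrix: either a role split you can make in the system, or a compensating control (owner-reviewed bank rec, positive pay, dual signature, change-confirmation email) that you name and assign to a specific person in the finding memo.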

Documentation and Sign-Off

    Assemble the control matrix, user-access reports from each system, sample selections, and finding memos into a single PDF. Cross-reference each exception to its compensating control or remediation item. This is the artifact external auditors and the audit committee will request.

    The controller or engagement partner reviews findings, approves the compensating-control plan, and signs off. Any open exceptions roll into the management letter and the next quarterly remediation tracker. File the signed package in the engagement binder under the SOD tab.

Use this template in Manifestly
