Auditing/Separation of Duties

Question
I work for a non-profit organization in New York. What is the auditing practice as it relates to separation of functions/duties? Our finance office wants to have access to our donor database which houses all donation data. My understanding is that there has to be a clear-cut separation to allow for checks and balances between the departments.

My second question - how does CFO oversight work in this case if their primary function is to manage the finance department? If they have access to the donor database, should it be a read only or reports only access?

Thanks.

Answer
The concept of separation of duties is that of an internal control designed to ensure that no single person has full control of a transaction.  For example, if a donor sends in a check, there should not be a single person that receives the mail, opens the mail, receives the check, records the check, deposits the check, and updates the financial system.  Obviously, this is to prevent someone from stealing any money… not to imply that anyone would but many people cannot resist the temptation if they know there is no oversight or visibility of their actions.

In your case, merely having access to the database of donors and the amount donated might actually be a good thing in that there is visibility to the donations entered which might prevent someone from ‘not entering’ that nice cash donation of $500 that came in an envelope from an anonymous source (because knowing there is visibility… they know it could be a test by a board member or the auditor).

Of course, without knowing the business process you use in receiving, recording, and depositing donations, it is hard to give an opinion.  

The only downside I would see is that the donor database would be considered proprietary information and the more people that have access to it, the more difficult it is to keep it from leaking.  However, that said, any access granted other than to those who actually update the database should be read/report only.

Having read access allows for strategic analysis of donations that could be used to plan a new campaign of fundraising efforts.

I would ask your external auditor for guidance as there may be other considerations.

Don Sadler

Expertise

I can answer regarding Internal Auditing - especially operational audits, audit management, and how to revitalize a dysfunctional audit department. Also give advice to "auditees" on how to deal with auditors.

I DO NOT ANSWER HOMEWORK OR CLASS PROJECT QUESTIONS. For those answers, I suggest you scan previously asked questions and search on your favorite search engine.

I ALSO DO NOT ANSWER TAX QUESTIONS AS THIS IS NOT WITHIN MY EXPERTISE. NOTE: I am not an accounting expert although I will try to help if I can... ask at your own risk.

Experience

I have worked in the public and private business management arena with experience in OMB, Resource Management, Internal Auditing and consulting. I am a former President of the Inland Empire Chapter Institute of Internal Auditors, previously held Director positions in the Orange County Information Systems Audit and Control Association and the Northern Telecom International User's Association. I am a Certified Fraud Examiner and a Certified Information Systems Auditor.

Organizations
Institute of Internal Auditors, Association of Certified Fraud Examiners, and Information Systems Audit and Control Association (ISACA)

Education/Credentials
MBA, CISA, CFE

Founder and Principal of Applied INTEGRITY Management Consulting Group

©2012 About.com, a part of The New York Times Company. All rights reserved.