
Organizational independence exists where no one person in an organization is in a position to both perpetrate and conceal, in the normal course of their duties, a misstatement. It is achieved through the separation (or segregation) of incompatible functions. If organizational independence does not exist within an organization, there is an increased risk of fraud, for example, lapping. For further background on this topic, refer to COSO's Internal Control over Financial Reporting - Guidance for Smaller Companies, Volume 1, Executive Summary.
Functions are incompatible if their combination may permit the commission and concealment of intentional or unintentional misstatements, or where the duties of one function can bypass, by accident or intent, the controls which should exist on the other. The following are examples of incompatible functions:
Functions that are typically segregated are access to assets (the custody function), execution of related transactions (the operational function), and the recording of related transactions (the accounting function). For example, organizational independence is achieved when the following functions are segregated:
Thus, a person having custody of an asset, such as cash, should not also be responsible for accounting for transactions affecting that asset; otherwise, the person may create and/or conceal shortages in the asset by incorrectly accounting for it. (Recording a transaction is equivalent to accounting for the transaction.) Similarly, a person who has custody of an asset, such as cash (e.g. a cheque signatory), should not be responsible for authorizing transactions affecting that asset; otherwise, the person may create and/or conceal shortages in the asset through the incorrect authorization of a transaction. Finally, a person responsible for the operations of, for example, a cost/profit centre should not be responsible for accounting for that centre; otherwise, the person may be tempted to bias results to improve reported performance. Additionally, organizational independence requires that each of these three functions (custody, accounting and operational) be segregated from both the authorization and supervision functions.
Job rotation helps achieve organizational independence by ensuring that one employee never has indefinite responsibility for a particular control procedure. Although this may require additional training, job rotation does have the additional benefit of facilitating the taking of leave by employees on a regular basis.
In a computer environment, organizational independence requires the separation of the information processing function from other organizational functions (which is no more than segregating the accounting/recording function from the operational function). In addition, organizational independence requires separation of incompatible duties within the information processing function. For example, within the information processing function, a data input operator should not have authority to authorize data input, and a computer programmer should not have unrestricted access to current production versions of software. In a database environment, incompatible functions include system design, database design, administration and operation.
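The segregation rules described above can be checked mechanically against a list of duty assignments. The following is an added example, not part of the original page: it flags any person who holds two incompatible duties over the same asset or system. The duty labels, the per-asset scoping and the sample data are assumptions made for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Core functions named on the page; each of the three must also be
# separated from authorization and supervision.
CORE = ("custody", "operational", "accounting")
OVERSIGHT = ("authorization", "supervision")

INCOMPATIBLE = {frozenset(p) for p in combinations(CORE, 2)}
INCOMPATIBLE |= {frozenset((c, o)) for c in CORE for o in OVERSIGHT}
# Information-processing pairs from the page; the labels are assumed names.
INCOMPATIBLE |= {
    frozenset(("data_input", "authorize_data_input")),
    frozenset(("programming", "production_software_access")),
}


def find_conflicts(assignments):
    """Return sorted (person, scope, duty_a, duty_b) tuples where one person
    holds two incompatible duties over the same scope (asset or system)."""
    held = defaultdict(set)
    for person, scope, duty in assignments:
        held[(person, scope)].add(duty)
    conflicts = []
    for (person, scope), duties in held.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset((a, b)) in INCOMPATIBLE:
                conflicts.append((person, scope, a, b))
    return sorted(conflicts)


# Constructed sample assignments (not from the page).
SAMPLE = [
    ("alice", "petty_cash", "custody"),
    ("alice", "petty_cash", "accounting"),
    ("bob", "petty_cash", "authorization"),
    ("bob", "payroll_system", "accounting"),
    ("carol", "payroll_system", "programming"),
    ("carol", "payroll_system", "production_software_access"),
    ("dave", "payroll_system", "data_input"),
    ("erin", "payroll_system", "authorize_data_input"),
    ("erin", "payroll_system", "supervision"),
]

if __name__ == "__main__":
    for person, scope, a, b in find_conflicts(SAMPLE):
        print(f"{person}: {a} + {b} on {scope}")
```

Authorization combined with supervision is not flagged, because the page does not list that pair as incompatible.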
For another view, refer to SANS Technology Institute's Separation of Duties in Information Technology.
Auditors plan reduced (or no) reliance on specific control procedures affected by ineffective organizational independence.
Copyright, Australian Educational Research Pty Ltd. Any person accessing this site agrees to the Terms of Use.