Audit Segregation Of Duties: Why It Matters and How to Apply It in South Africa
Audit segregation of duties (SoD) is a core internal‑control principle used to prevent fraud, error, and conflicts of interest within organisations. In South Africa, the concept is anchored in governance and oversight expectations under frameworks such as the King IV Report on Corporate Governance, as well as professional audit and accounting standards.
This article explains what audit segregation of duties is, how it fits into broader governance expectations, and how organisations can implement it in practice.
What Is Audit Segregation Of Duties?
Segregation of duties is the practice of separating key responsibilities so that no single individual controls all phases of a critical transaction or process. The International Federation of Accountants (IFAC) describes segregation of duties as a key internal control component, designed so that “no one person has control over all aspects of a financial transaction” and to ensure that different people are responsible for authorising transactions, recording them, and maintaining custody of the related assets (IFAC – Internal Control System Framework).
In the audit context, segregation of duties is both:
- An object of the audit: auditors assess whether the client has adequate SoD in place across its key processes.
- A requirement for auditors themselves: for example, audit firms must separate roles linked to audit performance, quality management, and client acceptance, as reflected in the International Standard on Quality Management (ISQM 1) issued by the International Auditing and Assurance Standards Board (IAASB – ISQM 1).
Governance Context in South Africa
Although segregation of duties is a general control principle, it is reinforced in South African governance expectations. The King IV Report on Corporate Governance for South Africa 2016, issued by the Institute of Directors in South Africa (IoDSA), emphasises that governing bodies should ensure an effective system of internal control and internal audit. King IV highlights the importance of controls that reduce the risk of fraud and error, including appropriate allocation of responsibilities and oversight (IoDSA – King IV Report).
King IV is not a statute but operates on an “apply and explain” basis for entities such as JSE‑listed companies, and it is widely referenced as a benchmark for corporate governance and control design in South African organisations.
Public‑sector entities are also expected to maintain internal control systems that embody segregation of duties. The National Treasury’s “Framework for Managing Programme Performance Information” refers to maintaining effective internal control measures, which typically include segregation of key functions to ensure the credibility and reliability of information used for accountability and audit purposes (National Treasury – Framework for Managing Programme Performance Information).
Core Elements of Audit Segregation Of Duties
From an internal‑control and audit perspective, three functional categories are commonly separated:
- Authorization (Approval)
  - Responsibility for approving transactions, such as purchases, payments, journal entries, or changes to standing data, is assigned to specific roles or levels of management.
  - IFAC notes that proper authorization is a core type of control activity, ensuring only valid transactions are processed (IFAC – Internal Control System Framework).
- Custody (Asset Handling)
  - Physical or logical control over assets—cash, inventory, fixed assets, or sensitive data—is kept distinct from those who approve or record transactions.
  - This reduces the opportunity for misappropriation without detection.
- Recording (Accounting and Reporting)
  - Individuals who maintain ledgers, process accounting entries, or prepare financial reports should be different from those who authorise or have custody of related assets.
  - Segregation here supports accurate and reliable financial reporting, a goal embedded in the International Financial Reporting Standards (IFRS) framework overseen globally by the IFRS Foundation (IFRS Foundation – About IFRS Accounting Standards).
Auditors evaluate whether these three categories are adequately separated in high‑risk cycles such as revenue, procurement, payroll, inventory, and cash management, as part of their risk assessment and control testing under the International Standards on Auditing (e.g., ISA 315, which deals with identifying and assessing the risks of material misstatement) (IAASB – ISA 315 (Revised)).
Why Audit Segregation Of Duties Matters
1. Fraud Prevention and Detection
Segregation of duties is one of the most widely recommended anti‑fraud controls. The Association of Certified Fraud Examiners (ACFE), in its “Occupational Fraud 2024: A Report to the Nations,” identifies lack of internal controls and override of existing controls as key factors enabling fraud, and highlights well‑designed internal controls such as SoD as effective fraud‑mitigation tools (ACFE – Occupational Fraud 2024: A Report to the Nations).
2. Reliable Financial Reporting
IFAC’s internal control guidance stresses that control activities such as segregation of duties contribute directly to the reliability of financial reporting and safeguarding of assets (IFAC – Internal Control System Framework). When auditors assess internal control over financial reporting, they look at whether incompatible duties are effectively separated.
3. Regulatory and Governance Expectations
For listed and regulated South African entities, the application of King IV expectations around internal control is frequently scrutinised by boards, audit committees, and investors. The JSE’s listing requirements make specific reference to compliance with King IV and its governance principles (JSE – Listings Requirements), indirectly reinforcing the need for robust segregation of duties.
4. Audit Efficiency and Scope
Well‑implemented segregation of duties can allow auditors to place more reliance on internal controls, potentially affecting the nature, timing and extent of substantive procedures, consistent with ISA 330, which deals with the auditor’s responses to assessed risks (IAASB – ISA 330).
Segregation Of Duties in IT and ERP Environments
Modern South African organisations frequently rely on enterprise resource planning (ERP) and other IT systems. The Information Systems Audit and Control Association (ISACA) notes that segregation of duties is a fundamental control in IT environments, especially to manage access rights, ensure change‑management integrity, and protect data (ISACA – Segregation of Duties in Information Systems).
Key IT‑related SoD practices include:
- Separating system administration from transaction processing.
- Ensuring that developers do not unilaterally migrate code into production.
- Implementing role‑based access controls so that conflicting permissions (e.g., creating and approving a vendor) are not assigned to the same user.
Auditors performing IT‑related control testing (such as under ISACA’s COBIT framework) will examine these aspects as part of the overall assessment of audit segregation of duties.
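The conflicting-permission check described above can be run directly against a role and access extract. The following is an added example, not part of the original article or of any framework it cites; every role name, permission string, user and rule ID in it is constructed for illustration.

```python
from collections import defaultdict

# All role names, permission strings, users and rule IDs are constructed.
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor.create", "invoice.record"},
    "ap_manager": {"vendor.approve", "payment.approve"},
    "developer": {"code.commit"},
    "release_manager": {"code.deploy_prod"},
    "sysadmin": {"system.admin"},
}
USER_ROLES = {
    "thandi": ["ap_clerk"],
    "sipho": ["ap_clerk", "ap_manager"],         # conflict spread over two roles
    "lerato": ["developer", "release_manager"],
    "johan": ["sysadmin", "ap_clerk"],
    "naledi": ["release_manager"],
}
# One rule per practice listed above; a user conflicts when holding a permission from each side.
SOD_RULES = [
    ("SOD-01 admin/processing", {"system.admin"}, {"invoice.record", "payment.approve"}),
    ("SOD-02 develop/migrate", {"code.commit"}, {"code.deploy_prod"}),
    ("SOD-03 create/approve vendor", {"vendor.create"}, {"vendor.approve"}),
]

def effective_permissions(roles, role_permissions):
    """Map each permission a user holds to the roles that grant it."""
    granted_by = defaultdict(set)
    for role in roles:
        for perm in role_permissions.get(role, ()):
            granted_by[perm].add(role)
    return granted_by

def find_sod_conflicts(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Return one finding per (user, rule) where both sides of a rule are held."""
    findings = []
    for user in sorted(user_roles):
        granted_by = effective_permissions(user_roles[user], role_permissions)
        held = set(granted_by)
        for rule_id, side_a, side_b in rules:
            if held & side_a and held & side_b:
                perms = sorted(held & (side_a | side_b))
                roles = sorted({r for p in perms for r in granted_by[p]})
                findings.append({"user": user, "rule": rule_id,
                                 "permissions": perms, "roles": roles})
    return findings

if __name__ == "__main__":
    for f in find_sod_conflicts():
        print(f"{f['user']}: {f['rule']} via roles {f['roles']} ({f['permissions']})")
```

Because the check evaluates effective permissions rather than role names, it also flags a single role that bundles both sides of a rule, and each finding names the roles to split or reassign.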
Practical Steps to Implement Audit Segregation Of Duties
Based on international internal‑control guidance and professional governance expectations, organisations can approach audit segregation of duties systematically:
- Map Processes and Identify Key Risks
  - Document major processes (procurement, revenue, payroll, financial close, IT change management).
  - Identify where a single role currently initiates, approves, records, and has custody over assets, drawing on internal‑control frameworks such as COSO’s “Internal Control – Integrated Framework,” which emphasises control activities including segregation of duties (COSO – Internal Control Integrated Framework Overview).
- Define and Document Roles and Responsibilities
  - Establish clear role definitions and delegations of authority.
  - Link each role to specific approvals and system permissions, consistent with the concept of accountability and clear lines of responsibility in King IV (IoDSA – King IV Report).
- Use System Controls Where Headcount Is Limited
  - Smaller organisations that struggle to separate duties manually can rely more heavily on system‑enforced controls, such as automated approval workflows and role‑based access.
  - ISACA points out that automated controls and logging can partially compensate when full physical segregation of duties is not feasible (ISACA – Segregation of Duties in Information Systems).
- Introduce Compensating Controls
  - If full segregation is impossible, compensating controls—such as enhanced management review, independent reconciliation, or periodic internal audit checks—are essential.
  - IFAC’s internal‑control guidance acknowledges the role of monitoring activities to detect and correct control weaknesses (IFAC – Internal Control System Framework).
- Align Internal Audit Work with SoD Risks
  - Internal audit functions in South Africa, operating under the International Standards for the Professional Practice of Internal Auditing issued by The Institute of Internal Auditors (IIA), are expected to evaluate the adequacy and effectiveness of internal controls, including segregation of duties, as part of their risk‑based audit plans (IIA – International Standards for the Professional Practice of Internal Auditing).
Role of Audit Committees and Boards
Audit committees, as described in King IV, are responsible for overseeing the quality of financial reporting, the effectiveness of internal controls, and the work of external and internal auditors (IoDSA – King IV Report). Effective oversight includes:
- Approving or reviewing internal‑audit plans that focus on high‑risk SoD areas.
- Reviewing significant control deficiencies reported by internal and external auditors, including any breakdowns in segregation of duties.
- Ensuring that management implements and tracks remediation plans to close SoD gaps.
Conclusion
Audit segregation of duties is a cornerstone of sound internal control and good governance. In South Africa, it aligns with the expectations of the King IV Report, public‑sector control frameworks, and international auditing, accounting, and IT‑governance standards. By clearly separating authorization, custody, and recording functions, and by leveraging both organisational design and IT controls, entities can reduce the risk of fraud and error, strengthen the reliability of their financial reporting, and support more efficient and effective external and internal audits.
For organisations seeking to enhance their control environment, reviewing process maps, role definitions, and system access – and aligning these with recognised frameworks such as IFAC’s internal‑control guidance, COSO’s principles, and King IV – provides a practical starting point for robust audit segregation of duties.