XI-A.1.A Separation of Duties

Section Overview and Policies:

According to the Standards for Internal Control in New York State Government, separation of duties is a basic internal control activity that separates key tasks and responsibilities among various employees and subunits. This separation helps to reduce the risk of error, waste, or wrongful acts pertaining to various functions within an agency.

The procure-to-pay (P2P) cycle is an area where separation of duties is essential to minimize the risk of inappropriate, unauthorized or fraudulent activities. Specifically, the various activities related to the P2P cycle (e.g., initiation, purchase approval, ordering, receipt, and payment approval) should ideally be done by different employees or subunits of an organization.

For example, one employee at an agency may issue a purchase order for 24 cases of 20-pound weight copier paper at a specific price. A second employee would receive the paper, verify it is the 20-pound weight, count the number of cases received, and record the number in the agency’s financial management system. A third employee would receive the vendor invoice for the paper and compare the information on the invoice to the purchase order and receiving information. If all the information agrees, the third employee would approve the invoice for payment. Separating these key functions helps ensure the agency orders what it needs, gets what was ordered, and pays only for the correct goods in the volume received.

Agencies must consider separation of duties when assigning users to various roles within their financial management systems. Agencies using the Statewide Financial System (SFS) should access References and Resources in SFSSecure for guidance on managing system roles, assignments, and access to data.

In some cases, agencies may not have the number of staff to effectively separate key tasks. When this occurs, management should perform a risk assessment to determine the agency’s risk of inappropriate, unauthorized or fraudulent activities given the lack of separation of duties. As part of this process, management should establish compensating controls in cases where the agency is unable or unwilling to accept the risk, and document officials’ willingness to accept the residual risks where the agency will not establish compensating controls. Compensating controls often include a post-transaction review to ensure compliance with requirements.

