We are currently being criticized for not auditing segregation of duties for operations and admin functions.

Does anyone have any suggestions or audit plans for how to do this?

I look at segregation of duties in just about all of my audits. I'm looking to make sure there are at least 2 people involved in a transaction. I like to see the following areas seperated into as many different parties as is reasonable for our bank: Authorization, recording, and reconciling. Example: Teller authorizes transaction on account, operations department records the transaction and finance reconciles. If segregation is a challenge I look for supervisory review of the transaction.

Thid can be a challenge depending on your bank size. What is the asset size of your bank?

We review segregation of duties for all of our bank owned accounts - we have a form that has to be completed whenever a new one is opened that states who has authority for what and a SVP signs off on it. We verify that there is not conflict on who does transaction and who reconciles it.

We absolutely review segregation of duties in our audits. At times it does happen as our accounting office is two employees and our operations department is only 6. If duties cannot be segregated, the CFO or President has to sign off on what was done. And Audit reviews those situations heavily to make sure it was handled appropriately.

We also review segregation of duties in all of our audits. One way we do this is various reports we are able to obtain from our IT department which states which employees have what level of access to different computer systems. For example certain employees have maintenance capabilities and some have inquiry only access. Based on the department size and the procedures we note if the set up makes sense or if one employee has to much access.

When a department experiences turnover this can get a little hairy but for the most part we only see a breech on rare occassions. Most of the time, employees that changed positions and should have had the access removed aren't aware they still had the access.

Admin functions are system-related. Operations can include system operations or just plan operational duties within the job function. We audit all of our systems each year to ensure there is no conflict of duties between the system admin & their operational duties. In addition, management is required to conduct an annual system review to ensure access capabilities are 'shut down' as much as possible. Also, while conducting any audit, we review segregation of duties as it pertains to the audit (not necessarily system-related), i.e. preparing (or online entry)of G/L ticket vs review of G/L posting. Alot of the segration of duties are identified within our 'key controls'. Twice a year, management must review/certify the 'key controls' are still applicable & then they are presented to the Audit Committee.