Segregation of Duties - SP+ University€¢ Describe the Sarbanes-Oxley Act (SOX) • Define Segregation of Duties (SOD) • Describe the benefits of Segregation of Duties • Demonstrate

Segregation of Duties | Version 2.0 2014

▪ SP Plus Corporation ▪ 200 E. Randolph Street, Suite 7700, Chicago, IL 60601 ▪

Segregation of Duties The Basics of Accounting Controls



Segregation of Duties The Basics of Accounting Controls

© 2014 SP Plus Corporation. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the express written permission of SP Plus Corporation.

These materials are intended only to provide information to the attendees of SP Plus Corporation training programs. SP Plus Corporation, its employees, trustees and agents, disclaim all responsibility and liability whatsoever for any use or non-use of the information contained in these materials and all obligations and liabilities whatsoever, whether for damages or otherwise, including without limitation, for consequential damages, arising, or alleged to arise, in any manner, out of or in connection with the use, or inability to use, these materials or any information contained herein.



Table of Contents

MODULE 1: INTRODUCTION................................................................................................... 1

SP PLUS CORPORATE MISSION ............................................................................................... 1

ROLE, ACCOUNTABILITY AND PROFESSIONAL EXPECTATIONS ..................................................................... 1

WE NEED YOUR HELP! ...................................................................................................................... 1

MODULE 2: SEGREGATION OF DUTIES .................................................................................... 3

OBJECTIVES FOR THIS COURSE: ............................................................................................................ 3

BENEFITS OF SEGREGATION OF DUTIES.................................................................................................. 4

RESPONSIBILITIES WITHIN SEGREGATION OF DUTIES ................................................................................ 4

Incompatible Duties ................................................................................................................. 4

MODULE 3: IMPLEMENTING SEGREGATION OF DUTIES .......................................................... 6

MITIGATING AND COMPENSATING CONTROLS ........................................................................................ 7

DEFINITION OF JOB FUNCTIONS ........................................................................................................... 7

Facility Manager Responsibilities ............................................................................................ 8

MODULE 4: COMPLETING APPLICATION WORKSHEETS ........................................................... 9

Cashier Receipts Application Worksheet ................................................................................. 9

Monthly Parker Application Worksheet ................................................................................ 11

GLOSSARY ........................................................................................................................... 15


1 ▪ SP Plus Corporation ▪ 200 E. Randolph Street, Suite 7700, Chicago, IL 60601 ▪

Module 1: Introduction

SP Plus Corporate Mission The mission of our company is:

"To achieve our clients' goals through excellence, innovation and integrity."

Role, Accountability and Professional Expectations It is the responsibility and obligation of each level of management, to maintain the integrity of the Company and the Client. One of the main responsibilities of managing day to day facility operations is to maximize revenue control, while minimizing the Company’s liabilities, through adherence to instituted policies and procedures. When policies and procedures are not followed, Client relations and the Company’s success are at risk.

Through your training process, you will learn about these policies and procedures, and how they are used to maximize revenue control and minimize liabilities. You will also learn about situations that require written documentation in the place of a policy or procedure; however, it is not our preferred means of doing business. Mitigating controls can be used as a secondary solution for instances when an audit requirement cannot be met at a location.

It is your obligation as a Facility Manager to maintain the highest standards of revenue control, in order to ensure the continued success of the Company.

We Need Your Help! In order to continually improve this program and the documentation we depend on you and your opinion on what should be added or deleted and what sections need more or less detail. If you have any thoughts on how to make this document better, please email the training department at [email protected] or take notes and give them to the Trainer or Fax to 312-640-6170.



SP Plus U Material or Course Available

Term

Important Note

Policy

On SPin



Module 2: Segregation of Duties

Objectives for this Course: At the end of this module, the participant will be able to:

• Describe the Sarbanes-Oxley Act (SOX)

• Define Segregation of Duties (SOD)

• Describe the benefits of Segregation of Duties

• Demonstrate how to implement Segregation of Duties

• Define and discuss Mitigating and Compensating Controls

• Define the job functions of Segregation of Duties

• Demonstrate how to complete the SOD Worksheets

• Achieve accurate and effective Segregation of Duties at your location

Business Metric: To achieve an ideal score on these audit questions:

• II.B.07: Is there proper segregation of duties between processing transactions, recording transactions, depositing cash receipts, recording revenue and reconciling bank accounts?

• II.C.17: Is there proper segregation of duties between collecting applications, collecting cash receipts, access card maintenance, data entry of customer information, invoicing, reconciling payments received and customer maintenance?

• II.D.18: Is there proper Segregation of Duties for Pay Station locations?

• II.H.6: Is there proper Segregation of Duties for this Special Event location?

After the demise of the Enron Corporation, the Sarbanes-Oxley Act or SOX was enacted as a United States Federal law. The law was created to ensure that public companies were reporting revenue accurately, and the revenue that was reported was being deposited in the bank. In order to comply with the requirements set forth by the Sarbanes-Oxley Act, the Company needed to initiate accounting controls known as Segregation of Duties.

Segregation of Duties (SOD) is a basic, key internal revenue control process. It is used to ensure that errors or irregularities such as fraud are prevented or detected on a timely basis.

Segregation of Duties applies to all locations. So it is important that everyone understand and know how SOD works, and that guidelines are established and followed by everyone.



Segregation of Duties is not the responsibility of one person; it is the responsibility of everyone.

Benefits of Segregation of Duties At the most basic level, Segregation of Duties means that no single individual should have control over two or more phases of a revenue control process. Managers should properly staff their locations and assign responsibilities to ensure a crosscheck of duties. Managers should also emphasize the importance of audit expectations in regards to SOD.

Segregation of Duties provides two benefits:

1. Deliberate fraud is more difficult because it requires conspiracy of two or more persons.

2. It is much more likely that innocent errors will be found.

On the opposing side of SOD there are some key risk factors in the Operations Revenue process that lead to revenue losses or theft, including:

• Fraudulent activity in reporting all types of revenues.

• Incomplete revenue postings.

• Mathematical errors.

Responsibilities within Segregation of Duties There are four general categories of responsibilities that are executed when Segregation of Duties is properly implemented:

• Authorization - The process of giving permission to access systems such as the AS400 system for Standard Parking locations, and the CARS system for Central Parking locations.

• Cash Handling - The act of collecting payments and making cash deposits.

• Record keeping - Performance of daily tasks such as paperwork audits, and inputting data into the AS400 Revenue system for Standard Parking locations, and into the Telerev and DCR Reporting system for Central Parking locations.

• Reconciliation - Verification and reconciliation should be added to the AS400 for Standard Parking locations, and to the CARS system for Central Parking locations.

Ideally different employees should perform each of these four major responsibilities; no one person should have control of two or more of these responsibilities. There is greater need for proper Segregation of Duties when dealing negotiable assets such as cash, checks and inventory.

Incompatible Duties

When a single person has control over two or more of the SOD responsibilities, they can carry out and conceal errors and/or irregularities in day-to-day activities. This type of situation is known as Incompatible Duties, and puts the Company at risk for fraudulent activity, revenue errors, or incomplete revenue posting. Some examples of Incompatible Duties are listed below:



1. Making the daily cash deposits (Cash Handling), completing the daily revenue reports (Record Keeping), and auditing the tickets and daily revenue reports (Reconciliation).

2. Receiving checks (Cash Handling), and approving write-offs or adjustments (Authorization).

3. Depositing cash (Cash Handling) and reconciling bank statements (Cash Handling).

4. Approving time cards (Authorization) and having custody of pay checks (Cash Handling).



Module 3: Implementing Segregation of Duties

There are three key concepts when determining if Segregation of Duties exists in a facility.

1. If someone has access to cash, that person cannot input into the AS400 Accounts Receivable System for Standard Parking locations, and into the CARS system for Central Parking locations.

Exception: Although it is preferable and recommended to have segregation of duties where the individual that records revenue does not have physical access (i.e. cashiering, counting the funds, or making the bank deposit), it is not always feasible. It is considered acceptable if a Facility Manager has access to cash and enters revenue into the respective Standard and Central systems, as long as an Independent Reviewer audits 7 consecutive days once per month, reviewing a different 7 days each month. For Standard Parking locations, the Audit Bookkeeper/Revenue Auditor needs to verify that the AS400 Daily Sales Input matches the AS400 Revenue Summary Report and deposit after the revenue for the month has closed. This is to ensure that the Facility Manager (or person making the entry) doesn’t manipulate the AS400 Daily Sales Input amount and change the data in AS400 to commit fraud. This is a bare minimum level of Segregation of Duties –where possible we would want to have a higher level. For Central Parking locations a comparison of validated deposit slips (or courier pick-up logs), revenue equipment report totals, and the revenues reported on the DCR (or Telerev) system should be completed and documentation maintained on file for possible future reviews by Audit. (For Sales Audit locations, the independent review is not as critical, but emphasis should be placed on a documented review of exception type tickets (price changes, replacement tickets, voids, etc.) that are subject to being manipulated and not detected on the daily automated Sales Audit pull of revenues.)

2. The person performing the audit cannot report to the person they are auditing. An example is: A Facility Manager does a review of a Ticket to Tape Audit, to ensure the revenue is reported



accurately. The Audit Bookkeeper then reviews the same Ticket to Tape Audit paperwork and verifies the cash receipts were deposited in the bank. Because the Audit Bookkeeper is verifying the cash receipts to the completed paperwork, the Audit Bookkeeper cannot report to the Facility Manager.

3. For monthly Segregation of Duties, all source documents for Key Cards audits must be kept in on file. Source documents include, Active Item Listing from the AS400 Accounts Receivable System, the active Key Card listing from the location’s access card system or CARS system, and completed Key Card Reconciliation paperwork. The Key Card Reconciliation paperwork should include variances identified during the Key Card audit and the resolutions for those variances. A copy of all documents used in the reconciliation must be kept as backup for the completed audit. It is ok to keep electronic copies of these source documents.

Mitigating and Compensating Controls In those instances where duties cannot be fully segregated, Mitigating or Compensating Controls must be established. Mitigating or Compensating Controls are additional procedures designed to reduce the risk of errors or irregularities. For instance, if the Manager makes the daily cash deposits and performs an audit of the daily revenue reports. A Supervisor or Audit Bookkeeper could perform and document a more detailed review of the Manager’s audit. Another good mitigating or compensating control is to have an Independent Reviewer of the revenue paperwork at the facility. This provides additional control over the assignment of incompatible functions.

Segregation of Duties is more difficult to achieve in a centralized environment where only one individual has control over all the location’s duties. In a case such as this Mitigating and Compensating Controls should be implemented, which could include passwords, inquiry only access, logs, dual authorization requirements, and documented reviews of input/output.

Definition of Job Functions In order to fully understand Segregation of Duties for transient revenue control, the various job functions involved must be defined.

• Cashier - The person who operates the Cashier booth for a shift.

• Manager - The person who manages the Cashiers.

• Audit Bookkeeper - The person independent of the Manager (does not report the Manager) who is assigned to perform certain control functions. By definition this person has no access to cash receipts.

The Segregation of Duties for monthly revenue control job functions are a bit different and also need to be defined.

• Cashier/Receptionist – The person who operates the cashier booth for a shift, or works in the facility office doing various functions. Some of these functions could include general bookkeeping, customer service and receptionist.

• Manager – the person who manages the facility and is responsible for activating/deactivating Key Cards in the facility’s Key Card system.

• A/R Clerk – the person independent of the Facility Manager (does not report to the Facility Manager), and who has access to make changes, additions or deletions in the Parker AR System for Standard Parking locations, and the CARS system for Central Parking locations. They may also be able to post payments.

• Senior Manager – The person who supervises the Facility Manager.



Segregation of Duties is determined by job function not job title.

For example: If a Manager is performing the functions of a Cashier, the job position would be that of a Cashier on the SOD application forms. Although that person is technically a Manager, he/she would be listed as the Cashier since that is the actual function that is being performed. .

Facility Manager Responsibilities

As a Facility Manager, these are your key responsibilities:

• Review and follow the policies and processes that are identified in the Revenue Control process in the Revenue Reporting and Management section of the Facility Manager Job Plan reference guide, as well questions specific to Segregation of Duties in the Standard Operating Procedures (SOP) document.

The SOP document can be found in Google Drive or on SPin.

• Document and sign-off for each control that is performed.

• Monitor controls on a regular basis to ensure they are operating effectively and consistently.

• If as a Manager you input revenue into the AS400 for Standard Parking locations, and into the CARS system for Central Parking locations.

• Complete the SOD Worksheets to maintain a record of who is doing what at the facility. This information will be needed to answer question III. J. Misc. 2 if you are audited or questions related to SOD on the Control Self Assessment (CSA).

• If a policy or procedure cannot be followed at a location, ask a member of the Internal Audit Department for permission to implement a mitigating control.



Module 4: Completing Application Worksheets

Cashier Receipts Application Worksheet

This worksheet should be completed if a location collects cash receipts (transient revenue), and will help display the functions and duties of those responsible for handling the cash. This ensures that one person does not control or perform all functions within a process. There must be segregation of responsibilities between processing transactions, recording transactions, depositing cash receipts, recording revenue and reconciling bank accounts.

An independent review must be performed if any of the positions on the worksheet overlap. An independent review is when the revenue reporting documents (shift tape, cashier reports, deposit slips, etc.) are reviewed and confirmed by another employee. This employee should not have access to the cash, and does not have a direct reporting or personal relationship to the employee they are reviewing.

To complete the worksheet:

1. Review the list of functions in the far left column.

2. Write the name of the position (not the person) whose duty it is to perform that function in the Duties section.

3. If any of the positions overlap into other columns, then there should be a Mitigating Control in place.

The sample SOD worksheet shown below has been completed with positions that do NOT meet the Segregation of Duties guidelines. In this example the manager and the cashier are performing functions that should be completed by a separate person.



The sample SOD worksheet shown below has been properly completed with positions that meet the Segregation of Duties guidelines. This includes the premise that the Manager does not perform the function of the Cashier, and the Bookkeeper has no access to money and does not report to the Manager. If you cannot complete your worksheet utilizing those guidelines, there must be an independent review which would satisfy the guidelines of having a Mitigating Control in place.



Monthly Parker Application Worksheet

This worksheet should be completed if you collect monthly parker receipts (monthly revenue) at your location. This ensures that one person does not control or perform all functions within a process. There must be Segregation of Duties between the person who collects parker applications, collects monthly parker or validation payments and maintains the card access system; from the person who maintains the AS400 Monthly Parker A/R System for Standard Parking locations, and into the CARS system for Central Parking locations (including adding parkers, deleting parkers, changing customer information, maintaining parker billing rates, posting payments and applying adjustments to parker account balances).

To complete the worksheet:

1. Review the list of functions in the far left column.

2. Write the name of the position (not the person) whose duty it is to perform that function in the Duties section.

3. Make sure that positions do not overlap into other columns.

The sample SOD worksheet shown below has been completed with positions that do NOT meet the Segregation of Duties guidelines. In this example the manager and the cashier are performing functions that should be completed by a separate person.

The sample SOD worksheet shown below has been properly completed with positions that meet the Segregation of Duties guidelines. This includes the premise that the Manager does not perform the



function of the Cashier, the Bookkeeper has no access to money and the Bookkeeper does not report to the Manager. As per the Standard Operating Procedures document, even if your location is operating as per the Segregation of Duties guidelines, the Senior Manager for the location must conduct a surprise Key Card Reconciliation twice a year, or every six months. The surprise Key Card Reconciliation will satisfy the requirement of an independent review of the monthly revenue process. The active key cards should be reconciled to the current billing records. This review must be random, and the actual date and time should be a surprise to the Manager. The Senior Manager cannot request the files by phone or email in advance of the surprise visit.

The Segregation of Duties (SOD) Worksheet files can be found in Google Drive or on SPin.



Examples of scenarios for transient parking revenues: If the Cashier . . . . Then the Manager . . . . Then the Audit Bookkeeper . . . .

Turns in cash deposit to Manager, to count and deposit in bank…

Cannot perform the daily paperwork audit, or input data into the AS400 Revenue and the Telerev and DCR Reporting Systems.

Must perform the daily paperwork audit.

Turns in cash deposit in a sealed bag for Manager or armored car to deliver to the bank…

Can perform the daily paperwork audit and input revenue into the AS400 Revenue and Telerev and DCR Reporting Systems.

Must verify that the tear-off strips from the cashier deposit bags are accounted for and can perform the daily paperwork audit.

Makes a cash deposit directly to the bank…

Can perform the daily paperwork audit or input data into the AS400 Revenue and Telerev and DCR Reporting Systems.

Can perform the daily paperwork audit.

Also serves as the Manager…

Cannot perform the daily paperwork audit or input data into the AS400 Revenue and Telerev and DCR Reporting Systems.

Must perform the daily paperwork audit.

Also serves as the Manager and inputs revenue into the AS400 . . . .

Can perform the daily paperwork audit or input data into the AS400 Revenue and Telerev and DCR Reporting Systems.

Must verify that the AS400 and Telerev and DCR reports match the deposit after the revenue for the month has closed.



Examples of scenarios for monthly parking revenues: If. . . . Then the Manager . . . . Then the Audit Bookkeeper . . .

The Cashier, Receptionist, Supervisor and/or Assistant Manager collects monthly parking payments and provides the payments to the Manager for counting and deposit…

Cannot have access to perform additions, deletions or changes to the Parker A/R billing and CARS systems. Manager is able to activate/ deactivate keycards in the keycard system.

Can post payments and make additions, deletions and changes in the Parker A/R and CARS systems. Under no circumstance, can the A/R clerk collect parking payments.

The Cashier, Receptionist, Supervisor and/or Assistant Manager collects monthly parking payments and provides the payments to the Manager in a sealed bag for deposit…

Can post payments and make additions, deletions and changes in the Parker A/R and CARS systems. In addition, the Manager is able to activate/ deactivate keycards in the keycard system. Audit Bookkeeper must verify the tear-off strips from the cashier deposit bags are accounted for.

Can post payments and make additions, deletions and changes in the Parker A/R and CARS systems. Under no circumstance can the A/R clerk collect parking payments.

The Cashier, Receptionist, Supervisor and/or Assistant Manager collects monthly parking payments and deposits payments directly to the bank…

Can post payments and make additions, deletions and changes in the Parker A/R and CARS systems. In addition, the Manager is able to activate/ deactivate keycards in the keycard system.


The Manager collects the payments…

Cannot have access to perform additions, deletions or changes to the Parker A/R and CARS systems. Manager is able to activate/deactivate keycards in the keycard system.

Can perform the daily paperwork audit.

The monthly parker payments are made via the Lockbox, EFT or AS400 credit card system…

Can make additions, deletions and changes in the Parker A/R and CARS systems. Manager is able to activate/deactivate keycards in the keycard system.




Glossary

A/R Clerk The person independent of the Facility Manager (does not report to the Facility Manager), and who has access to make changes, additions or deletions in the Parker AR System. They may also be able to post payments.

Audit Bookkeeper The person independent of the Manager (does not report the Manager) who is assigned to perform certain control functions. By definition this person has no access to cash receipts.

Authorization The process of giving permission to access systems such as the AS400, activating/deactivating Key Cards in the Key Card system, and making additions, deletions, or changes to the A/R billing system.

Cashier The person who operates the Cashier booth for a shift.

Cash Handling

The act of collecting payments and making cash deposits.

Incompatible Duties When a single person has control over two or more of the SOD responsibilities, they can carry out and conceal errors and/or irregularities in day-to-day activities.

Manager The person who manages the Cashiers

Mitigating or Compensating Controls

Additional procedures designed to reduce the risk of errors or irregularities.

Receptionist The person who works in the facility office doing various functions. Some of these functions could include general bookkeeping or customer service.

Reconciliation Verification and reconciliation should be added to the AS400 for Standard Parking locations, and to the CARS system for Central Parking locations.

Record Keeping Performance of daily tasks such as paperwork audits and inputting data into the AS400 Revenue system for Standard parking locations, and into the Telerev and DCR Reporting system for Central Parking locations.



Sarbanes-Oxley Act A law that was created to ensure that public companies were reporting revenue accurately and the revenue that was reported was being deposited in the bank.

Senior Manager The person who manages the Facility Manager.

Segregation of Duties Is a basic, key internal revenue control. It is used to ensure that errors or irregularities are prevented or detected on a timely basis. It is used at all locations and is the responsibility of all employees.

Documents

Segregation of Duties - SP+ University€¢ Describe the Sarbanes-Oxley Act (SOX) • Define Segregation of Duties (SOD) • Describe the benefits of Segregation of Duties • Demonstrate