Taking A Closer Look At Segregation Of Duties Helps REITs Prevent Fraud

As a company grows, so does the roster of people who have access to its general ledgers and accounting information. Failing to re-examine the permissions that these individuals have within these processes creates an environment where fraud and errors can occur.  

Real estate investment trusts, which rely on remote teams to manage properties away from their central accounting offices, are especially susceptible to these risks. 

“Due to the decentralized nature of REITs, there is always an opportunity to commit fraud, whether it is through kickbacks with vendors or collusion with tenants,” Baker Tilly partner David Jamiolkowski said. "That’s why REITs are a business where leadership needs to keep segregation of duties top of mind.”

Segregation of duties is an internal control method that divvies up the critical functions of a process and access to the data associated with the functions across multiple employees or departments. Rather than one individual having the ability to authorize a transaction or Automated Clearing House payments and enter invoices, for instance, key processes are separated. Under a system with strong SOD established, fraud risks and the potential for errors are reduced. 

Monitoring relationships between managers and vendors is a concern for REITs. Whether the vendor is performing a tenant build-out or capital project work, controls can ensure that REITs are getting the best pricing for quality work by obtaining multiple bids. By ensuring that someone independent of the vendor manager is approving the final bid, fraud risks can be mitigated.

Jamiolkowski and Baker Tilly partner Monica Dalwadi work with REITs to conduct enterprise risk assessments, perform internal audits and evaluate segregation of duties. Conducting an in-depth segregation of duties analysis is one of the first steps they take to find potential conflicts and fraud risks. While REITs have been using SOD as an internal control method for years, more companies are turning toward a risk-focused and comprehensive approach. 

“For REITs, SOD is not a new concept,” Dalwadi said. “It’s been one of the principles of an internal control environment for a long time, but the sophisticated way a company could look at this or what a third party can do with analytics is what is making this change significant. Third parties can now systematically look for SOD issues in IT systems and flag issues that, if not found by the company, could cause [problems].”

The Baker Tilly team recommends REITs undergo a functional and system-driven analysis of segregation of duties. The two-step process evaluates functions performed by employees across an entire company, both inside and outside financial and management applications. Jamiolkowski and Dalwadi create a risk-based functional evaluation of segregation of duties conflicts to identify all potential risks.

The second step is to perform a system-driven analysis to evaluate all individual users and roles within financial and management applications to determine if an individual user has conflicting permissions. If so, they determine whether to remove incompatible duties or implement monitoring controls. 

Technology has improved the process for identifying segregation of duties conflicts, allowing both companies and external auditors to identify conflicts faster. After these analyses are completed, clients can use data analytics to look at and evaluate whether someone used a flaw in the system to commit fraud.

“Companies want to get smart," Jamiolkowski said. "They need to get ahead of the regulators, their auditor and particularly the fraudsters to ensure that they are looking at things from a design perspective. It’s not just that they are reviewing access, but that they fully comprehend what types of conflicts exist and that no one within their system has those conflicts.”

Investing in this discovery process yields long-term benefits, as the functional analysis becomes a tool companies can return to as they grow their businesses. 

“You keep that functional analysis, and every time an employee needs new access to a system, you can look at that access and determine whether adding this additional permission creates a segregation of duties conflict,” Dalwadi said. “It’s an exercise that allows a company to expand without creating additional risk.”

To learn more about this Bisnow content partner, click here.