Sometimes a small department has a limited number of employees, making it difficult or impossible to establish adequate separation of duties. If this is the case, the unit needs to establish compensating controls – controls designed to compensate for the increased risk. Compensating controls are typically less desirable than separation of duties, because compensating controls typically occur after the transaction is complete. In addition, it takes more resources to investigate, correct errors, and/or recover losses than to prevent the errors in the first place. Therefore, compensating controls should be viewed as a “last resort” and should not take the place of separation of duties, when the staffing exists to make the separation possible.
Examples of Compensating Controls
Most compensating controls take the form of an additional or more in depth review. For example, if a unit does not have a Tier 2 (Reviewer), then the Tier 3 (Leader) would need to perform the detailed review.
Here is an example of when a compensating control would be required:
A single employee has the duties of accepting cash payments, recording the deposit, and reconciling the monthly financial reports. To prevent errors and/or fraud, additional oversight is required. This means we need a compensating control, such as the leader performing a review of the reconciliation or another unit performing the reconciliation. In some cases, two small units have “swapped” reconciliation duties to provide the needed separation of duties that are not possible within the unit.
Requirements for Compensating Controls
No matter the format the compensating control takes, all compensating controls should:
- Meet the intent of the original control requirement
- Provide a similar level of assurance
- Go above and beyond the original control requirements
Why is #3 important? As discussed above, a compensating control is never as good as creating a control up front, so the compensating control has “more to prove.” This means it needs to go above and beyond the original control to provide the same level of assurance.
03/31/2023: reviewed content
University Controller’s Office: (352) 392-1321
Office of Internal Audit: (352) 392-1391