“A Conceptual Model for Segregation of Duties: Integrating Theory and Practice” Kevin Kobelsky, University of Michigan – Dearborn

Page 1: “A Conceptual Model for Segregation of Duties: Integrating Theory and Practice”

“A Conceptual Model for Segregation of Duties: Integrating Theory and Practice”

Kevin Kobelsky, University of Michigan – Dearborn

Page 2

UWCISA 8th Symposium, Oct. 4, 2013, Kevin Kobelsky

Motivation

The Problem:
• Stealing (intentional)
• Loss (unintentional)

Page 3

Motivation

The Solution: “Independent Review” (underlying principle), achieved through

Segregation of Duties (SoD)

Page 4

Segregation of Duties

An employee should not be in a position to both 1) perpetrate AND 2) conceal fraud/irregularities or unintentional errors.

Control Approach:
• All asset handling is reviewed by an independent person; inappropriate action is acted on
• Division of a process into subtasks is not enough if there is no independent review and follow-up action

Page 5

Segregation of Duties Model

Objective: Reduce the risk that assets will be stolen/lost/wasted

Solution: At least three people required

Page 6

SoD in Literature - Agency

Tirole (1986) examines costs of lack of segregation of Agent from Supervisor

Page 7

SoD in Literature - Agency

Secondary Review has benefits – Beck (1986), Barra (2010) – peer agents; Kofman and Lawarée (1993) – peer supervisor

Page 8

SoD in Literature – Practitioner

Standards, Textbooks: AICPA, 2006; Arens et al., 2013; COSO, 1994; Elsas, 1996; Elsas et al., 1998; Fishman, 2000; Louwers et al., 2013; Messier et al., 2012; PCAOB, 2007; Stone, 2009; Weigand and Elsas, 2012; Whittington and Pany, 2013.

Page 9

SoD: Agency vs Practitioner

Agency vs. Practitioner

1. Practitioner – Authorization includes the ability to initiate a transaction without review by the Custodian. Independent primary review of such transactions is not included in the model.

Page 10

SoD: Agency vs Practitioner

Agency vs. Practitioner ??

2. Practitioner – no Secondary Review of any transaction is included in the model. Secondary Review provides assurance regarding the quality of the Primary Review process, i.e., repeatability.

Page 11

SoD: Agency vs Practitioner

Agency ?? vs. Practitioner

3. Agency – no mention of Recordkeeping, which separates data gathering from evaluation to enhance efficiency.

Page 12

SoD: Agency vs Practitioner

Agency vs. Practitioner ?Needed?

4. Practitioner – includes physical assets in Custody, and records-based assets and liabilities such as A/R and A/P in Recording, and segregates them. This merely reduces embezzlement of physical assets by substitution of records-based assets/expenses.

Page 13

SoD: Practitioner vs Reality

Practitioner

5. Practitioner – In practice, Recording is often NOT segregated from Custody for efficiency reasons, e.g., the Receiver prepares the Receiving Report, the Cashier prepares invoices/receipts, etc. How can this be? What is missing?

Page 14

SoD: Ambiguity

Three domains diverge:
1) Agency-based model
2) Practitioner model
3) Business practice

Opportunity: Integrate these models to rigorously evaluate internal control for theory, evaluation, and training.

Page 15

Primary SoD

Primary SoD reflects:
1. Agency – Initiation of transactions in Custody
3. Practitioner – Recording for efficiency
4. Agency – All asset types included in Custody
5. Practice – Recording and Custody not segregated
6. Reconciliation added to ensure the Record is reliable
But lacks Secondary Review to ensure repeatability

Page 16

Secondary SoD

Secondary SoD reflects:
2. Agency – Secondary Review for repeatability, based on:
3. Practitioner – Recording for efficiency
6. Reconciliation to ensure the Record is reliable
Requires Authorization of Reconciliation to verify assets while Reconciliation is being performed (Blokdijk, 2004)

Page 17

SoD: IT Aspects – Primary SoD

New technology, different process steps, but the same approach: each Custody duty is evaluated independently. No need for segregation across columns!

[Diagram: rows Authorization and Custody; Data columns: Transaction Input, Input Checks, Master File Changes, Review; Programs columns: Programming/Maintenance, Testing, Copy to Production, Promotion Control, Operations, Job Control]

Page 18

SoD: IT Aspects – Primary SoD

Access Control is a precondition for SoD, akin to procedure definition in a manual system. It must be segregated from all other duties.

[Diagram: as on Page 17 (rows Authorization and Custody; Data columns: Transaction Input, Input Checks, Master File Changes, Review; Programs columns: Programming/Maintenance, Testing, Copy to Production, Promotion Control, Operations, Job Control), with Access Control added]

Page 19

SoD: IT Aspects – Prog Chgs

Unconventional segregations more cost-effective?

[Diagram: rows Authorization and Custody; columns Programming/Maintenance, Testing, Copy to Production, Promotion Control, Operations, Job Control; PCC with 2 people: Emp 1, Emp 2]

Page 21

SoD: IT Aspects – Data Control

No need to segregate Master File changes from Transaction initiation

[Diagram: rows Authorization and Custody; Data columns: Transaction Input, Input Checks, Master File Changes, Review]

Page 22

IT Aspects – Secondary SoD

Primary SoD has elements of traditional requirements, but some differences:
- Access control with authentication
- Data input controls, but… master file changes can be done by the transaction initiator
- Program change control, but… don’t need 3 separate roles (Program, Test, Operations) for PCC, only 2
- Overall, need at least 3 people for Primary SoD (2 for PCC + 1 for Access Control)

Page 23

IT Aspects – Secondary SoD

Secondary SoD requires:
- Secondary review of the above to ensure all are operating effectively
Yet rarely addressed!

An inconsistent standard vis-à-vis manual processes?
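The Primary and Secondary SoD rules stated on Pages 17 to 23 can be checked mechanically over a duty-assignment table. The Python below is an added example, not code from the presentation or its author. The employee names emp1 to emp4 and the assignments are constructed, and two readings are assumptions of the example rather than statements from the slides: that each Custody column is paired with the Authorization column next to it in the diagram (programming reviewed by testing, copy-to-production by promotion control, operations by job control), and that the access-control holder is excluded from secondary review as well, applying the "segregate from all other duties" rule of Page 18 to that duty too.

```python
"""Added example: checker for the Primary and Secondary SoD rules the slides
state for IT processes, run over constructed duty assignments."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Duty:
    """One Custody column of the slides' IT layout: who performs the duty and
    who independently reviews it (the Authorization row). The optional
    secondary reviewer is the Secondary SoD layer: a review of the review."""
    name: str
    performer: str
    primary_reviewer: str
    secondary_reviewer: Optional[str] = None


@dataclass(frozen=True)
class SodModel:
    access_control_admin: str   # holder of the access-control precondition (Page 18)
    duties: tuple


def primary_sod_violations(model: SodModel) -> list:
    """Primary SoD as the slides describe it:
    (a) each Custody duty is reviewed by someone other than its performer;
    (b) the access-control holder takes part in no other duty.
    Deliberately NOT enforced: segregation across columns. One person may
    perform or review several different duties (Pages 17, 19, 21)."""
    problems = []
    for d in model.duties:
        if d.performer == d.primary_reviewer:
            problems.append(f"{d.name}: {d.performer} performs and reviews the same duty")
        for role, who in (("performs", d.performer), ("reviews", d.primary_reviewer)):
            if who == model.access_control_admin:
                problems.append(f"{d.name}: access-control holder {who} also {role} it")
    return problems


def secondary_sod_violations(model: SodModel) -> list:
    """Secondary SoD (Pages 16, 23): every primary review is itself reviewed by
    someone independent of the performer and the primary reviewer.
    Assumption of this example: the access-control holder is excluded here too,
    applying the 'segregate from all other duties' rule of Page 18."""
    problems = []
    for d in model.duties:
        if d.secondary_reviewer is None:
            problems.append(f"{d.name}: primary review is never itself reviewed")
        elif d.secondary_reviewer in (d.performer, d.primary_reviewer,
                                      model.access_control_admin):
            problems.append(f"{d.name}: secondary reviewer {d.secondary_reviewer} "
                            "is not independent")
    return problems


def headcount(model: SodModel) -> int:
    """Number of distinct people the assignment needs."""
    people = {model.access_control_admin}
    for d in model.duties:
        people.update(p for p in (d.performer, d.primary_reviewer, d.secondary_reviewer) if p)
    return len(people)


# Constructed assignment (emp1..emp3 are placeholders): program change control
# with two people who review each other's columns, the same person initiating
# transactions and master file changes, and one separate access-control holder.
PRIMARY_ONLY = SodModel(
    access_control_admin="emp3",
    duties=(
        Duty("transaction_input", performer="emp1", primary_reviewer="emp2"),
        Duty("master_file_changes", performer="emp1", primary_reviewer="emp2"),
        Duty("programming_maintenance", performer="emp1", primary_reviewer="emp2"),
        Duty("copy_to_production", performer="emp2", primary_reviewer="emp1"),
        Duty("operations", performer="emp2", primary_reviewer="emp1"),
    ),
)

# Same duties, but the access-control holder also does operational work.
COLLAPSED = SodModel(access_control_admin="emp2", duties=PRIMARY_ONLY.duties)

# Secondary SoD layered on top with an independent fourth person (emp4).
WITH_SECONDARY = SodModel(
    access_control_admin="emp3",
    duties=tuple(Duty(d.name, d.performer, d.primary_reviewer, "emp4")
                 for d in PRIMARY_ONLY.duties),
)

if __name__ == "__main__":
    for label, m in (("primary only", PRIMARY_ONLY), ("collapsed", COLLAPSED),
                     ("with secondary", WITH_SECONDARY)):
        print(f"{label}: {headcount(m)} people")
        for p in primary_sod_violations(m) + secondary_sod_violations(m):
            print("  -", p)
```

Running it shows the three-person arrangement of Page 22 passing the primary check with no cross-column segregation, every one of its duties failing the secondary check (the gap Page 23 points at), and the collapsed arrangement failing as soon as the access-control holder performs or reviews anything else.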

Page 24

Implications, Contributions

1. Integration of the Agency Theory model, the Practitioner model, and Practice identifies limitations in the two models.

2. Insights allow for unconventional duty combinations in manual and IT processes.

3. Not all segregations are equal – Primary vs Secondary.

4. Secondary segregations are common for organizational control processes, but not for the IT-based processes that they rely upon.