
X-Raying Segregation of Duties Support to Illuminate an Enterprise’s Immunity to Solo-Fraud

UWCISA University of Waterloo Centre for Information Systems Assurance 5 th Symposium on Information Systems Assurance Information Integrity and Business Systems. X-Raying Segregation of Duties Support to Illuminate an Enterprise’s Immunity to Solo-Fraud. Computational Auditing Philip Elsas





Presentation Transcript


  1. UWCISA University of Waterloo Centre for Information Systems Assurance, 5th Symposium on Information Systems Assurance: Information Integrity and Business Systems. X-Raying Segregation of Duties Support to Illuminate an Enterprise’s Immunity to Solo-Fraud. Computational Auditing, Philip Elsas, October 12, 2007 - Toronto, Canada

  2. Introduction • Since 2003: Company, Netherlands, Canada • 1988-2003: Deloitte. Principal & Chief System Architect, inventor of Smart Audit Support. Since 1994 key in Deloitte’s worldwide audit practice. Currently part of “The Deloitte Audit” • 1990-1996: PhD “Computational Auditing”, chapter 5: Smart Audit Support. Computational Auditing

  3. X-Raying SoD: Agenda • What’s the Challenge? • Solution Claim: 5 Perspectives • “Look & Feel”: Input & Output • What’s in it for the Auditor? • Support Status. Computational Auditing

  4. 1 What’s the Auditor’s SoD Challenge? SoD in Client’s Body of Authorizations: Voluminous, Automated (more systems) & Non-Automated, Mutually Different Systematics. SOx section 404, ISA 315, SAS 70, ISA 240 §17-20, excl. Collusion & Overriding: Potential Solo-Fraud, for all Officials. Audit Budget, Effective & Efficient: - Assess/Diagnose SoD - Advise on SoD Improvement. Tooling: - Best/Worst Practice Database: Quality & Tailoring: Ongoing - (ERP) System-Oriented SoD Analysis: Critical Combinations of Transactions; Crossing system border? Computational Auditing

  5. 2 What’s the Auditor’s SoD Challenge? SOx section 404, ISA 315, SAS 70, ISA 240 §17-20, excl. Collusion & Overriding: Potential Solo-Fraud, for all Officials. SoD in Client’s Body of Authorizations: Voluminous, Automated (more systems) & Non-Automated, Mutually Different Systematics. Effective & Efficient, Audit Budget: - Assess/Diagnose SoD - Advise on SoD Improvement. NEEDED IS: INTEGRATING TOOL. ENTERPRISE-WIDE. UNIFYING. Computational Auditing

  6. X-Raying SoD: Agenda • What’s the Challenge? • Solution Claim: 5 Perspectives • “Look & Feel”: Input & Output • What’s in it for the Auditor? • Support Status. Computational Auditing

  7. 3 Solution Claim: What is it? Auditor’s Perspective. The SoD Support is software that: • detects Weaknesses and Reparation Opportunities in an organization with respect to SoD, in Design and as Implemented • delivers Crucial Information to the auditor, that up to now he had to find in a difficult and “ad hoc” way • hunts down the weaknesses Systematically, and thus Completely. With thanks to Prof. Hans Blokdijk RA for a first summarization, 2005. Computational Auditing

  8. 4 Solution Claim: What is it? IT Perspective. The SoD software package: • gives an Overview of all potential single-employee frauds, so-called Solo-Frauds • indicates which Measures are minimally required to create an SoD in which Solo-Fraud is impossible • and, as the crowning touch: it Proves the Absence of Solo-Frauds. From: Interview in ‘de Accountant’, February 2006, by Nart Wielaard RA. Computational Auditing

  9. 5 Solution Claim: What is it? Usage Perspective. It is a powerful tool to assess SoD in systems: • by getting an overview of all User Profiles in (ERP) Systems, with special attention to record-keeping account-chains • and deriving Authorization Tables from it • and reading this into the SoD Support + intercepting Authorization Change Requests for analysis: Continuous Control Monitor. Feedback from Peter Waas RE RA, 2005, National Coordinator Financial Auditing and EDP Auditing, Dutch Tax Office. Computational Auditing
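Slides 8 and 9 describe the analysis pipeline in words: derive an authorization table from user profiles, hold it against critical combinations of transactions, list every potential solo-fraud, compute the minimally required measures, and screen authorization change requests before they are granted. The following is an added example that is not code from the presentation or from the SoD Support product; the authorization table, the critical combinations and the user names are constructed for illustration, and the "minimal measures" routine is a brute-force hitting-set search rather than whatever the product itself does.

```python
from itertools import combinations

# Constructed authorization table: user -> set of transactions the user may execute.
# In practice this would be derived from ERP user profiles (slide 9); these rows are made up.
AUTHORIZATIONS = {
    "alice": {"create_vendor", "approve_invoice", "release_payment"},
    "bob":   {"create_vendor", "post_goods_receipt"},
    "carol": {"approve_invoice"},
    "dave":  {"release_payment", "reconcile_bank"},
    "erin":  {"reconcile_bank"},
}

# Constructed critical combinations: transactions that, held by one person,
# let that person complete and conceal a fraud alone (a potential solo-fraud).
CRITICAL_COMBINATIONS = {
    "fictitious_vendor_payment": {"create_vendor", "approve_invoice", "release_payment"},
    "conceal_payment": {"release_payment", "reconcile_bank"},
}


def solo_fraud_base(auths, criticals):
    """Overview of all potential solo-frauds: {user: [combination names the user fully holds]}."""
    findings = {}
    for user, rights in auths.items():
        hits = sorted(name for name, combo in criticals.items() if combo <= rights)
        if hits:
            findings[user] = hits
    return findings


def is_solo_fraud_free(auths, criticals):
    """The 'absence of solo-frauds' statement: true only when no user holds any critical set."""
    return not solo_fraud_base(auths, criticals)


def minimal_remediation(rights, criticals):
    """Smallest set of transactions to take away from one user so that no critical set remains.

    Exhaustive search over removal subsets ordered by size (a minimum hitting set);
    per-user right sets are small, so this is cheap."""
    violated = [combo for combo in criticals.values() if combo <= rights]
    if not violated:
        return set()
    candidates = sorted(set().union(*violated))
    for size in range(1, len(candidates) + 1):
        for removal in combinations(candidates, size):
            remaining = rights - set(removal)
            if not any(combo <= remaining for combo in violated):
                return set(removal)
    return set(candidates)  # unreachable: removing every candidate always breaks each set


def remediation_plan(auths, criticals):
    """Minimally required measures per user, as {user: transactions to remove}."""
    return {user: minimal_remediation(rights, criticals)
            for user, rights in auths.items()
            if minimal_remediation(rights, criticals)}


def check_change_request(auths, criticals, user, new_transaction):
    """Continuous control monitoring: which critical sets would granting
    new_transaction to user newly complete? Empty list means the request is clean."""
    current = auths.get(user, set())
    proposed = current | {new_transaction}
    return sorted(name for name, combo in criticals.items()
                  if combo <= proposed and not combo <= current)


if __name__ == "__main__":
    print("Solo-fraud base:", solo_fraud_base(AUTHORIZATIONS, CRITICAL_COMBINATIONS))
    print("Minimal measures:", remediation_plan(AUTHORIZATIONS, CRITICAL_COMBINATIONS))
    print("Change request erin + release_payment:",
          check_change_request(AUTHORIZATIONS, CRITICAL_COMBINATIONS, "erin", "release_payment"))
```

With the constructed data the overview names alice (fictitious vendor payment) and dave (concealed payment); the minimal measure for each is a single transaction removal, and the change-request check flags erin's request for release_payment because it would complete the conceal_payment set. Applying the plan and re-running the overview is what turns "we found no conflicts" into the absence statement of slide 8.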

  10. 6 Solution Claim: What can it do? Audit Practice Perspective - SRA. The SoD Support is, in SRA’s audit practice: • a very good instrument for the auditor to compare the Minimally Required SoD with the Current SoD • a good advisory product with which you can Demonstrate the Risks that are present to the businessman, so that he can assess them himself. From: Interview in ‘de Accountant’, 2006, with Harold Kinds RA, Technical Auditing Director, SRA. SRA: 6000 auditors, 370 offices, Dutch member firm of the International Network of Accountants and Auditors. Computational Auditing

  11. 7 Solution Claim: Audit Practice Perspective - Ernst & Young. The SoD Support: • offers Added Value in both: Output: Diagnosis & Remediation, and Input: Guiding the Input Preparation Procedure by a Systematic Framework (50%) !! Dedicated Editor: a Top-down, Leveled Process Diagram; Top-Level is: One-Level-Up & Connecting Cycles. Fits in a Modern Audit Approach: 1. Focus on Client’s Processes, 2. Risk Analysis & 3. Items in Financial Statements • is Feasible in Practice • is to be Adopted by Preferred Audit Software Supplier. From: Ernst & Young Pilot Study Evaluation Report and Discussions, Dr. Hans Verkruijsse PhD RE RA & Huub Lucassen RE RA & Team, 2006-2007. Computational Auditing

  12. X-Raying SoD: Agenda • What’s the Challenge? • Solution Claim: 5 Perspectives • “Look & Feel”: Input & Output • What’s in it for the Auditor? • Support Status. Computational Auditing

  13. 8 Example Input: Top-Level Business Process. Enterprise-wide: Unifying Authorizations. Buffer - Static - Balance Items; Transaction - Dynamic - Profit & Loss Items. Top-down, Leveled Diagram; Top-level: Connected Cycles; a Cycle is a Top-level Transaction. Executable Business Model; Systematic; All Enterprise Sizes (Large: SME’s + Hat). Computational Auditing

  14. 9 Observation. The SoD support allows you to model the authorizations existing in reality. You’ll then be encumbered with the following hunting question: is reality properly represented in this model? However, this question is vaporizing. Today authorizations are more and more specified in systems. So what is then left of this difference between authorizations in reality and a model of them, in case both are specified in systems? The only remaining difference is something like a “pragmatic status”: what is a specification used for? For authorizations, “model” and “reality” coincide more and more: model becomes reality and reality becomes model, and showing whether or not a model represents reality becomes absurd. Instead, mathematical proofs of model properties - correctness, integrity, etc. - gain scope, namely: reality, and thus win importance. Computational Auditing

  15. 10 Example Output: Solo-Fraud Base (figure: One Potential Solo-Fraud). Computational Auditing

  16. X-Raying SoD: Agenda • What’s the Challenge? • Solution Claim: 5 Perspectives • “Look & Feel”: Input & Output • What’s in it for the Auditor? • Support Status. Computational Auditing

  17. 11 What’s in it for the Auditor? In comparison with other SoD Conflict Resolution Methods (Quality: + good, o neutral, – weak):

      Application area                                   Cost-Efficient   Effective   Consistent
      Input Preparation                                        +              +           +
      SoD Design - Diagnose - Remediation                      +              +           o
      Implemented SoD - Diagnose - Remediation                 +              +           o
      SoD Change Management                                    +              –           +

      Computational Auditing

  18. X-Raying SoD: Agenda • What’s the Challenge? • Solution Claim: 5 Perspectives • “Look & Feel”: Input & Output • What’s in it for the Auditor? • Support Status. Computational Auditing

  19. 12 Support Status • Software: • Diagram Editor: desktop → downloadable • Analyzer & reporter: desktop → Web • SoD Change Management: → Web • Positioning; converging to combining: • What’s wanted by CA’s audit firm clients: Product adoption by Preferred Software Supplier. What can CA do to arrange? • What’s wanted by CA: Affiliation with University, Auditing Faculty. What can CA do to arrange? Computational Auditing
