60 likes | 245 Views
Module 2 Segregation of Duties Case Study Individual Assignment. Accounting Information Systems. Primary Learning Objectives. Investigating how the SAP system assigns authorizations to users Understand how to implement segregation of duties controls
E N D
Module 2Segregation of Duties Case StudyIndividual Assignment Accounting Information Systems
Primary Learning Objectives • Investigating how the SAP system assigns authorizations to users • Understand how to implement segregation of duties controls • Begin to understand the role of risk assessment in implementing controls • Applying the principles of segregation of duties to a case study • Determining how segregation of duties can be applied to a computerized system Accounting Information Systems
Segregation of Duties • Segregation of duties is one of the strongest controls within an accounting system • The following duties should be segregated: • Authorizing the transaction • Recording the transaction • Custody of assets involved in the transaction • Independent verification and reconciliation of the transactions Accounting Information Systems
Risk Analysis • All control assessments, including the segregation of duties, should be based on the analysis of risks • Control should then be applied in order to mitigate those risks • Risks have two components • Threats • Vunerabilities – • Wikidefines vulnerability as the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. • ENISAdefinesvulnerability as the existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event [G.11] compromising the security of the computer system, network, application, or protocol involved. Accounting Information Systems
Steps Involved in the Case • The case deals with the revenue cycle (sales to cash business process) of a hypothetical company • The case consists of four parts • Examine how the SAP system assigns authorizations to users – completed outside of class. • Risk assessment – analyze the threats to the company‘s revenue cycle • Allocate tasks to employees to properly segregate duties • Develop an authorization matrix for segregating duties on a computerized system Accounting Information Systems
Steps Involved in the Case • The case is divided into four parts. • The first three parts deal with assessing risk, assigning tasks to achieve proper segregation of duties, and completing a matrix to assign authorizations in a computerized environment. • The fourth part must be done outside of class, as we have been warned SAP writes all the authorizations to the archive log. A class as small as 40 students has crashed the entire instance. • This part deals with investigating how SAP sets up authorizations for users. Accounting Information Systems