“A Conceptual Model for Segregation of Duties: Integrating Theory and Practice”
Kevin Kobelsky, University of Michigan – Dearborn

Motivation
The Problem: Stealing (intentional); Loss (unintentional)

Motivation
The Solution: “Independent Review” (underlying principle), achieved through Segregation of Duties (SoD)
Segregation of Duties
• An employee should not be in a position to both 1) perpetrate AND 2) conceal fraud/irregularities or unintentional errors.
• Control Approach:
  • All asset handling is reviewed by an independent person; inappropriate action is acted on.
  • Division of a process into subtasks is not enough if there is no independent review and follow-up action.

Segregation of Duties Model
Objective: Reduce the risk that assets will be stolen, lost or wasted.
Solution: At least three people required.
SoD in Literature – Agency
Tirole (1986) examines the costs of a lack of segregation of Agent from Supervisor.

SoD in Literature – Agency
Secondary Review has benefits: Beck (1986), Barra (2010) – peer agents; Kofman and Lawarée (1993) – peer supervisor.

SoD in Literature – Practitioner
Standards and textbooks: AICPA, 2006; Arens et al., 2013; COSO, 1994; Elsas, 1996; Elsas et al., 1998; Fishman, 2000; Louwers et al., 2013; Messier et al., 2012; PCAOB, 2007; Stone, 2009; Weigand and Elsas, 2012; Whittington and Pany, 2013.
SoD: Agency vs. Practitioner
1. Practitioner – Authorization includes the ability to initiate a transaction without review by the Custodian; independent primary review of such transactions is not included in the model.

SoD: Agency vs. Practitioner
2. Practitioner – no Secondary Review of any transaction is included in the model. Secondary Review provides assurance regarding the quality of the Primary Review process, i.e., repeatability.

SoD: Agency vs. Practitioner
3. Agency – no mention of Recordkeeping, which separates data gathering from evaluation to enhance efficiency.

SoD: Agency vs. Practitioner
4. Practitioner – includes physical assets in Custody, and records-based assets and liabilities such as A/R and A/P in Recording, and segregates them. This merely reduces embezzlement of physical assets by substitution of records-based assets/expenses.

SoD: Practitioner vs. Reality
5. Practitioner – In practice, Recording is often NOT segregated from Custody for efficiency reasons, e.g., the Receiver prepares the Receiving Report, the Cashier prepares invoices/receipts, etc. How can this be? What is missing?
SoD: Ambiguity
3 domains diverge: Agency-based model; Practitioner model; Business practice.
Opportunity: Integrate these models to rigorously evaluate internal control for theory, evaluation, training.

Primary SoD
Primary SoD reflects:
1. Agency – Initiation of transaction in Custody
3. Practitioner – Recording for efficiency
4. Agency – All asset types included in Custody
5. Practice – Recording and Custody not segregated
6. Reconciliation added to ensure the Record is reliable
But it lacks Secondary Review to ensure repeatability.

Secondary SoD
Secondary SoD reflects:
2. Agency – Secondary Review for repeatability, based on:
3. Practitioner – Recording for efficiency
6. Reconciliation to ensure the Record is reliable.
Requires Authorization of the Reconciliation to verify assets while the Reconciliation is being performed (Blokdijk, 2004).
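As an added illustration (not code from the paper or the slides), the following checker evaluates one process's duty assignment and reports Primary SoD violations (the reconciler also handles or records the asset) separately from Secondary SoD violations (no review of the reconciliation by someone independent of the primary process). The duty names and the constraint set are my reading of the Primary/Secondary SoD slides and are assumptions, not the author's formal model.

```python
"""Segregation-of-duties check for one asset-handling process, following the
slides' Primary / Secondary SoD distinction. Duty names and constraints are this
example's own reading of the slides (an assumption), not the paper's model."""
from dataclasses import dataclass, field

# Primary SoD (as read from the slides): Custody includes initiation of the
# transaction and may be combined with Recording for efficiency; Reconciliation
# is the independent primary review of the record against the assets.
PRIMARY_DUTIES = ("custody", "recording", "reconciliation")
# Secondary SoD: authorization/review of the reconciliation itself, giving
# assurance that the primary review is repeatable.
SECONDARY_DUTY = "secondary_review"


@dataclass
class SodReport:
    primary_violations: list = field(default_factory=list)
    secondary_violations: list = field(default_factory=list)

    @property
    def primary_ok(self) -> bool:
        return not self.primary_violations

    @property
    def secondary_ok(self) -> bool:
        return not self.secondary_violations


def check_sod(assignment: dict) -> SodReport:
    """assignment maps duty name -> person id; one person may hold several duties."""
    rep = SodReport()
    missing = [d for d in PRIMARY_DUTIES if d not in assignment]
    if missing:
        rep.primary_violations.append("unassigned duties: " + ", ".join(missing))
        return rep
    custodian, recorder, reconciler = (assignment[d] for d in PRIMARY_DUTIES)
    # Primary SoD: whoever can perpetrate (handles or records the asset) must
    # not also perform the review that would detect and act on the irregularity.
    if reconciler in (custodian, recorder):
        rep.primary_violations.append(
            f"{reconciler} handles/records assets and also reconciles them")
    # Secondary SoD: the reconciliation must itself be reviewed by someone who
    # took no part in the primary process, so at least three people are needed.
    reviewer = assignment.get(SECONDARY_DUTY)
    if reviewer is None:
        rep.secondary_violations.append("no secondary review of the reconciliation")
    elif reviewer in (custodian, recorder, reconciler):
        rep.secondary_violations.append(
            f"{reviewer} reviews a reconciliation they took part in")
    return rep
```

A constructed assignment in which the receiver both holds and records the goods (slide point 5), a controller reconciles, and a supervisor authorizes the reconciliation passes both checks; dropping the supervisor passes Primary SoD but fails Secondary SoD.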
IT Aspects
Primary SoD has traditional requirements:
• Data input controls
• Access control with authentication
• Program change control
• Independent review of master file changes (note: not segregated from initiation)
Secondary SoD requires:
• Secondary review of the above to ensure all are operating effectively
Yet rarely addressed! An inconsistency with manual processes?

Implications
Integration of the Agency Theory model, the Practitioner model and Practice identifies limitations in the two models.
Not all segregations are equal: Primary vs. Secondary.
Secondary segregations are common for organizational control processes, but not for the IT-based processes that they rely upon.