270 likes | 475 Views
“A Conceptual Model for Segregation of Duties: Integrating Theory and Practice”. Kevin Kobelsky, University of Michigan – Dearborn. Motivation. The Problem: Stealing (intentional) Loss (unintentional). Motivation. The Solution: “Independent Review"
E N D
“A Conceptual Model for Segregation of Duties: Integrating Theory and Practice” Kevin Kobelsky, University of Michigan – Dearborn
Motivation The Problem: Stealing (intentional) Loss (unintentional)
Motivation The Solution: “Independent Review" (underlying principle)achieved throughSegregation of Duties (SoD)
Segregation of Duties • An employee should not be in a position to both1) perpetrate AND 2) conceal Fraud/Irregularities or Unintentional Errors. • Control Approach: • All asset handling is reviewed by independent person, inappropriate action is acted on • Division of a process into subtasks is not enough if no independent review, follow-up action
Segregation of Duties Model Objective: Reduce risk that assets will be stolen/lost/wasted Solution: At least three people required
SoD in Literature - Agency Tirole(1986) examines costs of lack of segregation of Agent from Supervisor
SoD in Literature - Agency Secondary Review has benefits – Beck (1986), Barra (2010) – peer agentsKofman and Lawarée (1993) – peer supervisor
SoD in Literature – Practitioner Standards, Textbooks: AICPA, 2006; Arens et al., 2013; COSO, 1994; Elsas, 1996; Elsas et al., 1998; Fishman, 2000; Louwers et al., 2013; Messier et al., 2012; PCAOB, 2007; Stone, 2009; Weigand and Elsas, 2012; Whittington and Pany, 2013.
SoD: Agency vs Practitioner Agency vs. Practitioner 1. Practitioner Authorization includes ability to initiate a trans’n without review by Custodian – Independent primary review of such transactions not included in model
SoD: Agency vs Practitioner Agency vs. Practitioner ?? 2. Practitioner – no Secondary Review of any transaction is included in model. Provides assurance re: quality of Primary Review process, i.e., Repeatability.
SoD: Agency vs Practitioner Agency ?? vs. Practitioner 3. Agency – no mention of Recordkeeping, which separates data gathering from evaluation to enhance efficiency.
SoD: Agency vs Practitioner Agency vs. ?Needed? Practitioner 4. Practitioner – includes physical assets in Custody, records-based assets, liabilities such as A/R, A/P in Recording. Segregates them. Merely reduces embezzlement of physical assets by substitution of records-based assets/expenses.
SoD: Practitioner vs Reality Practitioner 5. Practitioner – In practice, Recording is often NOT segregated from Custody for efficiency reasons, e.g., Receiver prepares Receiving Report, Cashier prepares invoices/receipts, etc. How can this be? What is missing?
SoD: Ambiguity 3 domains diverge: Agency-based model Practitioner model Business practice Opportunity:Integrate these models to rigorously evaluate internal controlfor theory, evaluation, training.
Primary SoD PrimarySoD reflects 1. Agency – Initiation of trans’n in Custody 3. Practitioner – Recording for efficiency 4. Agency – All Asset types included in Custody 5. Practice – Recording and Custody not segregated6. Reconciliation added to ensure Record reliable But lacks Secondary Review to ensure repeatability
Secondary SoD Secondary SoDreflects 2. Agency – Secondary Review for repeatability, based on: 3. Practitioner – Recording for efficiency 6. Reconciliation to ensure Record reliable. Requires Authorization of Reconciliation to verify assets while Reconciliation being performed (Blokdijk, 2004)
SoD: IT Aspects – Primary SoD Data Programs Auth’n Job Control Promo’n Control InputChecks Testing Review Custody Master FileChgs Oper’ns Program’g Maint’ce Trans’nInput Copy toProd’n New Technology, Different Process Steps But same approach Each Custody duty is evaluated independently No need for segregation across columns!
SoD: IT Aspects – Primary SoD Data Programs Auth’n Job Control Promo’n Control InputChecks Testing Review Custody Master FileChgs Oper’ns Program’g Maint’ce Trans’nInput Copy toProd’n Access Control Access Control is a precondition SoD, akin to procedure definition in manual system. Must segregate from all other duties.
SoD: IT Aspects – ProgChgs Auth’n Job Control Promo’n Control Testing PCC w2 people Custody Program’g Maint’ce Copy toProd’n Oper’ns Emp 1 Emp 2 Unconventional segregations more cost-effective?
SoD: IT Aspects – ProgChgs Auth’n Job Control Promo’n Control Testing PCC w2 people Custody Program’g Maint’ce Copy toProd’n D Oper’ns Emp 1 Emp 2 Unconventional segregations more cost-effective?
SoD: IT Aspects – Data Control Data Auth’n InputChecks Review Custody Master FileChgs Trans’nInput No need to segregate Master file changes from Transaction initiation
IT Aspects – Secondary SoD Primary SoD has elements of traditional requirements, but some differences: Access control with authentication Data input controls, but… master file changes can be done by transaction initiator Program change control, but…don’t need 3 separate roles (Program, Test, Operations) for PCC, only 2 Overall, need at least 3 people for Primary SoD(2 for PCC + 1 for Access Control)
IT Aspects – Secondary SoD Secondary SoD requires: - Secondary review of the above to ensure all are operating effectivelyYet rarely addressed! An inconsistent standard vis-a-vis manual processes?
Implications, Contributions Integration of Agency Theory model, Practitioner model, and Practice identifies limitations in the two models. Insights allow for unconventional duty combinations in manual and IT processes. Not all segregations are equal – Primary vs Secondary Secondary segregations common for organizational control processes, but not for IT-based processes that they rely upon.