Posted: 04-Apr-2018
7/30/2019 S33 - Segregation of Duties 1/16

S33 - Segregation of Duties
Scott Mitchell and Colin Wallace
Segregation of Duties
Scott Mitchell, Senior Manager (503) 478-2193
Colin Wallace, Senior Manager
Our Objectives
- Clarify the role of Segregation of Duties (SOD)
- Demonstrate how to implement effective SOD
- Clarify the evaluation process of current user access
- Demonstrate that management is always surprised after evaluating their SOD
Agenda
- Discuss fraud and risks of fraud
- Define SOD
- Demonstrate a method for evaluating SOD
- Considerations for maintaining SOD
- Examples of findings
Fraud examples in the news
- Societe Generale: French bank loses … due to unauthorized trading
- Siemens AG: Fraudulent consulting contracts ($500M)
- NEC: Invalid revenue ($18M) and kickbacks ($4.2M)
- NBC Universal, Inc.: Treasurer charged with wire fraud ($813K)
The Fraud Triangle
- Pressure/Incentive
- Opportunity
- Rationalization
What is Segregation of Duties?
- How do you define it?
- What is the goal of segregation of duties?
- Are all SOD conflicts equal in importance?
What is Segregation of Duties?
COSO: Dividing or allocating tasks among various individuals, making it possible to reduce the risks of error and fraud.
Contains four components:
- Custody
- Record Keeping
- Reconciliation
What is Segregation of Duties (cont.)?
Ideally, a single individual would have responsibility
Benefits include:
- Safeguarding of assets
- Accurate financial reporting
- Reduced risk of noncompliance (e.g., SOX and external audit)
What is Segregation of Duties (cont.)?
SOD conflicts are not equally important to every company:
- Safeguarding of assets vs. financial reporting risks
- Relative importance of information confidentiality
- Reduced risk when the chain of access is broken
SOD risks are company specific
Evaluating Your SOD
- Create a policy
  - Include a statement that management is responsible for enforcing the policy and maintaining proper SOD
  - Ultimately includes a list of incompatible duties
- Identify the core tasks performed at your company
Evaluating Your SOD
- Identify incompatibilities
  - Risk based for your business
  - Consider sensitive duties such as posting of journal entries, performing reconciliations, and Vendor Master
Example SOD Matrix
[Matrix: rows and columns are the sensitive activities Customer Master, Sales Order Entry/Edit, Sales Order Approval, Ship Confirm, Vendor Master, Requisition Entry/Edit, Requisition Approval, Purchase Order Entry/Edit, Purchase Order Approval, Receiving, and Inventory Adjustment Entry; each cell holds 1 or 0 to flag whether the pair of activities is an SOD conflict.]
Evaluating Your SOD (cont.)
- Translate requirements into applications
  - Define menus or objects granting user access
  - Identify the sensitive objects associated with conflicting duties
  - Time consuming, depending on the system
Evaluating Your SOD (cont.)
- Roles for key responsibilities with well-defined
  - Shipping/Receiving
  - Purchasing
  - Accounts Payable
  - Accounts Receivable
Evaluating Your SOD (cont.)

Object    Description                                   Area
P0012     Automatic Accounting Instructions             AAI
P0022     Tax Rules                                     Tax
P0030G    G/L Bank Accounts                             Accounting
P03013    Customer Master                               Customer Master
P03B0001  Speed Receipts Entry                          Receiving
P03B0002  Invoice Revisions                             Vendor Invoices Entry/Edit
P03B102   Standard Receipt Entry                        Receiving
P03B11    Standard Invoice Entry                        Vendor Invoices Entry/Edit
P03B11SI  Speed Invoice Entry                           Vendor Invoices Entry/Edit
P03B11Z1  Batch Invoice Revisions                       Vendor Invoices Entry/Edit
P03B121   Work With Electronic Receipts Input           Receiving
P03B123   Electronic Receipt Entry                      Receiving
P03B305   Credit Granting / Management                  Customer Master
P03B42    A/R Deduction Activity Master Maintenance     Customer Master
Evaluating Your SOD (cont.)
- Determine the existing role access rights
  - Identify built-in conflicts provided by each role
  - Document desired changes to roles
- Determine the users assigned to roles
  - … of user conflicts allowed
Evaluating Your SOD (cont.)

Role       Object    Description
GL         P0012     Automatic Accounting Instructions
GL         P0030G    G/L Bank Accounts
AR         P03013    Customer Master
AR         P03B305   Credit Granting/Management
AR         P03B42    A/R Deduction Activity Master Maintenance
Receiving  P03B0001  Speed Receipts Entry
Receiving  P03B102   Standard Receipt Entry
Receiving  P03B121   Work With Electronic Receipts Input
Receiving  P03B123   Electronic Receipt Entry
Tax        P0022     Tax Rules
AP         P03B0002  Invoice Revisions
AP         P03B11    Standard Invoice Entry
AP         P03B11SI  Speed Invoice Entry
AP         P03B11Z1  Batch Invoice Revisions

User   Role
User1  Receiving
User2  Receiving
User3  AP
User4  AP
User5  AR
User6  AR
User7  GL

Tables such as the above will provide information on user access to sensitive transactions.
Evaluating Your SOD (cont.)
[Diagram: User -> Role -> Object -> TransType, joined against the Conflict list of TransType pairs]
The above graphic depicts how user conflicts can be identified using lists of:
- Users/roles
- Roles/objects/transaction types
- Conflicting pairs of transaction types
Evaluating Your SOD (cont.)
Added Requirements
- Roles should not contain built-in conflicts
Additional issues and complexity
- Users assigned to multiple roles
- Users assigned access rights by User ID
- Users accessing multiple systems
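The join described on the previous two slides (users to roles, roles to objects, objects to transaction types, checked against conflicting pairs of transaction types), written out as an added example. This is not the presenters' code or tooling. The roles, objects, areas and User1 through User7 are copied from the slide tables; the conflict pairs and User8 are constructed here, because the matrix cells did not survive and every user on the slide holds a single role. The same functions also cover the "added requirements": a role is checked on its own for built-in conflicts, and a user's transaction types are the union over all assigned roles.

```python
"""Identify SOD conflicts by joining user->role, role->object,
object->transaction-type and conflicting-pair lists.

Added example, not the presenters' code. Roles, objects, areas and
User1..User7 come from the slides; CONFLICT_PAIRS and User8 are
constructed for illustration.
"""
from itertools import combinations

# Object -> transaction type ("Area" column of the slide table)
OBJECT_TYPES = {
    "P0012": "AAI",
    "P0022": "Tax",
    "P0030G": "Accounting",
    "P03013": "Customer Master",
    "P03B0001": "Receiving",
    "P03B0002": "Vendor Invoices Entry/Edit",
    "P03B102": "Receiving",
    "P03B11": "Vendor Invoices Entry/Edit",
    "P03B11SI": "Vendor Invoices Entry/Edit",
    "P03B11Z1": "Vendor Invoices Entry/Edit",
    "P03B121": "Receiving",
    "P03B123": "Receiving",
    "P03B305": "Customer Master",
    "P03B42": "Customer Master",
}

# Role -> objects (slide "Role / Object / Description" table)
ROLE_OBJECTS = {
    "GL": ["P0012", "P0030G"],
    "AR": ["P03013", "P03B305", "P03B42"],
    "Receiving": ["P03B0001", "P03B102", "P03B121", "P03B123"],
    "Tax": ["P0022"],
    "AP": ["P03B0002", "P03B11", "P03B11SI", "P03B11Z1"],
}

# User -> roles. User1..User7 from the slide; User8 is constructed to
# show a user assigned to multiple roles.
USER_ROLES = {
    "User1": ["Receiving"], "User2": ["Receiving"],
    "User3": ["AP"], "User4": ["AP"],
    "User5": ["AR"], "User6": ["AR"],
    "User7": ["GL"],
    "User8": ["Receiving", "AP"],  # constructed
}

# Constructed conflicting pairs of transaction types (the slide's matrix
# values were not recoverable, so these are illustrative only).
CONFLICT_PAIRS = {
    frozenset({"Receiving", "Vendor Invoices Entry/Edit"}),
    frozenset({"Accounting", "Vendor Invoices Entry/Edit"}),
}


def role_transaction_types(role, role_objects=ROLE_OBJECTS,
                           object_types=OBJECT_TYPES):
    """Transaction types reachable through one role: role -> objects -> type."""
    return {object_types[obj] for obj in role_objects.get(role, ())}


def conflicting_pairs(types, conflict_pairs=CONFLICT_PAIRS):
    """Sorted list of conflicting (a, b) pairs within a set of types."""
    return sorted(
        tuple(sorted(pair))
        for pair in combinations(sorted(types), 2)
        if frozenset(pair) in conflict_pairs
    )


def find_role_conflicts(role_objects=ROLE_OBJECTS, object_types=OBJECT_TYPES,
                        conflict_pairs=CONFLICT_PAIRS):
    """Built-in conflicts: one role alone grants both sides of a pair."""
    result = {}
    for role in role_objects:
        types = role_transaction_types(role, role_objects, object_types)
        pairs = conflicting_pairs(types, conflict_pairs)
        if pairs:
            result[role] = pairs
    return result


def find_user_conflicts(user_roles=USER_ROLES, role_objects=ROLE_OBJECTS,
                        object_types=OBJECT_TYPES, conflict_pairs=CONFLICT_PAIRS):
    """User conflicts: union of types over all assigned roles, then check."""
    result = {}
    for user, roles in user_roles.items():
        types = set()
        for role in roles:
            types |= role_transaction_types(role, role_objects, object_types)
        pairs = conflicting_pairs(types, conflict_pairs)
        if pairs:
            result[user] = pairs
    return result


if __name__ == "__main__":
    print("Roles with built-in conflicts:", find_role_conflicts())
    print("Users with conflicts:", find_user_conflicts())
```

With the slide's roles, no role is internally conflicting and no single-role user is flagged; User8, holding both Receiving and AP, is reported for the Receiving / Vendor Invoices Entry/Edit pair. Swapping in a real access export means replacing the three dictionaries; the checks do not change.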
Evaluating Your SOD (cont.)
Does this solve all issues? Not likely.
- Small groups of users
- System constraints
- Manual activities outside the system
Detective controls have a role
- Audit trails
- Exception reports
Evaluating Your SOD (cont.)
Other sources of SOD concern:
- Application administrator access
- Security administrator and user setup
- Programmer access to production
- Powerful utilities
- Shared passwords
- Access to edit/change audit tables
Maintaining SOD
Prevention
- Tools for granting user access rights; IT becomes a gatekeeper
- Conflicts raised for added approval or mitigation
- Role and user change controls
- Maintain strong authentication requirements
Maintaining SOD (cont.)
Detection
- Internal audit
- Periodic evaluation and monitoring
- Exception reporting
Automated Methods
- Automated monitoring
- ERP system tools and workflow
SOD Observations
- What have you seen in SOD findings?
- What conflicts are most concerning to you and your company?
Management is Surprised
- 3,100 KRONOS users could authorize their own payroll
- 1,100 were hourly employees who could approve their own overtime
- All 3,100 could change their vacation accruals and approve payment in lieu of vacation
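The finding above is an access-rights result: the users could approve their own records. The detective controls the deck calls for (audit trails and exception reports) answer the follow-up question of whether anyone actually did. The added example below is such an exception report; it is not the presenters' code and does not use KRONOS or any real export format. The CSV layout and every row in it are constructed for illustration.

```python
"""Exception report over a constructed time-and-pay audit trail.

Added example, not the presenters' code. The column layout and all rows
are constructed; no real system's export format is assumed.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed audit-trail export: one row per approval event.
AUDIT_TRAIL = """\
event_id,record_type,employee,approver,amount
1001,overtime,E100,M200,240.00
1002,overtime,E101,E101,310.00
1003,vacation_accrual_change,E102,E102,16.0
1004,payment_in_lieu_of_vacation,E103,M201,1200.00
1005,payment_in_lieu_of_vacation,E101,E101,950.00
1006,overtime,E104,M200,180.00
"""


def parse_audit_trail(text):
    """Parse the CSV export into a list of dicts; amounts become floats."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["amount"] = float(row["amount"])
    return rows


def self_approval_exceptions(records):
    """Records where the employee approved their own transaction.

    The access analysis says who *could* self-approve; the audit trail
    shows who *did*, which is what the exception report escalates.
    """
    return [r for r in records if r["employee"] == r["approver"]]


def exceptions_by_type(exceptions):
    """Count exceptions per record type (overtime, accrual change, ...)."""
    return dict(Counter(r["record_type"] for r in exceptions))


def repeat_offenders(exceptions, threshold=2):
    """Employees with `threshold` or more self-approvals, for follow-up."""
    counts = Counter(r["employee"] for r in exceptions)
    return sorted(emp for emp, n in counts.items() if n >= threshold)


def build_report(text=AUDIT_TRAIL):
    """Assemble the summary an internal auditor would review."""
    records = parse_audit_trail(text)
    exc = self_approval_exceptions(records)
    return {
        "records": len(records),
        "exceptions": [r["event_id"] for r in exc],
        "by_type": exceptions_by_type(exc),
        "repeat_offenders": repeat_offenders(exc),
        "exposure": round(sum(r["amount"] for r in exc), 2),
    }


if __name__ == "__main__":
    for key, value in build_report().items():
        print(f"{key}: {value}")
```

On the constructed rows the report flags three self-approved events, totals their amounts, and lists E101 as a repeat case. In practice the same report is run periodically against the system's own audit tables, which is also why the deck lists access to edit those tables as a separate SOD concern.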
Key Points
- Segregation of Duties helps prevent fraud and errors
- Companies should identify their risks and controls
- Detective controls can be effective
- A process is needed to correct ineffective SOD
- Maintaining effective SOD requires processes and tools
- Management is always surprised about current access
- Without performing an analysis, SOD issues are apparent after something bad occurs
Questions and Answers
Thank You!
(503) 478-2193
(503) 478-2185

The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.