SEGREGATION OF DUTIES
An analysis of the cycles shows where segregation of duties should be employed. Specifically, within
a cycle, the steps in that cycle (initiating, authorizing, recording, reviewing, etc.) should be
segregated as much as possible. When not possible or feasible, the compensating control of formal
supervision and monitoring is necessary to help mitigate the risk of fraud. The illustration of sending
bank statements directly to management or internal audit for their review is one type of formal
supervision that could be used.
Essentially, there are three basic elements in an automated (as opposed to manual) accounting information system:
2. Computer hardware: physical equipment that includes processing and communications units (mainly various types of servers, network devices, and personal computers) and peripheral devices, from keyboards to laptops, mobile phones, and PDAs
3. Computer software: programs or instructions that enable the computer to perform a business function (including protecting and managing other computer systems and data) using the data input by personnel
It is important to note that these elements are over and above those in conventional (manual) accounting systems, where the normal procedures are presumed to be in place. The major difference is that fewer personnel are directly connected with the actual use of data in a computerized system, since programs and stored data are used to automate manual processing. From a risk perspective, automation may shift risks in the environment to a degree, but basic risks such as unrecorded or inaccurately entered transactions cannot be eliminated. Auditors and accountants have to understand the technology, the process, and the controls in order to prevent, detect, and investigate fraud. Because many users have access to data through applications, the process for granting user access to software is quite important. Many applications in today's market are intranet, extranet, or Web applications, especially intranet applications. Often user access to the network automatically grants access to the software program, which again authenticates the user and authorizes the person to have certain privileges or permissions in the given application. When this is the case, controlling access at the network level almost completely removes the possibility that users who have been removed from the network can still reach the application.
This situation is just one example of how the systems infrastructure can affect
security over data; each system is unique. Fraud auditors need to truly understand
the process and controls in order to effectively conduct a fraud audit using the
Specifying the typical information systems, or information technology (IT), department is difficult, but some generalizations can be made. While some decentralization usually exists, most organizations have a centralized IT department servicing the entire organization. The employees in that department are technology specialists of some kind, working in security, administration, databases, software, or systems projects. The IT department develops, maintains, and supports systems and data for the rest of the organization, especially end (systems) users and business owners. This section briefly describes the jobs in the IT department.
4. Management
Both systems and business management over the accounting system are important in regard to
fraud for two reasons:
5. Security
The gatekeepers to networks, systems, applications, and, most important, data, are security
personnel. Besides managing physical access, they manage user access (adding, editing, and
removing) to systems (logical access). Controlled physical access, except in unique industries and
government, is not normally as essential to security as controlled logical access.
Depending on the information system infrastructure (hardware, software, data, and communications devices), different areas of physical and logical access are high risk. Defining access can be difficult for several reasons, including a lack of security awareness on the part of the business managers requesting access, a lack of business knowledge on the part of security staff, complex access permission options, and access groups (profiles) or privileges that are not well defined or periodically reviewed. Even if access is defined properly, keeping user access up to date is critical; study after study has found that neglecting to do so greatly increases the possibility of fraud.
Periodic reviews of user access, especially when aimed at high-level and terminated users, are the best single control related to unauthorized access when done thoroughly; reviews should reconcile access privileges with user responsibilities and consider segregation of duties. To keep access rights accurate, an effective line of communication must exist, well-defined processes and procedures must be in place, and the personnel responsible for reporting changes to user access must understand the importance of this area and act accordingly.
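The review described above can be run as a reconciliation: compare the entitlements actually provisioned in an application against the HR roster and the entitlements each job role is supposed to carry, and flag terminated users, users unknown to HR, privileges beyond the role, and segregation-of-duties conflicts. The following is an added example written for this page, not code from the book or from any product; the roster, role matrix, conflict pairs and access list are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample data (not taken from any real system).
# HR roster: user id -> (job role, employment status)
HR_ROSTER = {
    "asmith": ("ap_clerk", "active"),
    "bjones": ("ap_manager", "active"),
    "cdoe":   ("ap_clerk", "terminated"),
    "dlee":   ("it_admin", "active"),
}

# Entitlements each job role is supposed to carry (the "responsibilities" side).
ROLE_ENTITLEMENTS = {
    "ap_clerk":   {"vendor_create", "invoice_enter"},
    "ap_manager": {"invoice_approve", "payment_release", "report_view"},
    "it_admin":   {"user_admin"},
}

# Pairs of entitlements that one person should never hold together.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_release"}),
    frozenset({"invoice_enter", "invoice_approve"}),
    frozenset({"user_admin", "payment_release"}),
}

# Entitlements actually provisioned in the application (the access list under review).
ACCESS_LIST = {
    "asmith": {"vendor_create", "invoice_enter"},
    "bjones": {"invoice_approve", "payment_release", "report_view", "vendor_create"},
    "cdoe":   {"vendor_create", "invoice_enter"},
    "dlee":   {"user_admin", "payment_release"},
    "ghost":  {"report_view"},
}


@dataclass
class Finding:
    user: str
    kind: str    # "terminated", "unknown_user", "excess_privilege" or "sod_conflict"
    detail: str


def review_access(access_list, roster, role_entitlements, sod_conflicts):
    """Reconcile provisioned access against HR data, role design and SoD rules."""
    findings = []
    for user, granted in sorted(access_list.items()):
        if user not in roster:
            # An account with no owner in HR: orphaned or fictitious.
            findings.append(Finding(user, "unknown_user", "not on HR roster"))
            continue
        role, status = roster[user]
        if status == "terminated":
            findings.append(Finding(user, "terminated", f"still holds {sorted(granted)}"))
        excess = granted - role_entitlements.get(role, set())
        if excess:
            findings.append(Finding(user, "excess_privilege",
                                    f"beyond role {role}: {sorted(excess)}"))
        for pair in sorted(sod_conflicts, key=lambda p: sorted(p)):
            if pair <= granted:
                findings.append(Finding(user, "sod_conflict", " + ".join(sorted(pair))))
    return findings


def summarize(findings):
    """Count findings by kind, for the reviewer's summary."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in review_access(ACCESS_LIST, HR_ROSTER, ROLE_ENTITLEMENTS, SOD_CONFLICTS):
        print(f"{f.user:8} {f.kind:17} {f.detail}")
```

Each finding is something the review must resolve with the business owner: a terminated user still provisioned, an entitlement that no longer matches the person's job, or a combination of rights that defeats segregation of duties even though each right on its own is legitimate.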
Security personnel also manage parameters, settings, and technology related to security. Parameters
and settings refer to the options available to customize security in infrastructure components. For
example, security management software has parameters and settings for the use of password
requirements.
Experienced security personnel know best practices for passwords—such as length (requiring six to eight characters), complexity (including a capital letter and a number or special character), expiration (enforcing a change of password after a set number of days), and lockout (after a set number of failed attempts to access the system, the user is locked out for a set time period). Experienced security personnel also know that end users have to be aware of the importance of passwords and know how to protect them, especially by not leaving them in the drawer right beside the computer or, even worse, written on a sticky note attached to the computer screen. It happens too often!
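The four parameters named above (length, complexity, expiration, lockout) are what a security administrator actually configures, and the following added example shows them as enforceable logic rather than as a description. It is written for this page and is not code from the book or from any security management product; the threshold values (minimum length 8, 90-day expiry, lockout for 15 minutes after 5 failures inside a 15-minute window) are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta


class PasswordPolicy:
    """Policy parameters as an administrator would set them (values are assumptions)."""

    def __init__(self, min_length=8, max_age_days=90,
                 lockout_threshold=5, lockout_minutes=15):
        self.min_length = min_length
        self.max_age_days = max_age_days
        self.lockout_threshold = lockout_threshold
        self.lockout_minutes = lockout_minutes

    def check_complexity(self, password):
        """Return a list of rule violations; an empty list means the password passes."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if not re.search(r"[A-Z]", password):
            problems.append("no capital letter")
        if not re.search(r"[0-9]", password) and not re.search(r"[^A-Za-z0-9]", password):
            problems.append("no number or special character")
        return problems

    def is_expired(self, last_changed, now):
        """Expiration: force a change once the password is older than max_age_days."""
        return now - last_changed > timedelta(days=self.max_age_days)


class LockoutTracker:
    """Lockout: count failed attempts per user inside a sliding window."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = defaultdict(list)   # user -> timestamps of recent failures
        self.locked_until = {}              # user -> time the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now):
        """Record a failed attempt; return True if this one triggers a lockout."""
        window = timedelta(minutes=self.policy.lockout_minutes)
        recent = [t for t in self.failures[user] if now - t <= window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.policy.lockout_threshold:
            self.locked_until[user] = now + window
            self.failures[user] = []
            return True
        return False

    def record_success(self, user):
        """A successful login clears the failure counter and any lock."""
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(policy.check_complexity("short"))
    print(policy.is_expired(datetime(2024, 1, 1), datetime(2024, 6, 1)))
```

The failure window is what separates a lockout control from a denial-of-service hazard: failures older than the window are discarded, so a legitimate user who mistypes once a day is never locked out, while a burst of failures locks the account for the configured period.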
Most IT departments have specialized security personnel who manage the integrity of networks,
critical applications, and other high-risk areas specific to the organization. They deal with issues such
as encryption of data, remote access (VPN), application and data security, and surveillance and
monitoring. These types of personnel perform the technical security work; for example, selecting a
firewall, customizing it to the business process and needs, and monitoring it. They may also assist in
developing, testing, or monitoring systems, as well as probing them for weaknesses. Security
personnel are in a good position to relay any system weaknesses, although they are also in a good
position to attempt to defraud systems.
6. Administrators
The term administrator is used quite loosely but generally means someone who oversees, or literally administers, some kind of system or data such as a network, operating system, application, or database. For example, database administrators oversee a database or a group of related databases to ensure the data has integrity. Database administrators help maintain database structures, jobs (small automated programs that run on a schedule to edit or transfer data), data types, settings, relationships, access, content, and other aspects of databases.
Any kind of administrator has what is often called "power-user access." That generally means administrators can manipulate the system within their domain however they please. For example, an application access administrator could potentially (depending on the controls in place) create a fictitious account with high-level privileges, enter fraudulent transactions, and subsequently delete the fictitious account and possibly the audit trail of the activities conducted. Administrator access must be balanced with monitoring, both through technology and through the output of the system; controls here would include monitoring automatic alerts, logging the changes made by administrator accounts, and detailed review of reports on the data under administration.
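The monitoring the paragraph calls for can be made concrete by correlating administrator activity in the log: an account that the same administrator creates, grants a sensitive privilege to, and deletes within a short lifetime, with transactions by that account in between, is exactly the scenario described, and a purge of the audit log is a finding on its own. The following is an added example for this page, not code from the book or from any logging product; the log format (`timestamp key=value ...`), the event names, and the eight log lines are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log; format and event names are assumptions for this example.
LOG_LINES = """\
2024-05-02T09:00:00 actor=dlee event=USER_CREATE target=tmpacct1
2024-05-02T09:00:30 actor=dlee event=PRIV_GRANT target=tmpacct1 priv=payment_release
2024-05-02T09:05:00 actor=tmpacct1 event=PAYMENT amount=48500 payee=VENDOR-9911
2024-05-02T09:07:00 actor=tmpacct1 event=PAYMENT amount=51200 payee=VENDOR-9911
2024-05-02T09:10:00 actor=dlee event=USER_DELETE target=tmpacct1
2024-05-02T09:11:00 actor=dlee event=AUDIT_LOG_PURGE range=2024-05-02
2024-05-03T10:00:00 actor=dlee event=USER_CREATE target=newhire7
2024-05-03T10:00:10 actor=dlee event=PRIV_GRANT target=newhire7 priv=report_view
"""

# Privileges whose grant to a brand-new account deserves attention (assumed list).
SENSITIVE_PRIVS = {"payment_release", "user_admin"}


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_short_lived_privileged_accounts(records, max_lifetime=timedelta(hours=24)):
    """Flag accounts created and deleted by the same administrator within max_lifetime
    that were granted a sensitive privilege and used for activity in between."""
    alerts = []
    pending = {}   # account -> its USER_CREATE record, until a matching delete arrives
    for rec in records:
        event = rec.get("event")
        if event == "USER_CREATE":
            pending[rec["target"]] = rec
        elif event == "USER_DELETE" and rec["target"] in pending:
            created = pending.pop(rec["target"])
            account = rec["target"]
            if rec["actor"] != created["actor"] or rec["ts"] - created["ts"] > max_lifetime:
                continue
            between = [r for r in records if created["ts"] < r["ts"] < rec["ts"]]
            grants = [r["priv"] for r in between
                      if r.get("event") == "PRIV_GRANT" and r.get("target") == account]
            activity = [r for r in between if r.get("actor") == account]
            if any(g in SENSITIVE_PRIVS for g in grants) and activity:
                alerts.append({
                    "admin": created["actor"],
                    "account": account,
                    "lifetime_minutes": int((rec["ts"] - created["ts"]).total_seconds() // 60),
                    "privileges": grants,
                    "transactions": len(activity),
                })
    return alerts


def detect_audit_tampering(records):
    """Any purge or deletion of the audit trail is reported regardless of who did it."""
    return [r for r in records if r.get("event") in {"AUDIT_LOG_PURGE", "AUDIT_LOG_DELETE"}]


if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    for alert in detect_short_lived_privileged_accounts(recs):
        print("short-lived privileged account:", alert)
    for rec in detect_audit_tampering(recs):
        print("audit trail tampering by", rec["actor"], "at", rec["ts"])
```

The second account (`newhire7`) is created by the same administrator but is never deleted and receives only a reporting privilege, so it produces no alert; the point of the correlation is to separate routine provisioning from the create-use-delete pattern. For the control to work, the log these checks read must be written to a store the administrator cannot alter, which is why the audit-purge check is included.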
7. Change Control
The change control department provides quality assurance over the process of changing programs,
databases, settings, and infrastructure components. Change control is critical because program
changes affect how applications or jobs (tasks) manipulate data, and changes directly to data values
are difficult to automatically record and subsequently monitor. Change control should, at a
minimum, ensure that:
9. Project Management
Managing IT projects is one of the most difficult jobs in systems. Project management is the body of
knowledge that leads to successful implementation of a new or highly revised component of the
organization’s IT system to fulfill some specified business need. Projects are susceptible to failures
on functionality, deadlines, and costs; in fact, most projects fail on at least one of these measures.
This project risk is one reason why project management is important to an organization and may
become important in a fraud audit.
Project management best practices result in a substantial degree of documentation throughout the project: approvals by business owners and other appropriate persons at project milestones, testing results with a comparison of expected to actual results, and user acceptance of the final product. In order to ensure success, the project management processes should be followed diligently. Personnel such as systems analysts and designers, developers, and quality assurance specialists all play key roles in those processes.
The systems analyst works with the various user departments to determine how their needs can best be met, what data must be entered, what processing must be carried out on the input data, what output must be produced, and with what frequency. Systems designers convert those needs into system specifications. From the specifications, the programmer writes, debugs, and documents
changed. Quality assurance staff members examine and evaluate all of the
project steps to date and thoroughly test the system to ensure it is working as
intended.
terminal. When operators are in place, they usually deal with a significantly
tasks for the system to complete and are responsible for the proper use of
input and output devices. Operators monitor for any problems and perform
The librarian stores and retrieves programs and data, usually at a location away from the computer site. Programs and data normally are stored on magnetic tape or disk and serve as a backup if the original software or transaction files are destroyed. The librarian also maintains, under normal circumstances, a log of tapes being checked out from and back into the library.