
1. SEGREGATION OF DUTIES

Segregation of duties is a separation of conflicting interests that mitigates a person’s ability to
subvert the intended process. For example, entities typically require a check signature from a person
who does not authorize payments to mitigate the risk of false disbursements. If a person could
authorize payment and sign the check, what is to stop this person from authorizing a fraudulent
check?

An analysis of the cycles shows where segregation of duties should be employed. Specifically, within
a cycle, the steps in that cycle (initiating, authorizing, recording, reviewing, etc.) should be
segregated as much as possible. When not possible or feasible, the compensating control of formal
supervision and monitoring is necessary to help mitigate the risk of fraud. The illustration of sending
bank statements directly to management or internal audit for their review is one type of formal
supervision that could be used.
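The two checks described above, as an added example that is not part of the original text: a preventive check over role assignments (does any one person hold both duties of a conflicting pair?) and a detective check over disbursement records (was any check signed by the person who authorized it, and if so, did anyone else review it as the compensating control?). The role table, the conflicting-duty policy table and the disbursement records are all constructed sample data; the field names are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from any real entity): which duties each
# person holds, and disbursement records naming who authorized the payment,
# who signed the check, and who (if anyone) independently reviewed it.
ROLE_ASSIGNMENTS = {
    "alice": {"authorize_payment"},
    "bob":   {"sign_check"},
    "carol": {"authorize_payment", "sign_check"},   # conflicting pair held by one person
    "dave":  {"record_entry", "review_entry"},      # conflicting pair held by one person
}

# Hypothetical policy table: pairs of duties that should not rest with one person.
CONFLICTING_DUTIES = [
    ("authorize_payment", "sign_check"),
    ("record_entry", "review_entry"),
]

DISBURSEMENTS = [
    {"check_no": 1001, "amount": 2500.00, "authorized_by": "alice", "signed_by": "bob",   "reviewed_by": None},
    {"check_no": 1002, "amount": 9800.00, "authorized_by": "carol", "signed_by": "carol", "reviewed_by": None},
    {"check_no": 1003, "amount": 120.00,  "authorized_by": "alice", "signed_by": "alice", "reviewed_by": "erin"},
]


def find_toxic_role_combinations(assignments, conflicts):
    """Map each user to the conflicting duty pairs they hold in full.

    Preventive view: a person who can both authorize a payment and sign the
    check can complete a fraudulent disbursement without anyone else's help.
    """
    findings = defaultdict(list)
    for user, duties in assignments.items():
        for duty_a, duty_b in conflicts:
            if duty_a in duties and duty_b in duties:
                findings[user].append((duty_a, duty_b))
    return dict(findings)


def find_self_approved_disbursements(records):
    """Detective view: check numbers where the authorizer also signed the check."""
    return [r["check_no"] for r in records if r["authorized_by"] == r["signed_by"]]


def find_unmitigated_self_approvals(records):
    """Self-approved checks that no independent third person reviewed.

    Where duties could not be segregated, the compensating control is formal
    supervision; a review by someone other than the authorizer/signer is what
    this check accepts as evidence of it.
    """
    return [
        r["check_no"] for r in records
        if r["authorized_by"] == r["signed_by"]
        and r["reviewed_by"] in (None, r["authorized_by"])
    ]


if __name__ == "__main__":
    print("toxic combinations:", find_toxic_role_combinations(ROLE_ASSIGNMENTS, CONFLICTING_DUTIES))
    print("self-approved checks:", find_self_approved_disbursements(DISBURSEMENTS))
    print("self-approved and unreviewed:", find_unmitigated_self_approvals(DISBURSEMENTS))
```

On the sample data, carol and dave hold conflicting pairs, checks 1002 and 1003 were self-approved, and only 1002 lacks the compensating independent review.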

2. ACCOUNTING INFORMATION SYSTEMS

Essentially, there are three basic elements in an accounting information system that is automated as
opposed to manual:

1. Key personnel: management, security, database management, and change control

2. Computer hardware: physical equipment that includes processing and communications units
(mainly various types of servers, network devices, and personal computers) and peripheral devices
from keyboards to laptops, mobile phones and PDAs

3. Computer software: programs or instructions that enable the computer to perform a business
function (including protecting and managing other computer systems and data) using the data input
by personnel

It is important to note that these elements are over and above those in conventional (manual)
accounting systems, where the normal procedures are presumed to be in place. The major
difference is fewer personnel are directly connected with the actual use of data in a computerized
system, since programs and stored data are used to automate manual processing. From a risk
perspective, it is important to note automation may shift risks in the environment to a degree, while
basic risks such as unrecorded or inaccurately entered transactions cannot be eliminated. Auditors
and accountants have to understand the technology, the process, and the control to prevent, detect,
and investigate fraud. As many users have access to data through applications, the process for
granting user access to software is quite important. However, many applications in today’s market
are intranet, extranet, or Web applications, especially intranet applications. Often user access to the
network automatically grants access to the software program, which again authenticates the user
and authorizes the person to have certain privileges or permissions in the given application. When
this is the case, controlling access to the network almost completely eliminates the possibility of
users who were removed from the network gaining access to the application.

This situation is just one example of how the systems infrastructure can affect security over data;
each system is unique. Fraud auditors need to truly understand the process and controls in order to
effectively conduct a fraud audit using the accounting information system.


3. KEY PERSONNEL

Specifying the typical information systems, or information technology (IT), department is difficult,
but some generalizations can be made. While some decentralization usually exists, most organizations
have a centralized IT department servicing the entire organization. The employees in that
department are technology specialists of some kind, with regard to security, administration,
databases, software, or systems projects. The IT department develops, maintains, and supports
systems and data for the rest of the organization, especially end (systems) users and business
owners. This section briefly describes the jobs in the IT department.

4. Management

Both systems and business management over the accounting system are important in regard to
fraud for two reasons:

1. The importance of culture cannot be overstated, and management creates that culture in the
environment it manages.
2. Management ultimately controls what happens within its department; management
can always override controls that do not reach above the given management’s level
of authority.

5. Security

The gatekeepers to networks, systems, applications, and, most important, data, are security
personnel. Besides managing physical access, they manage user access (adding, editing, and
removing) to systems (logical access). Controlled physical access, except in unique industries and
government, is not normally as essential to security as controlled logical access.

Depending on the information system infrastructure (hardware, software, data, and communications
devices), different areas of physical and logical access are high risk. Defining access can be difficult
for several reasons, including a lack of security concern by the business management requesting
access and a lack of business knowledge by security staff, complex access permission options, and
access groups (profiles) or privileges that are not well defined or periodically reviewed. Even if
defined properly, keeping user access up to date is critical, and study after study has found that
neglecting to do so greatly increases the possibility of fraud.

Periodic reviews of user access, especially when aimed at high-level and terminated users, are the
best single control related to unauthorized access when done thoroughly; reviews should reconcile
access privileges with user responsibilities and consider segregation of duties. To maintain access to
data, an effective line of communication must exist, well-defined processes and procedures must be
in place, and personnel responsible for reporting changes to user access must understand the
importance of this area and act accordingly.
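The periodic access review described above, as an added example that is not part of the original text: it reconciles an application's access export against the HR roster and a role-to-entitlement matrix, and reports the three findings an auditor would want first: accounts of terminated users that are still provisioned, accounts with no HR record at all, and profiles that exceed what the user's job role entitles them to. The roster, the entitlement matrix, the access export and the review date are constructed sample data; the field and profile names are assumptions.

```python
from datetime import date

# Constructed HR roster (status and job role per employee); not real data.
HR_ROSTER = {
    "alice": {"status": "active", "role": "ap_clerk"},
    "bob":   {"status": "active", "role": "treasury"},
    "carol": {"status": "terminated", "role": "ap_clerk", "termination_date": date(2024, 3, 1)},
    "erin":  {"status": "active", "role": "it_security"},
}

# Hypothetical entitlement matrix: the application profiles each job role is entitled to.
ENTITLEMENT_MATRIX = {
    "ap_clerk":    {"AP_ENTRY"},
    "treasury":    {"AP_ENTRY", "CHECK_SIGN"},
    "it_security": {"USER_ADMIN"},
}

# Constructed export of current application access (user -> profiles held).
APP_ACCESS = {
    "alice": {"AP_ENTRY", "CHECK_SIGN"},   # holds a profile her role does not entitle her to
    "bob":   {"AP_ENTRY", "CHECK_SIGN"},   # matches the treasury entitlement exactly
    "carol": {"AP_ENTRY"},                 # terminated, still provisioned
    "frank": {"USER_ADMIN"},               # no HR record at all
}

REVIEW_DATE = date(2024, 3, 31)  # constructed "as-of" date for the review


def review_access(app_access, hr_roster, entitlements, as_of):
    """Reconcile provisioned access against HR status and role entitlements.

    Returns (user, finding, detail) tuples in user order:
      orphan_account               - provisioned user with no HR record
      terminated_still_provisioned - detail is days since termination
      excess_privilege             - detail is the profiles beyond the role's entitlement
    """
    findings = []
    for user, profiles in sorted(app_access.items()):
        person = hr_roster.get(user)
        if person is None:
            findings.append((user, "orphan_account", tuple(sorted(profiles))))
            continue
        if person["status"] == "terminated":
            days = (as_of - person["termination_date"]).days
            findings.append((user, "terminated_still_provisioned", days))
            continue
        excess = profiles - entitlements.get(person["role"], set())
        if excess:
            findings.append((user, "excess_privilege", tuple(sorted(excess))))
    return findings


def run_review():
    """Run the review over the constructed sample data as of REVIEW_DATE."""
    return review_access(APP_ACCESS, HR_ROSTER, ENTITLEMENT_MATRIX, REVIEW_DATE)


if __name__ == "__main__":
    for finding in run_review():
        print(*finding)
```

The terminated-user finding carries the number of days the account outlived the termination, which is the figure that shows whether the line of communication from HR to security is actually working.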

Security personnel also manage parameters, settings, and technology related to security. Parameters
and settings refer to the options available to customize security in infrastructure components. For
example, security management software has parameters and settings for the use of password
requirements.

Experienced security personnel know best practices for passwords—such as length (requiring six to
eight characters), complexity (including a capital letter and a number or special character),
expiration (enforces a change of password after a set number of days), and lockout (after a set
number of failed attempts to access the system, the user will be locked out for a set time
period). Experienced security personnel also know that end users have to be aware of the
importance of passwords and know how to protect them, especially by not leaving them in the
drawer right beside the computer or, even worse, written on a sticky note attached to the computer
screen. It happens too often!
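The four password parameters named above (length, complexity, expiration, lockout) as one small policy object with the checks that enforce them, added here as an example that is not part of the original text. The concrete values in `PasswordPolicy` are constructed choices within the ranges the text describes, not a recommendation; the lockout logic keeps rejecting logins until the lock period has elapsed even when the password supplied is correct, which is the behaviour the text's "locked out for a set time period" implies.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class PasswordPolicy:
    # Constructed example values; the text gives length as six to eight characters.
    min_length: int = 8
    require_upper: bool = True
    require_digit_or_special: bool = True
    max_age_days: int = 90          # expiration parameter
    lockout_threshold: int = 5      # failed attempts before lockout
    lockout_minutes: int = 30       # length of the lockout period


def check_password_complexity(policy, candidate):
    """Return the list of rules the candidate fails (empty list means acceptable)."""
    failures = []
    if len(candidate) < policy.min_length:
        failures.append("length")
    if policy.require_upper and not re.search(r"[A-Z]", candidate):
        failures.append("uppercase")
    if policy.require_digit_or_special and not (
        re.search(r"[0-9]", candidate) or re.search(r"[^A-Za-z0-9]", candidate)
    ):
        failures.append("digit_or_special")
    return failures


def password_expired(policy, days_since_change):
    """Expiration: a change is forced once the password is older than max_age_days."""
    return days_since_change > policy.max_age_days


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def record_login_attempt(policy, state, success, now):
    """Apply the lockout rule to one login attempt; returns 'ok', 'failed' or 'locked'."""
    if state.locked_until is not None and now < state.locked_until:
        return "locked"                     # still inside the lockout period, even if correct
    if state.locked_until is not None:      # lockout period has elapsed
        state.locked_until = None
        state.failed_attempts = 0
    if success:
        state.failed_attempts = 0
        return "ok"
    state.failed_attempts += 1
    if state.failed_attempts >= policy.lockout_threshold:
        state.locked_until = now + timedelta(minutes=policy.lockout_minutes)
        return "locked"
    return "failed"


def demo_lockout_sequence(policy=None):
    """Five failures, then a correct login inside the lock, then one after it expires."""
    policy = policy or PasswordPolicy()
    state = AccountState()
    t0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed timestamp
    outcomes = [record_login_attempt(policy, state, False, t0 + timedelta(seconds=i)) for i in range(5)]
    outcomes.append(record_login_attempt(policy, state, True, t0 + timedelta(minutes=10)))
    outcomes.append(record_login_attempt(policy, state, True, t0 + timedelta(minutes=31)))
    return outcomes


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(check_password_complexity(policy, "password"))
    print(password_expired(policy, 120))
    print(demo_lockout_sequence(policy))
```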

Most IT departments have specialized security personnel who manage the integrity of networks,
critical applications, and other high-risk areas specific to the organization. They deal with issues such
as encryption of data, remote access (VPN), application and data security, and surveillance and
monitoring. These types of personnel perform the technical security work; for example, selecting a
firewall, customizing it to the business process and needs, and monitoring it. They may also assist in
developing, testing, or monitoring systems, as well as probing them for weaknesses. Security
personnel are in a good position to relay any system weaknesses, although they are also in a good
position to attempt to defraud systems.

6. Administrators

The term administrator is used quite loosely but generally means someone who oversees, or literally
administers, some kind of system or data such as a network, operating system, application, or
database. For example, database administrators oversee a database or association of databases to
ensure the data has integrity. Database administrators help maintain database structures, jobs
(small programs that usually run automatically to edit or communicate data), data types, settings,
relationships, access to, content in, and other aspects of databases.

Any kind of administrator has what is often called "power-user access." That generally means
administrators can manipulate the system within their domain however they please. For example,
an Application Access Administrator could potentially (depending on controls in place) create a
fictitious account with high-level privileges, enter fraudulent transactions, and subsequently delete
the fictitious account and possibly the audit trail of activities conducted. Administrator access must
be balanced with monitoring through technology and through output of the system; controls here
would include monitoring of automatic alerts and log changes made by administrator users and
detailed review of reports on the data under administration.
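The monitoring control described above, as an added example that is not part of the original text: a small parser for administrator activity logs and a detection that flags the exact sequence the text warns about (a high-privilege account created by an administrator, used to post transactions, then deleted shortly afterwards), plus a separate alert on any purge of the audit trail. The log format, the action names and the log lines themselves are constructed for the example and do not correspond to any real product.

```python
import re
from datetime import datetime, timedelta

# Constructed sample administrator/application log (not from any real system).
SAMPLE_LOG = """\
2024-05-02T08:01:10 admin=jsmith action=CREATE_USER target=tmp_vendor01 privilege=HIGH
2024-05-02T08:05:44 user=tmp_vendor01 action=POST_TRANSACTION ref=INV-7781 amount=48200.00
2024-05-02T08:06:02 user=tmp_vendor01 action=POST_TRANSACTION ref=INV-7782 amount=51900.00
2024-05-02T08:09:30 admin=jsmith action=DELETE_USER target=tmp_vendor01
2024-05-02T08:10:01 admin=jsmith action=PURGE_AUDIT_LOG scope=tmp_vendor01
2024-05-02T09:15:00 admin=mlee action=CREATE_USER target=newhire_k privilege=STANDARD
2024-05-03T10:00:00 user=newhire_k action=POST_TRANSACTION ref=INV-7790 amount=310.00
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_log(text):
    """Turn 'timestamp key=value key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        fields = dict(pair.split("=", 1) for pair in match.group("kv").split())
        fields["ts"] = datetime.fromisoformat(match.group("ts"))
        events.append(fields)
    return events


def detect_short_lived_privileged_accounts(events, window=timedelta(hours=24)):
    """Flag HIGH-privilege accounts that posted transactions and were deleted within `window`.

    Each finding records who created and who deleted the account, the
    transaction references posted under it, and how long it existed.
    """
    tracked = {}
    findings = []
    for event in events:
        action = event["action"]
        if action == "CREATE_USER" and event.get("privilege") == "HIGH":
            tracked[event["target"]] = {"created_by": event["admin"], "created_at": event["ts"], "txns": []}
        elif action == "POST_TRANSACTION" and event.get("user") in tracked:
            tracked[event["user"]]["txns"].append(event["ref"])
        elif action == "DELETE_USER" and event.get("target") in tracked:
            info = tracked.pop(event["target"])
            lifetime = event["ts"] - info["created_at"]
            if lifetime <= window and info["txns"]:
                findings.append({
                    "account": event["target"],
                    "created_by": info["created_by"],
                    "deleted_by": event["admin"],
                    "transactions": info["txns"],
                    "lifetime_minutes": int(lifetime.total_seconds() // 60),
                })
    return findings


def detect_audit_log_tampering(events):
    """Any purge of the audit trail is reportable on its own, whoever did it."""
    return [
        {"ts": e["ts"], "admin": e["admin"], "scope": e.get("scope")}
        for e in events if e["action"] == "PURGE_AUDIT_LOG"
    ]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for finding in detect_short_lived_privileged_accounts(events):
        print("short-lived privileged account:", finding)
    for purge in detect_audit_log_tampering(events):
        print("audit log purge:", purge)
```

Because the audit-trail purge event is produced by the logging infrastructure rather than by the application whose trail was purged, routing these alerts to someone outside the administrator's own reporting line is what makes the control effective.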

7. Change Control

The change control department provides quality assurance over the process of changing programs,
databases, settings, and infrastructure components. Change control is critical because program
changes affect how applications or jobs (tasks) manipulate data, and changes directly to data values
are difficult to automatically record and subsequently monitor. Change control should, at a
minimum, ensure that:

- Change requests are approved and valid.
- Testing is performed and documented.
- Changes are moved into production (the version currently in use) by the appropriate person.
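The three minimum requirements above expressed as a gate over change tickets, added here as an example that is not part of the original text. Each ticket is checked for a valid approval (present, and not given by the requester or developer themselves), for test evidence, and for the production move having been made by someone on an authorized deployer list. The ticket fields, the tickets and the deployer list are constructed assumptions, not the fields of any real ticketing system.

```python
# Constructed change tickets (not from any real ticketing system).
CHANGE_TICKETS = [
    {"id": "CHG-101", "requested_by": "pat", "approved_by": "mgr_ravi", "developer": "pat",
     "test_evidence": "test-report-101.pdf", "deployed_by": "release_team", "target": "production"},
    {"id": "CHG-102", "requested_by": "pat", "approved_by": None, "developer": "pat",
     "test_evidence": "test-report-102.pdf", "deployed_by": "release_team", "target": "production"},
    {"id": "CHG-103", "requested_by": "quinn", "approved_by": "mgr_ravi", "developer": "quinn",
     "test_evidence": None, "deployed_by": "quinn", "target": "production"},
    {"id": "CHG-104", "requested_by": "quinn", "approved_by": "quinn", "developer": "quinn",
     "test_evidence": "test-report-104.pdf", "deployed_by": "release_team", "target": "production"},
]

# Hypothetical list of identities allowed to move changes into production.
AUTHORIZED_DEPLOYERS = {"release_team"}


def check_change_ticket(ticket, authorized_deployers):
    """Return the list of minimum change-control requirements the ticket fails."""
    gaps = []
    approver = ticket.get("approved_by")
    if not approver:
        gaps.append("no_approval")
    elif approver in (ticket["requested_by"], ticket["developer"]):
        gaps.append("self_approved")          # approval exists but is not independent
    if not ticket.get("test_evidence"):
        gaps.append("no_test_evidence")       # testing not performed or not documented
    if ticket.get("target") == "production" and ticket.get("deployed_by") not in authorized_deployers:
        gaps.append("unauthorized_deployer")  # moved to production by the wrong person
    return gaps


def audit_changes(tickets, authorized_deployers):
    """Map ticket id to its gaps, listing only tickets that fail at least one requirement."""
    report = {}
    for ticket in tickets:
        gaps = check_change_ticket(ticket, authorized_deployers)
        if gaps:
            report[ticket["id"]] = gaps
    return report


if __name__ == "__main__":
    for ticket_id, gaps in audit_changes(CHANGE_TICKETS, AUTHORIZED_DEPLOYERS).items():
        print(ticket_id, ", ".join(gaps))
```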

8. End Users and Business Owners


The end user inputs all of the data to be processed by the computer. Data in an accounting context
are usually classified as being processed in batch or in real time. With batches, data accumulate and
assimilate into groups over a period of time as transactions take place; later, at some specified
time or when users send a command, the batch is sent to be processed. Real-time processing, simply
put, processes data in real time, as it is entered into the program. End users, especially those with a
lot of experience in a given area, know software rather well and can be a good source of
understanding how it does and does not operate and the intended business purpose, when relevant.
The term business owner refers to the employee responsible for the system. The designation is
usually made departmentally. For example, the vice president of finance at a bank would be
responsible for a capital management and forecasting system. Business owners are helpful in
understanding the specific functions of a business process. Generally, business owners are at a high
enough level of management to override controls, and the culture they create is an important factor
in antifraud program activities. Additionally, business owners often play critical roles in controls such
as approving or reviewing access, administering application access, approving and testing program
changes, and involvement in broader IT projects.

9. Project Management

Managing IT projects is one of the most difficult jobs in systems. Project management is the body of
knowledge that leads to successful implementation of a new or highly revised component of the
organization’s IT system to fulfill some specified business need. Projects are susceptible to failures
on functionality, deadlines, and costs; in fact, most projects fail on at least one of these measures.
This project risk is one reason why project management is important to an organization and may
become important in a fraud audit.

Project management best practices result in a substantial degree of documentation throughout the
project: approvals by business owners and other appropriate persons at project milestones, testing
results with a comparison of expected to actual results, and user acceptance of the final product. In
order to ensure success, the project management processes should be followed diligently. Personnel
such as systems analysts and designers, developers, and quality assurance specialists all play key
roles in those processes.

The systems analyst works with the various user departments to determine how their needs can
best be met, what data must be entered, what processing must be carried out on the input data,
what output must be produced, and with what frequency. Systems designers convert those needs
into system specifications. From the specifications, the programmer writes, debugs, and documents
the new system components. Developers are expected to document new programs in detail and to
update the documentation when programs are changed. Quality assurance staff members examine
and evaluate all of the project steps to date and thoroughly test the system to ensure it is working
as intended.

10. Other Personnel


Computer operators mainly exist in mainframe environments, where they direct the execution of
various mechanical tasks by means of a console terminal. When operators are in place, they usually
deal with a significantly important application, operating system, and/or server. Operators schedule
tasks for the system to complete and are responsible for the proper use of input and output devices.
Operators monitor for any problems and perform backup activities. They should be required to
document key, if not all, activities, if automated logging is not in place.

The librarian stores and retrieves programs and data, usually at a location away from the computer
site. Programs and data normally are stored on magnetic tape or disk and serve as a backup if the
original software or transaction files are destroyed. The librarian also maintains, under normal
circumstances, a log of tapes being checked out from and back into the library.
