“A Conceptual Model for Segregation of Duties: Integrating Theory and Practice” Kevin Kobelsky, University of Michigan – Dearborn


UWCISA 8th Symposium Oct. 4, 2013 Kevin Kobelsky

Motivation

The Problem:
- Stealing (intentional)
- Loss (unintentional)


Motivation

The Solution: "Independent Review" (underlying principle)

achieved through

Segregation of Duties (SoD)


Segregation of Duties

An employee should not be in a position to both 1) perpetrate AND 2) conceal Fraud/Irregularities or Unintentional Errors.

Control Approach:
• All asset handling is reviewed by an independent person; inappropriate action is acted on
• Division of a process into subtasks is not enough if there is no independent review and follow-up action

Objective: Reduce risk that assets will be stolen/lost/wasted

Solution: At least three people required

Segregation of Duties Model

SoD in Literature - Agency

Tirole (1986) examines costs of lack of segregation of Agent from Supervisor

SoD in Literature - Agency

Secondary Review has benefits:
- Beck (1986), Barra (2010) – peer agents
- Kofman and Lawarée (1993) – peer supervisor

SoD in Literature – Practitioner

Standards, Textbooks: AICPA, 2006; Arens et al., 2013; COSO, 1994; Elsas, 1996; Elsas et al., 1998; Fishman, 2000; Louwers et al., 2013; Messier et al., 2012; PCAOB, 2007; Stone, 2009; Weigand and Elsas, 2012; Whittington and Pany, 2013.

SoD: Agency vs Practitioner

Agency

Practitioner

1. Practitioner – Authorization includes the ability to initiate a transaction without review by the Custodian; independent primary review of such transactions is not included in the model.

vs.

SoD: Agency vs Practitioner

Agency

Practitioner ??

2. Practitioner – no Secondary Review of any transaction is included in the model. Secondary Review provides assurance regarding the quality of the Primary Review process, i.e., repeatability.

vs.

SoD: Agency vs Practitioner

Agency ??

Practitioner

3. Agency – no mention of Recordkeeping, which separates data gathering from evaluation to enhance efficiency.

vs.

SoD: Agency vs Practitioner

Agency

Practitioner

4. Practitioner – includes physical assets in Custody, and records-based assets and liabilities such as A/R and A/P in Recording, and segregates them. This merely reduces embezzlement of physical assets by substitution of records-based assets/expenses.

Needed? vs.

SoD: Practitioner vs Reality

Practitioner

5. Practitioner – In practice, Recording is often NOT segregated from Custody for efficiency reasons, e.g., Receiver prepares Receiving Report, Cashier prepares invoices/receipts, etc. How can this be? What is missing?

SoD: Ambiguity

3 domains diverge:
1) Agency-based model
2) Practitioner model
3) Business practice

Opportunity: Integrate these models to rigorously evaluate internal control for theory, evaluation, training.

Primary SoD

Primary SoD reflects:
1. Agency – Initiation of transaction in Custody
3. Practitioner – Recording for efficiency
4. Agency – All asset types included in Custody
5. Practice – Recording and Custody not segregated
6. Reconciliation added to ensure Record reliable

But lacks Secondary Review to ensure repeatability

Secondary SoD

Secondary SoD reflects:
2. Agency – Secondary Review for repeatability, based on:
3. Practitioner – Recording for efficiency
6. Reconciliation to ensure Record reliable

Requires Authorization of Reconciliation to verify assets while Reconciliation is being performed (Blokdijk, 2004)
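As an added example (not from the slides or from Kobelsky's work), the Primary and Secondary SoD structure above can be written down as a table of duty pairs that one person must not hold, and then run over an access-entitlement export to find people who could both perpetrate and conceal. The conflict table, the minimum of three people, and the process, person and duty names are my own reading of the slides and constructed data, not anything the talk specifies; the script generalizes the single-process model by checking every process in the export.

```python
"""Segregation-of-duties conflict checker (added example, not from the slides).

Encodes the Primary/Secondary SoD structure from the talk as independence
rules over duty assignments and scans an entitlement export for people who
hold conflicting duties. The rule table and sample data are assumptions.
"""
from itertools import combinations

# Duties named on the slides.
CUSTODY = "custody"
RECORDING = "recording"
RECONCILIATION = "reconciliation"              # independent primary review of the record
RECON_AUTHORIZATION = "reconciliation_authorization"
SECONDARY_REVIEW = "secondary_review"          # review of the review, for repeatability

ALL_DUTIES = (CUSTODY, RECORDING, RECONCILIATION, RECON_AUTHORIZATION, SECONDARY_REVIEW)

# Duty pairs one person must not hold (assumption: my reading of the slides).
# Custody + Recording is deliberately absent: the talk accepts that combination
# for efficiency and relies on Reconciliation to keep the record reliable.
CONFLICTS = {
    frozenset({CUSTODY, RECONCILIATION}),
    frozenset({RECORDING, RECONCILIATION}),
    frozenset({RECONCILIATION, RECON_AUTHORIZATION}),   # Blokdijk (2004), as cited on the slide
    frozenset({CUSTODY, SECONDARY_REVIEW}),
    frozenset({RECORDING, SECONDARY_REVIEW}),
    frozenset({RECONCILIATION, SECONDARY_REVIEW}),
}
MIN_PEOPLE = 3  # "At least three people required"


def person_conflicts(duties):
    """Return the conflicting duty pairs (as sorted tuples) held by one person."""
    found = []
    for a, b in combinations(sorted(set(duties)), 2):
        if frozenset({a, b}) in CONFLICTS:
            found.append((a, b))
    return found


def check_process(entitlements):
    """Check one process; entitlements maps person -> set of duties.

    Returns a list of finding strings; an empty list means the assignment
    satisfies the rule table.
    """
    findings = []
    for person, duties in sorted(entitlements.items()):
        for a, b in person_conflicts(duties):
            findings.append(f"{person}: holds both {a} and {b}")
    assigned = set().union(*entitlements.values())
    for duty in ALL_DUTIES:
        if duty not in assigned:
            findings.append(f"no one assigned: {duty}")
    if len(entitlements) < MIN_PEOPLE:
        findings.append(f"only {len(entitlements)} people; at least {MIN_PEOPLE} required")
    return findings


def parse_entitlements(lines):
    """Parse 'process,person,duty' CSV lines into {process: {person: set(duties)}}."""
    processes = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        process, person, duty = (field.strip() for field in line.split(","))
        if duty not in ALL_DUTIES:
            raise ValueError(f"unknown duty {duty!r} on line {line!r}")
        processes.setdefault(process, {}).setdefault(person, set()).add(duty)
    return processes


# Constructed sample export (not real data): one compliant process and one
# where a single clerk handles, records and reconciles petty cash.
SAMPLE_EXPORT = """\
# process,person,duty
cash_receipts,cashier,custody
cash_receipts,cashier,recording
cash_receipts,controller,reconciliation
cash_receipts,cfo,reconciliation_authorization
cash_receipts,internal_audit,secondary_review
petty_cash,clerk,custody
petty_cash,clerk,recording
petty_cash,clerk,reconciliation
petty_cash,manager,reconciliation_authorization
petty_cash,manager,secondary_review
""".splitlines()


def audit(lines=SAMPLE_EXPORT):
    """Run the check over every process in the export; returns {process: findings}."""
    return {name: check_process(ents) for name, ents in parse_entitlements(lines).items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The cashier who both holds cash and records it passes, matching the talk's observation that Recording is often not segregated from Custody; the petty-cash clerk who also performs the Reconciliation is flagged twice, and the process is flagged again for having only two people. Swapping a different rule table into `CONFLICTS` is how you would express the stricter practitioner model instead.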

IT Aspects

Primary SoD has traditional requirements:
- Data input controls
- Access control with authentication
- Program change control
- Independent review of master file changes (note: not segregated from initiation)

Secondary SoD requires:
- Secondary review of the above to ensure all are operating effectively

Yet rarely addressed! An inconsistency with manual processes?

Implications

Integration of Agency Theory model, Practitioner model and Practice identifies limitations in the two models.

Not all segregations are equal – Primary vs Secondary

Secondary segregations common for organizational control processes, but not for IT-based processes that they rely upon.