“A Conceptual Model for Segregation of Duties: Integrating Theory and Practice”
Kevin Kobelsky, University of Michigan – Dearborn
UWCISA 8th Symposium Oct. 4, 2013 Kevin Kobelsky
Motivation
The Problem:
- Stealing (intentional)
- Loss (unintentional)
Motivation
The Solution: "Independent Review" (underlying principle), achieved through Segregation of Duties (SoD)
Segregation of Duties
An employee should not be in a position to both 1) perpetrate AND 2) conceal fraud/irregularities or unintentional errors.
Control Approach:
• All asset handling is reviewed by an independent person, and inappropriate action is acted on
• Division of a process into subtasks is not enough if there is no independent review and follow-up action
Objective: Reduce the risk that assets will be stolen, lost or wasted
Solution: At least three people required
Segregation of Duties Model
SoD in Literature - Agency
Tirole (1986) examines costs of lack of segregation of Agent from Supervisor
SoD in Literature - Agency
Secondary Review has benefits: Beck (1986), Barra (2010) – peer agents; Kofman and Lawarée (1993) – peer supervisor
SoD in Literature – Practitioner
Standards, Textbooks: AICPA, 2006; Arens et al., 2013; COSO, 1994; Elsas, 1996; Elsas et al., 1998; Fishman, 2000; Louwers et al., 2013; Messier et al., 2012; PCAOB, 2007; Stone, 2009; Weigand and Elsas, 2012; Whittington and Pany, 2013.
SoD: Agency vs Practitioner
(Figure: Agency model vs. Practitioner model)
1. Practitioner – Authorization includes the ability to initiate a transaction without review by the Custodian; independent primary review of such transactions is not included in the model.
SoD: Agency vs Practitioner
(Figure: Agency model vs. Practitioner model; the Practitioner side is marked "??")
2. Practitioner – No Secondary Review of any transaction is included in the model. Secondary Review provides assurance regarding the quality of the Primary Review process, i.e., repeatability.
SoD: Agency vs Practitioner
(Figure: Agency model vs. Practitioner model; the Agency side is marked "??")
3. Agency – No mention of Recordkeeping, which separates data gathering from evaluation to enhance efficiency.
SoD: Agency vs Practitioner
(Figure: Agency model vs. Practitioner model, annotated "?Needed?")
4. Practitioner – Places physical assets in Custody, and records-based assets and liabilities such as A/R and A/P in Recording, segregating the two. This merely reduces embezzlement of physical assets by substitution of records-based assets/expenses.
SoD: Practitioner vs Reality
(Figure: Practitioner model)
5. Practitioner – In practice, Recording is often NOT segregated from Custody for efficiency reasons, e.g., the Receiver prepares the Receiving Report, the Cashier prepares invoices/receipts, etc. How can this be? What is missing?
SoD: Ambiguity
Three domains diverge:
1) Agency-based model
2) Practitioner model
3) Business practice
Opportunity: Integrate these models to rigorously evaluate internal control for theory, evaluation, and training.
Primary SoD
Primary SoD reflects:
1. Agency – Initiation of transactions in Custody
3. Practitioner – Recording for efficiency
4. Agency – All asset types included in Custody
5. Practice – Recording and Custody not segregated
6. Reconciliation added to ensure the Record is reliable
But it lacks Secondary Review to ensure repeatability.
Secondary SoD
Secondary SoD reflects:
2. Agency – Secondary Review for repeatability, based on:
3. Practitioner – Recording for efficiency
6. Reconciliation to ensure the Record is reliable
Requires Authorization of Reconciliation to verify assets while Reconciliation is being performed (Blokdijk, 2004).
IT Aspects
Primary SoD has traditional requirements:
- Data input controls
- Access control with authentication
- Program change control
- Independent review of master file changes (note: not segregated from initiation)
Secondary SoD requires:
- Secondary review of the above to ensure all are operating effectively
Yet this is rarely addressed! An inconsistency with manual processes?
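The deck's "perpetrate AND conceal" principle, its "at least three people" solution and the Primary/Secondary SoD layering can be applied mechanically to a role assignment, which is how an access-control review would check them in practice. The following is an added example, not code from the presentation or its author; the duty labels, the conflict matrix (which deliberately allows Custody and Recording to sit with one person, as the deck says practice often does, and then requires Reconciliation and Secondary Review to be independent) and the two sample assignments are this example's own assumptions.

```python
"""Illustrative SoD conflict checker (added example; not from the slides).

Checks a role assignment, e.g. exported from an access-control system, against
three rules drawn from the deck: no one person holds a duty pair that lets them
both perpetrate and conceal, the independent review duties are actually assigned,
and at least three people are involved. Duty names and conflict pairs are assumed.
"""
from itertools import combinations

# Assumed duty labels, using the deck's vocabulary
AUTHORIZATION = "authorization"        # initiate / approve a transaction
CUSTODY = "custody"                    # handle the asset (physical or records-based)
RECORDING = "recording"                # maintain the record of the asset
RECONCILIATION = "reconciliation"      # primary review: compare record to asset
SECONDARY_REVIEW = "secondary_review"  # review the reconciliation itself

# Assumed conflict pairs. Custody + Recording is NOT listed: the deck notes
# practice combines them, so the independent Reconciliation carries the control.
CONFLICTS = frozenset({
    frozenset({AUTHORIZATION, RECONCILIATION}),    # approve, then clear it in review
    frozenset({CUSTODY, RECONCILIATION}),          # handle the asset, then sign off the count
    frozenset({RECORDING, RECONCILIATION}),        # alter the record, then reconcile it
    frozenset({RECONCILIATION, SECONDARY_REVIEW}), # review your own review
})

# Duties whose absence means "subtasks exist but no independent review"
REQUIRED_REVIEWS = (RECONCILIATION, SECONDARY_REVIEW)

MIN_PEOPLE = 3  # the deck's "at least three people required"


def find_conflicts(assignments):
    """Return sorted (person, duty_a, duty_b) triples for each conflicting pair one person holds."""
    found = []
    for person, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in CONFLICTS:
                found.append((person, a, b))
    return sorted(found)


def missing_reviews(assignments):
    """Return the required review duties that nobody currently holds."""
    held = set().union(*assignments.values()) if assignments else set()
    return [d for d in REQUIRED_REVIEWS if d not in held]


def evaluate(assignments):
    """Run all three checks; 'ok' is True only when every check passes."""
    conflicts = find_conflicts(assignments)
    missing = missing_reviews(assignments)
    headcount = sum(1 for duties in assignments.values() if duties)
    ok = not conflicts and not missing and headcount >= MIN_PEOPLE
    return {"conflicts": conflicts, "missing_reviews": missing,
            "headcount": headcount, "ok": ok}


# Constructed sample assignments for a small cash-receipts process (not from the deck)
SAMPLE_OK = {
    "alice": {CUSTODY, RECORDING},   # cashier also prepares receipts, as in practice
    "bob":   {RECONCILIATION},       # independent primary review
    "carol": {SECONDARY_REVIEW},     # reviews bob's reconciliation (repeatability)
    "dave":  {AUTHORIZATION},
}
SAMPLE_BAD = {
    "alice": {CUSTODY, RECORDING, RECONCILIATION},  # can both perpetrate and conceal
    "bob":   {AUTHORIZATION},                       # no secondary review, only two people
}

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, evaluate(sample))
```

Running the module reports SAMPLE_OK as passing and flags SAMPLE_BAD on all three rules: two conflicting pairs for alice, no Secondary Review assigned, and a headcount of two. The point of keeping the conflict matrix as data rather than hard-coded branches is that the Primary-only variant (drop the Secondary Review rows) and the stricter textbook variant (add Custody + Recording) are one-line changes, which is exactly the ambiguity between the three domains the deck identifies.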