4.4.2 Segregation-of-duties Controls

Transaction Authorization
Transaction authorization is the responsibility of the user department. Authorization is delegated in line with the particular level of responsibility of the authorized individual in the department. Checks for the unauthorized entry of transactions must be performed by management and audit.

Custody of Assets
Custody of corporate assets must be determined and assigned appropriately. The data owner usually is assigned to a particular user department, and that individual's duties should be specific and in writing. The owner of the data has responsibility for determining the authorization levels required to provide adequate security, while the administration group is often responsible for implementing and enforcing the security system.

Access to Data
Controls over access to data are provided by a combination of physical, system and application security in the user area and the IPF. The physical environment must be secured to prevent unauthorized personnel from accessing the various tangible devices connected to the central processing unit, thereby permitting access to data. System and application security are additional layers that may prevent unauthorized individuals from gaining access to corporate data.

Authorization Forms
System owners must provide IT with formal authorization forms (hard copy or electronic) that define the access rights of each individual. All users should be authorized with specific system access via a formal request from management. In large companies or in those with remote sites, signature authorization logs should be maintained, and formal requests should be compared to the signature log. These authorizations should be reviewed periodically to ensure they are current and appropriate to the user's job functions.

User Authorization Tables
The IT department should use the data from authorization forms to build and maintain user authorization tables. These define who is authorized to update, modify, delete and/or view data; privileges are provided at the system, transaction or field level. In effect, these are user access control lists. Authorization tables must be secured against unauthorized access by additional password protection or data encryption. A control log should record all user activity, and appropriate management should review this log. All exception items should be investigated.
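The authorization-form-to-authorization-table flow described above, written out as an added example (this is not code from the original notes or from any product): approved forms are loaded into a field-level access control list only when the approver appears in the maintained signature log, every access attempt is written to a control log, and the denied attempts are surfaced as the exception items management should investigate. All user names, systems, transactions and forms are constructed for illustration.

```python
"""Added example, not code from the original notes: a user authorization table
built from approved authorization forms, used as a field-level access control
list, plus a control log of every access attempt and an exception list for
management review. All names, systems and sample forms are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Privilege vocabulary from the notes: view, update/modify, delete.
PRIVILEGES = {"view", "update", "delete"}


@dataclass(frozen=True)
class AuthorizationForm:
    """One formal request approved by management (hard copy or electronic)."""
    user: str
    approved_by: str              # signature on the form
    system: str
    transaction: str
    fields: Tuple[str, ...]       # field-level scope; ("*",) means every field
    privileges: Tuple[str, ...]


@dataclass
class AuthorizationTable:
    # (user, system, transaction, field) -> granted privileges
    entries: Dict[Tuple[str, str, str, str], Set[str]] = field(default_factory=dict)
    control_log: List[dict] = field(default_factory=list)

    def load_form(self, form: AuthorizationForm, signature_log: Set[str]) -> None:
        """Add a form's rights; a form whose approver is not in the maintained
        signature authorization log is refused rather than loaded."""
        if form.approved_by not in signature_log:
            raise ValueError(f"approver {form.approved_by!r} is not in the signature log")
        unknown = set(form.privileges) - PRIVILEGES
        if unknown:
            raise ValueError(f"unknown privileges: {sorted(unknown)}")
        for fld in form.fields:
            key = (form.user, form.system, form.transaction, fld)
            self.entries.setdefault(key, set()).update(form.privileges)

    def is_authorized(self, user: str, system: str, transaction: str,
                      field_name: str, privilege: str) -> bool:
        """Field-specific grants and wildcard ("*") grants both count."""
        for fld in (field_name, "*"):
            if privilege in self.entries.get((user, system, transaction, fld), ()):
                return True
        return False

    def access(self, user: str, system: str, transaction: str, field_name: str,
               privilege: str, when: Optional[datetime] = None) -> bool:
        """Decide an access request and record it in the control log, allowed or not."""
        allowed = self.is_authorized(user, system, transaction, field_name, privilege)
        stamp = when or datetime.now(timezone.utc)
        self.control_log.append({
            "time": stamp.isoformat(), "user": user, "system": system,
            "transaction": transaction, "field": field_name,
            "privilege": privilege, "allowed": allowed,
        })
        return allowed

    def exceptions(self) -> List[dict]:
        """Denied attempts: the exception items management should investigate."""
        return [e for e in self.control_log if not e["allowed"]]


def build_sample_table() -> AuthorizationTable:
    """Constructed data: a signature log, two approved forms and one form
    whose approver is not on the signature log."""
    signature_log = {"m.ortiz", "r.chen"}          # managers authorised to approve
    table = AuthorizationTable()
    table.load_form(AuthorizationForm("a.clerk", "m.ortiz", "AP", "invoice_entry",
                                      ("vendor", "amount"), ("view", "update")), signature_log)
    table.load_form(AuthorizationForm("b.auditor", "r.chen", "AP", "invoice_entry",
                                      ("*",), ("view",)), signature_log)
    try:
        table.load_form(AuthorizationForm("a.clerk", "unknown", "AP", "invoice_entry",
                                          ("*",), ("delete",)), signature_log)
    except ValueError:
        pass  # refused: the approver is not in the signature log
    return table


def run_sample_activity(table: AuthorizationTable) -> List[dict]:
    """Replay a few constructed access attempts and return the exception items."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    table.access("a.clerk", "AP", "invoice_entry", "amount", "update", t0)          # allowed
    table.access("a.clerk", "AP", "invoice_entry", "approval_code", "update", t0)   # denied: field not granted
    table.access("a.clerk", "AP", "invoice_entry", "amount", "delete", t0)          # denied: never approved
    table.access("b.auditor", "AP", "invoice_entry", "approval_code", "view", t0)   # allowed via "*"
    return table.exceptions()


if __name__ == "__main__":
    for item in run_sample_activity(build_sample_table()):
        print("EXCEPTION", item)
```

The table records every attempt, not only the denials, because the notes ask for a log of all user activity; the exception list is just a filtered view of that log, so the reviewer and the auditor work from the same record.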
Compensating Controls for Lack of Segregation of Duties
Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness when duties cannot be appropriately segregated. The IS auditor should carefully evaluate the reports, applications and related processes for appropriate controls, including testing and access controls to make changes to the reports or functions. Compensating controls include the following:

• Audit trails: audit trails help the IT and user departments as well as the IS auditor by providing a map to retrace the flow of a transaction. They enable the user and IS auditor to recreate the actual transaction flow from the point of origination to its existence on an updated file. In the absence of adequate SoD, good audit trails may be an acceptable compensating control. The IS auditor should be able to determine who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated.
• Reconciliation: ultimately the responsibility of the ...; limited reconciliation of applications may be performed by the data control group with the use of control totals and balance sheets. This type of independent verification increases the level of confidence that the application processed successfully and the data are in proper balance.
• Exception reporting: handled at the supervisory level, and should require evidence, such as initials on a report, noting that the exception has been handled properly. Management should also ensure that exceptions are resolved in a timely manner.
• Transaction logs: may be manual or automated. An example of a manual log is a record of transactions (grouped or batched) before they are submitted for processing. An automated transaction log is a record of all transactions processed and is maintained by the computer system.
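The audit trail, reconciliation and transaction log items above share one data structure, so this added example (not code from the original notes) covers them together: each audit record carries who initiated the entry, the date and time, the entry type, the fields it contained and the file it updated, so a transaction can be retraced from origination to the updated file; the manual batch sheet's control totals are then reconciled against what the automated transaction log says was posted. The record layout, batch identifiers, users and amounts are all constructed.

```python
"""Added example, not from the original notes: an audit trail that records who
initiated each entry, when, the entry type, the fields carried and the file
updated, so a transaction can be retraced from origination to the updated
file; plus a control-total reconciliation of a manual batch log against the
automated transaction log. All records and amounts are constructed."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class AuditRecord:
    txn_id: str
    user: str               # who initiated the entry
    timestamp: str          # date and time of entry, ISO 8601
    entry_type: str         # ORIGINATE, APPROVE or POST
    fields: Dict[str, str]  # field values the entry contained
    file_updated: str       # file the entry updated, "" if none


# Constructed automated transaction log (the system-maintained record of
# everything processed). Batches B-001 and B-002 were keyed from manual batch
# sheets; T-104 was posted although it is not on any batch sheet.
TRANSACTION_LOG: List[AuditRecord] = [
    AuditRecord("T-101", "a.clerk", "2024-03-01T09:01:00Z", "ORIGINATE",
                {"batch": "B-001", "vendor": "V-7", "amount": "500.00"}, ""),
    AuditRecord("T-101", "m.ortiz", "2024-03-01T09:30:00Z", "APPROVE",
                {"batch": "B-001", "amount": "500.00"}, ""),
    AuditRecord("T-101", "system", "2024-03-01T18:00:00Z", "POST",
                {"batch": "B-001", "amount": "500.00"}, "AP_LEDGER"),
    AuditRecord("T-102", "a.clerk", "2024-03-01T09:05:00Z", "ORIGINATE",
                {"batch": "B-001", "vendor": "V-2", "amount": "250.00"}, ""),
    AuditRecord("T-102", "system", "2024-03-01T18:00:00Z", "POST",
                {"batch": "B-001", "amount": "250.00"}, "AP_LEDGER"),
    AuditRecord("T-103", "a.clerk", "2024-03-02T10:00:00Z", "ORIGINATE",
                {"batch": "B-002", "vendor": "V-9", "amount": "100.00"}, ""),
    AuditRecord("T-103", "system", "2024-03-02T18:00:00Z", "POST",
                {"batch": "B-002", "amount": "100.00"}, "AP_LEDGER"),
    AuditRecord("T-104", "a.clerk", "2024-03-02T10:20:00Z", "ORIGINATE",
                {"batch": "B-002", "vendor": "V-9", "amount": "150.00"}, ""),
    AuditRecord("T-104", "system", "2024-03-02T18:00:00Z", "POST",
                {"batch": "B-002", "amount": "150.00"}, "AP_LEDGER"),
]


def trace_transaction(log: List[AuditRecord], txn_id: str) -> List[AuditRecord]:
    """Retrace one transaction in time order, from origination to the posted file."""
    return sorted((r for r in log if r.txn_id == txn_id), key=lambda r: r.timestamp)


def files_updated(log: List[AuditRecord], txn_id: str) -> List[str]:
    """Which files the transaction ended up updating."""
    return [r.file_updated for r in trace_transaction(log, txn_id) if r.file_updated]


@dataclass(frozen=True)
class BatchControl:
    """Manual log kept before submission: record count and amount total."""
    batch_id: str
    record_count: int
    amount_total: Decimal


def reconcile(batch: BatchControl, log: List[AuditRecord]) -> Dict[str, object]:
    """Compare the batch sheet's control totals with what was actually posted."""
    posted = [r for r in log
              if r.entry_type == "POST" and r.fields.get("batch") == batch.batch_id]
    posted_total = sum((Decimal(r.fields["amount"]) for r in posted), Decimal("0"))
    return {
        "batch": batch.batch_id,
        "count_ok": len(posted) == batch.record_count,
        "total_ok": posted_total == batch.amount_total,
        "posted_count": len(posted),
        "difference": posted_total - batch.amount_total,   # non-zero means investigate
        "posted_txns": sorted(r.txn_id for r in posted),
    }


# Constructed batch sheets: B-001 balances; B-002 listed a single 100.00 item.
BATCH_SHEETS = [
    BatchControl("B-001", 2, Decimal("750.00")),
    BatchControl("B-002", 1, Decimal("100.00")),
]

if __name__ == "__main__":
    for rec in trace_transaction(TRANSACTION_LOG, "T-101"):
        print(rec.timestamp, rec.user, rec.entry_type, rec.file_updated or "-")
    for sheet in BATCH_SHEETS:
        print(reconcile(sheet, TRANSACTION_LOG))
```

Batch B-002 is the case the reconciliation exists for: the clerk's batch sheet lists one item, the system posted two, and the 150.00 difference points straight at T-104, which the audit trail then attributes to a user, a time and a ledger file.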
• Supervisory reviews: may be performed through observation and inquiry.
• Independent reviews: carried out to compensate for mistakes and internal failures in following prescribed procedures (given in next chart). These reviews are particularly important when duties in a small organization cannot be appropriately segregated. Such reviews will help to detect errors and irregularities.

Segregation of Duties within IT
The IS auditor should obtain enough information to understand and document the relationships among the various job functions, responsibilities and authorities, and assess the adequacy of the SoD. An automated tool may be required to evaluate the actual access a user has against a SoD matrix. With adequate SoD, errors or misappropriations could be detected in a timely manner, and fraudulent and/or malicious acts can be discouraged and prevented.

If adequate SoD does not exist, the following could occur:
• Misappropriation of assets (i.e., errors or irregularities)
• Undetected unauthorized or erroneous changes or modification of data and programs
• Undetected improper use of funds or modification of data

Duties that should be segregated:
• Custody of the assets
• Recording transactions

When duties are segregated, access to the computer, production data library, and OS and associated utilities can be limited, and potential damage from the actions of any one person is, therefore, reduced.
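The automated evaluation of actual access against a SoD matrix mentioned above, as an added example (not code from the original notes or from any tool): the matrix lists pairs of functions one person should not hold together, built from the duties the section names (authorization, custody of assets, recording of transactions) plus a constructed pair separating program change from production-library access; user access is taken as the roles actually held plus any direct grants outside the role model, which is where undocumented combinations tend to hide. Role names, user names and the matrix itself are constructed for illustration.

```python
"""Added example, not from the original notes: evaluating the access users
actually hold against a segregation-of-duties (SoD) matrix, the kind of check
the notes say may need an automated tool. The functions, roles, users and
the conflict matrix are all constructed for illustration."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed SoD matrix: pairs of functions one person should not hold
# together. The first three pairs are the authorize / custody / record split;
# the last keeps program change apart from the production data library.
SOD_MATRIX: Set[FrozenSet[str]] = {
    frozenset({"authorize_transaction", "record_transaction"}),
    frozenset({"authorize_transaction", "custody_of_assets"}),
    frozenset({"record_transaction", "custody_of_assets"}),
    frozenset({"change_programs", "access_production_library"}),
}

# Documented role definitions (constructed).
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "ap_clerk":   {"record_transaction"},
    "ap_manager": {"authorize_transaction"},
    "treasury":   {"custody_of_assets"},
    "developer":  {"change_programs"},
    "operator":   {"access_production_library"},
}

# Actual access as exported from the system (constructed): roles held plus
# direct grants made outside the role model.
ACTUAL_ACCESS: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"roles": {"ap_clerk", "ap_manager"}, "direct": set()},
    "bob":   {"roles": {"ap_clerk"}, "direct": set()},
    "carol": {"roles": {"treasury"}, "direct": {"record_transaction"}},
    "dave":  {"roles": {"developer"}, "direct": {"access_production_library"}},
    "erin":  {"roles": {"operator"}, "direct": set()},
}


def effective_functions(user: str, access: Dict = ACTUAL_ACCESS,
                        roles: Dict = ROLE_FUNCTIONS) -> Set[str]:
    """Union of the functions from every role held plus direct grants."""
    entry = access[user]
    funcs: Set[str] = set(entry["direct"])
    for role in entry["roles"]:
        funcs |= roles.get(role, set())
    return funcs


def sod_violations(access: Dict = ACTUAL_ACCESS, roles: Dict = ROLE_FUNCTIONS,
                   matrix: Set[FrozenSet[str]] = SOD_MATRIX
                   ) -> Dict[str, List[Tuple[str, str]]]:
    """Users whose effective access contains a pair the matrix forbids.
    Every pair of a user's functions is tested, so a conflict is found
    whether it comes from two roles, one role plus a direct grant, or
    two direct grants."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for user in sorted(access):
        funcs = effective_functions(user, access, roles)
        hits = [tuple(sorted(pair)) for pair in combinations(sorted(funcs), 2)
                if frozenset(pair) in matrix]
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        for a, b in pairs:
            print(f"{user}: holds both {a!r} and {b!r}")
```

Running it flags alice (two conflicting roles), carol (a role plus a direct grant) and dave (program change plus production access), while bob and erin pass; each flagged user is a case where the section's compensating controls apply until the conflicting access is removed.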