4.4.2 Segregation-of-duties Controls
Transaction Authorization
Transaction authorization is the responsibility of the user department. Authorization is delegated according to the particular level of responsibility of the authorized individual in the department (least privilege). Periodic checks must be performed by management and audit to detect the unauthorized entry of transactions.
Custody of Assets
Custody of corporate assets must be determined and assigned appropriately. The data owner usually is assigned to a particular user department, and that individual's duties should be specific and in writing. The owner of the data has responsibility for determining the authorization levels required to provide adequate security, while the administration group is often responsible for implementing and enforcing the security system.
Access to Data
Controls over access to data are provided by a combination of physical, system and application security in the user area and the IPF (information processing facility). The physical environment must be secured to prevent unauthorized personnel from accessing the various tangible devices connected to the central processing unit, thereby permitting access to data. System and application security are additional layers that may prevent unauthorized individuals from gaining access to corporate data.
Authorization Forms
System owners must provide IT with formal authorization forms (either hard copy or electronic) that define the access rights of each individual. All users should be authorized with specific system access via a formal request from management. In large companies or in those with remote sites, signature authorization logs should be maintained, and formal requests should be compared to the signature log. Access privileges should be reviewed periodically to ensure they are current and appropriate to the user's job functions.
User Authorization Tables
The IT department should use the data from the authorization forms to build and maintain user authorization tables. These define who is authorized to update, modify, delete and/or view data. Privileges are provided at the system, transaction or field level; in effect, these are user access control lists. Authorization tables must be secured against unauthorized access by additional password protection or data encryption. A control log should record all user activity, and appropriate management should review this log. All exception items should be investigated.
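The authorization table described above, as an added example that is not part of the original chart: privileges are held at system, transaction and field level, every access decision is written to a control log, and denied requests are surfaced as the exception items management should review. The users, systems and privileges are constructed for illustration.

```python
"""Added example: user authorization table checked at system, transaction
and field level, with a control log whose denials are the exception items.
All users, systems and privileges below are constructed, not from any page."""
from dataclasses import dataclass, field

# Constructed authorization table built from (hypothetical) authorization forms.
# Shape: user -> {system: {transaction: {field: set(actions)}}}.
# "*" stands for every transaction or every field at that level.
AUTH_TABLE = {
    "alice": {"AP": {"INVOICE": {"*": {"view", "update"}},
                     "PAYMENT": {"amount": {"view"}}}},
    "bob":   {"AP": {"*": {"*": {"view"}}}},
}

@dataclass
class ControlLog:
    """Records every access decision; management reviews the exceptions."""
    entries: list = field(default_factory=list)

    def record(self, user, system, txn, fld, action, allowed):
        self.entries.append((user, system, txn, fld, action, allowed))

    def exceptions(self):
        # Denied requests are the exception items that must be investigated.
        return [e for e in self.entries if not e[5]]

def is_authorized(user, system, txn, fld, action):
    """Walk the table from system to transaction to field, honouring '*'."""
    txns = AUTH_TABLE.get(user, {}).get(system, {})
    for t in (txn, "*"):
        fields = txns.get(t)
        if fields is None:
            continue
        for f in (fld, "*"):
            if f in fields and action in fields[f]:
                return True
    return False

def check(log, user, system, txn, fld, action):
    """Decide the request, log the decision, and return it."""
    allowed = is_authorized(user, system, txn, fld, action)
    log.record(user, system, txn, fld, action, allowed)
    return allowed
```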
Compensating Controls for Lack of Segregation of Duties
Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness when duties cannot be appropriately segregated. The IS auditor should carefully evaluate the reports, applications and related processes for appropriate controls, including testing and access controls over changes to the reports or functions. Compensating controls include the following.
Audit trails
Audit trails help the IT and user departments, as well as the IS auditor, by providing a map to retrace the flow of a transaction. They enable the user and the IS auditor to recreate the actual transaction flow from the point of origination to its existence on an updated file. In the absence of adequate SoD, good audit trails may be an acceptable compensating control. From the audit trail, the IS auditor should be able to determine who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated.
Reconciliation
Reconciliation is ultimately the responsibility of the user department. In some organizations, limited reconciliation of applications may be performed by the data control group with the use of control totals and balance sheets. This type of independent verification increases the level of confidence that the application processed successfully and that the data are in proper balance.
Exception reporting
Exception reporting should be handled at the supervisory level and should require evidence, such as initials on a report, noting that the exception has been handled properly. Management should also ensure that exceptions are resolved in a timely manner.
Transaction logs
Transaction logs may be manual or automated. An example of a manual log is a record of transactions (grouped or batched) before they are submitted for processing. An automated transaction log provides a record of all transactions processed and is maintained by the computer system.
Supervisory reviews
Supervisory reviews may be performed through observation and inquiry, or remotely.
Independent reviews
Independent reviews are carried out to compensate for mistakes and internal failures in following prescribed procedures (given in the next chart). These reviews are particularly important when duties in a small organization cannot be appropriately segregated. Such reviews help to detect errors and irregularities.
Segregation of Duties Within IT
The IS auditor should obtain enough information to understand and document the relationships among the various job functions, responsibilities and authorities, and assess the adequacy of the SoD. An automated tool may be required to evaluate the actual access a user has against a SoD matrix. With adequate SoD, errors or misappropriations can be detected in a timely manner, and fraudulent and/or malicious acts can be discouraged and prevented.
If adequate SoD does not exist, the following could occur:
• Misappropriation of assets
• Misstated financial statements
• Inaccurate financial documentation (i.e., errors or irregularities)
• Undetected unauthorized or erroneous changes or modification of data and programs
• Undetected improper use of funds or modification of data
Duties that should be segregated include:
• Custody of the assets
• Authorization
• Recording transactions
When duties are segregated, access to the computer, the production data library, production programs, programming documentation, and the OS and associated utilities can be limited, and the potential damage from the actions of any one person is therefore reduced.
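The automated check of a user's actual access against a SoD matrix, mentioned under "Segregation of Duties Within IT", as an added example that is not part of the original chart. It uses the three duties the chart lists (custody, authorization, recording) as the matrix's conflict pairs; the system functions, their duty classification and the access extract are constructed for illustration.

```python
"""Added example: evaluate an access extract against a SoD matrix.
The function names, duty classification and access extract are constructed."""
from itertools import combinations

# Duties the chart says should be segregated.
CUSTODY, AUTHORIZATION, RECORDING = "custody", "authorization", "recording"

# SoD matrix: pairs of duties no single person may hold together.
SOD_MATRIX = {
    frozenset({CUSTODY, AUTHORIZATION}),
    frozenset({CUSTODY, RECORDING}),
    frozenset({AUTHORIZATION, RECORDING}),
}

# Constructed mapping of system functions to the duty each represents.
# None marks a read-only function that carries no segregable duty.
FUNCTION_DUTY = {
    "AP.APPROVE_PAYMENT": AUTHORIZATION,
    "AP.POST_JOURNAL": RECORDING,
    "TREASURY.RELEASE_FUNDS": CUSTODY,
    "AP.VIEW_INVOICE": None,
}

def user_duties(functions):
    """Map a user's granted functions to the set of duties they confer."""
    return {FUNCTION_DUTY[f] for f in functions if FUNCTION_DUTY.get(f)}

def unclassified(functions):
    """Functions with no duty classification cannot be assessed; flag them."""
    return sorted(f for f in functions if f not in FUNCTION_DUTY)

def sod_conflicts(access_extract):
    """Return {user: [(duty, duty), ...]} for every user whose actual access
    spans a pair of duties the matrix forbids in combination."""
    conflicts = {}
    for user, functions in access_extract.items():
        duties = sorted(user_duties(functions))
        hits = [pair for pair in combinations(duties, 2)
                if frozenset(pair) in SOD_MATRIX]
        if hits:
            conflicts[user] = hits
    return conflicts
```

Any function returned by unclassified() should be classified before the auditor relies on the conflict report, since an unclassified grant may hide a conflicting duty.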