
“A Conceptual Model for Segregation of Duties: Integrating Theory and Practice” Kevin Kobelsky, University of Michigan – Dearborn.

1 “A Conceptual Model for Segregation of Duties: Integrating Theory and Practice” Kevin Kobelsky, University of Michigan – Dearborn

2 Motivation (UWCISA 8th Symposium, Oct. 4, 2013, Kevin Kobelsky)
The Problem: Stealing (intentional), Loss (unintentional)

3 Motivation
The Solution: “Independent Review” (underlying principle), achieved through Segregation of Duties (SoD)

4 Segregation of Duties
An employee should not be in a position to both 1) perpetrate AND 2) conceal fraud/irregularities or unintentional errors.
Control approach: All asset handling is reviewed by an independent person, and inappropriate action is acted on.
Division of a process into subtasks is not enough if there is no independent review and follow-up action.

5 Segregation of Duties Model
Objective: Reduce risk that assets will be stolen/lost/wasted
Solution: At least three people required

6 SoD in Literature – Agency
Tirole (1986) examines costs of lack of segregation of Agent from Supervisor.

7 SoD in Literature – Agency
Secondary Review has benefits: Beck (1986), Barra (2010) – peer agents; Kofman and Lawarée (1993) – peer supervisor.

8 SoD in Literature – Practitioner Standards, Textbooks: AICPA, 2006; Arens et al., 2013; COSO, 1994; Elsas, 1996; Elsas et al., 1998; Fishman, 2000; Louwers et al., 2013; Messier et al., 2012; PCAOB, 2007; Stone, 2009; Weigand and Elsas, 2012; Whittington and Pany, 2013.

9 SoD: Agency vs Practitioner (diagram: Agency model vs. Practitioner model)
1. Practitioner – Authorization includes the ability to initiate a trans’n without review by the Custodian. Independent primary review of such transactions is not included in the model.

10 SoD: Agency vs Practitioner (diagram: Agency model vs. Practitioner model)
2. Practitioner – no Secondary Review of any transaction is included in the model. (Secondary Review provides assurance re: quality of the Primary Review process, i.e., repeatability.)

11 SoD: Agency vs Practitioner (diagram: Agency model vs. Practitioner model)
3. Agency – no mention of Recordkeeping, which separates data gathering from evaluation to enhance efficiency.

12 SoD: Agency vs Practitioner (diagram: Agency model vs. Practitioner model)
4. Practitioner – includes physical assets in Custody, and records-based assets and liabilities such as A/R, A/P in Recording, and segregates them. This merely reduces embezzlement of physical assets by substitution of records-based assets/expenses. Needed?

13 SoD: Practitioner vs Reality (diagram: Practitioner model)
5. Practitioner – In practice, Recording is often NOT segregated from Custody for efficiency reasons, e.g., the Receiver prepares the Receiving Report, the Cashier prepares invoices/receipts, etc. How can this be? What is missing?

14 SoD: Ambiguity
Three domains diverge: 1) Agency-based model, 2) Practitioner model, 3) Business practice.
Opportunity: Integrate these models to rigorously evaluate internal control for theory, evaluation, training.

15 Primary SoD
Primary SoD reflects:
1. Agency – Initiation of trans’n in Custody
3. Practitioner – Recording for efficiency
4. Agency – All asset types included in Custody
5. Practice – Recording and Custody not segregated
6. Reconciliation added to ensure Record reliable
But lacks Secondary Review to ensure repeatability.

16 Secondary SoD
Secondary SoD reflects:
2. Agency – Secondary Review for repeatability, based on:
3. Practitioner – Recording for efficiency
6. Reconciliation to ensure Record reliable
Requires Authorization of Reconciliation to verify assets while Reconciliation is being performed (Blokdijk, 2004).

17 SoD: IT Aspects – Primary SoD
New technology, different process steps, but the same approach: each Custody duty is evaluated independently. No need for segregation across columns!
(Diagram: columns Auth’n and Custody. Data duties: Trans’n Input, Input Checks, Master File Chgs, Review. Program duties: Program’g, Maint’ce, Testing, Copy to Prod’n, Promo’n Control, Oper’ns, Job Control.)

18 SoD: IT Aspects – Primary SoD
Access Control is a precondition of SoD, akin to procedure definition in a manual system. It must be segregated from all other duties.
(Diagram: columns Auth’n and Custody. Data duties: Trans’n Input, Input Checks, Master File Chgs, Review. Program duties: Program’g, Maint’ce, Testing, Copy to Prod’n, Promo’n Control, Oper’ns, Job Control. Added: Access Control.)

19 SoD: IT Aspects – Prog Chgs
Unconventional segregations more cost-effective?
(Diagram: columns Auth’n and Custody; duties Program’g, Maint’ce, Testing, Copy to Prod’n, Promo’n Control, Oper’ns, Job Control; PCC w 2 people: Emp 1, Emp 2.)

20 SoD: IT Aspects – Prog Chgs
Unconventional segregations more cost-effective?
(Diagram: columns Auth’n and Custody; duties Program’g, Maint’ce, Testing, Copy to Prod’n, Promo’n Control, Oper’ns, Job Control; marked “D”; PCC w 2 people: Emp 1, Emp 2.)

21 SoD: IT Aspects – Data Control
No need to segregate Master File changes from Transaction initiation.
(Diagram: columns Auth’n and Custody; Data duties: Trans’n Input, Input Checks, Master File Chgs, Review.)

22 IT Aspects – Secondary SoD
Primary SoD has elements of traditional requirements, but some differences:
- Access control with authentication
- Data input controls, but… master file changes can be done by the transaction initiator
- Program change control, but… don’t need 3 separate roles (Program, Test, Operations) for PCC, only 2
- Overall, need at least 3 people for Primary SoD (2 for PCC + 1 for Access Control)
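The Primary SoD requirements listed on this slide can be checked mechanically over a role-grant export, which is how an identity team would enforce them. The following is an added example in Python, not material from the presentation: the duty names are taken from the slides, while the split of program change control into a build half and a promote/operate half (so that "2 people for PCC" means nobody holds both halves), the "person,duty" input format and the sample grants are my own assumptions and constructed data.

```python
"""Primary SoD checker over a role-grant export (added example, not from the slides).

Assumptions, mine rather than the presentation's:
  * PCC is split into a build half and a promote/operate half; one person may hold
    any number of duties within a single half, but never duties from both halves.
  * "At least 3 people" counts distinct people holding at least one duty.
  * Grants arrive as 'person,duty' lines (a constructed export format).
"""
from collections import defaultdict

# Duty names as abbreviated on the slides.
ACCESS_CONTROL = "Access Control"
TRANSACTION_INPUT = "Trans'n Input"       # may be combined with Master File Chgs (slide 21)
MASTER_FILE_CHANGES = "Master File Chgs"

# Assumed split of program change control (PCC) into two halves.
PCC_BUILD = frozenset({"Program'g", "Maint'ce", "Testing"})
PCC_PROMOTE = frozenset({"Copy to Prod'n", "Promo'n Control", "Oper'ns", "Job Control"})

MIN_PEOPLE = 3  # slide 22: 2 for PCC + 1 for Access Control


def parse_grants(text):
    """Parse 'person,duty' lines into {person: set(duties)}; '#' lines and blanks are ignored."""
    grants = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "," not in line:
            raise ValueError(f"malformed grant line: {line!r}")
        person, duty = (part.strip() for part in line.split(",", 1))
        grants[person].add(duty)
    return dict(grants)


def check_primary_sod(grants):
    """Return a list of violation strings; an empty list means the Primary SoD rules hold."""
    violations = []
    for person, duties in sorted(grants.items()):
        # Slide 18: Access Control must be segregated from every other duty.
        if ACCESS_CONTROL in duties and len(duties) > 1:
            others = sorted(duties - {ACCESS_CONTROL})
            violations.append(f"{person}: Access Control combined with {others}")
        # Slide 22: PCC needs 2 people, i.e. nobody may hold both halves (assumed split).
        build, promote = duties & PCC_BUILD, duties & PCC_PROMOTE
        if build and promote:
            violations.append(
                f"{person}: holds both PCC halves {sorted(build)} and {sorted(promote)}"
            )
        # Slide 21: Trans'n Input together with Master File Chgs is permitted, so no rule here.
    holders = [p for p, d in grants.items() if d]
    if len(holders) < MIN_PEOPLE:
        violations.append(
            f"only {len(holders)} people hold duties; Primary SoD needs at least {MIN_PEOPLE}"
        )
    return violations


# Constructed sample exports (not real data).
GRANTS_OK = """\
# three people: build side, promote side, access control
alice,Trans'n Input
alice,Master File Chgs
alice,Program'g
alice,Testing
bob,Copy to Prod'n
bob,Job Control
carol,Access Control
"""

GRANTS_BAD = """\
# two people, with toxic combinations
alice,Program'g
alice,Copy to Prod'n
bob,Access Control
bob,Job Control
"""

if __name__ == "__main__":
    for label, export in (("ok", GRANTS_OK), ("bad", GRANTS_BAD)):
        found = check_primary_sod(parse_grants(export))
        print(f"{label}: {len(found)} violation(s)")
        for v in found:
            print("  -", v)
```

The compliant export passes because alice combines transaction input with master file changes (allowed) and holds only build-side PCC duties, bob holds only promote-side duties, and carol holds nothing but Access Control. The second export fails three ways: one person spans both PCC halves, Access Control is combined with an operations duty, and only two people carry duties.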

23 IT Aspects – Secondary SoD
Secondary SoD requires:
- Secondary review of the above to ensure all are operating effectively
Yet rarely addressed! An inconsistent standard vis-à-vis manual processes?

24 Implications, Contributions
1. Integration of the Agency Theory model, the Practitioner model, and Practice identifies limitations in the two models.
2. Insights allow for unconventional duty combinations in manual and IT processes.
3. Not all segregations are equal – Primary vs Secondary.
4. Secondary segregations are common for organizational control processes, but not for the IT-based processes that they rely upon.

