“A Conceptual Model for Segregation of Duties: Integrating Theory and Practice” Kevin Kobelsky, University of Michigan – Dearborn.

Presentation transcript:


UWCISA 8th Symposium, Oct. 4, 2013, Kevin Kobelsky

Motivation. The Problem: Stealing (intentional), Loss (unintentional).

Motivation. The Solution: “Independent Review” (underlying principle), achieved through Segregation of Duties (SoD).

Segregation of Duties. An employee should not be in a position to both 1) perpetrate AND 2) conceal Fraud/Irregularities or Unintentional Errors. Control Approach: All asset handling is reviewed by an independent person, and inappropriate action is acted on. Division of a process into subtasks is not enough if there is no independent review and follow-up action.

Segregation of Duties Model. Objective: Reduce risk that assets will be stolen/lost/wasted. Solution: At least three people required.

SoD in Literature – Agency. Tirole (1986) examines costs of lack of segregation of Agent from Supervisor.

SoD in Literature – Agency. Secondary Review has benefits: Beck (1986), Barra (2010) for peer agents; Kofman and Lawarée (1993) for peer supervisor.

SoD in Literature – Practitioner Standards, Textbooks: AICPA, 2006; Arens et al., 2013; COSO, 1994; Elsas, 1996; Elsas et al., 1998; Fishman, 2000; Louwers et al., 2013; Messier et al., 2012; PCAOB, 2007; Stone, 2009; Weigand and Elsas, 2012; Whittington and Pany, 2013.

SoD: Agency vs Practitioner. 1. Practitioner: Authorization includes the ability to initiate a transaction without review by the Custodian. Independent primary review of such transactions is not included in the model.

SoD: Agency vs Practitioner. 2. Practitioner: no Secondary Review of any transaction is included in the model. Secondary Review provides assurance regarding the quality of the Primary Review process, i.e., Repeatability.

SoD: Agency vs Practitioner. 3. Agency: no mention of Recordkeeping, which separates data gathering from evaluation to enhance efficiency.

SoD: Agency vs Practitioner. 4. Practitioner: includes physical assets in Custody, and records-based assets, liabilities such as A/R, A/P in Recording. Segregates them. Merely reduces embezzlement of physical assets by substitution of records-based assets/expenses. (Needed?)

SoD: Practitioner vs Reality. 5. Practitioner: In practice, Recording is often NOT segregated from Custody for efficiency reasons, e.g., Receiver prepares Receiving Report, Cashier prepares invoices/receipts, etc. How can this be? What is missing?

SoD: Ambiguity. 3 domains diverge: 1) Agency-based model, 2) Practitioner model, 3) Business practice. Opportunity: Integrate these models to rigorously evaluate internal control for theory, evaluation, training.

Primary SoD. Primary SoD reflects:
1. Agency – Initiation of transaction in Custody
3. Practitioner – Recording for efficiency
4. Agency – All Asset types included in Custody
5. Practice – Recording and Custody not segregated
6. Reconciliation added to ensure Record reliable
But lacks Secondary Review to ensure repeatability.

Secondary SoD. Secondary SoD reflects:
2. Agency – Secondary Review for repeatability, based on:
3. Practitioner – Recording for efficiency
6. Reconciliation to ensure Record reliable.
Requires Authorization of Reconciliation to verify assets while Reconciliation being performed (Blokdijk, 2004).

IT Aspects. Primary SoD has traditional requirements:
- Data input controls
- Access control with authentication
- Program change control
- Independent review of master file changes (note not segregated from initiation)
Secondary SoD requires:
- Secondary review of the above to ensure all are operating effectively
Yet rarely addressed! An inconsistency with manual processes?
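
As an added illustration of the IT slide (not part of the presentation), the Python sketch below audits a constructed master file change log for missing or non-independent primary and secondary reviews. The log columns, the user names, and the rule that the secondary reviewer must differ from both the person making the change and the primary reviewer are assumptions made for the example.

```python
import csv
import io

# Constructed sample: master file change log with review sign-offs.
# Column names and values are hypothetical, not taken from the presentation.
CHANGE_LOG = """change_id,changed_by,primary_reviewer,secondary_reviewer
MF-001,alice,bob,carol
MF-002,alice,alice,carol
MF-003,dave,,
MF-004,erin,bob,
MF-005,frank,bob,bob
MF-006,grace,heidi,grace
"""

def audit_changes(log_text):
    """Return {change_id: [findings]} for changes that break review independence."""
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        maker = row["changed_by"].strip().lower()
        primary = row["primary_reviewer"].strip().lower()
        secondary = row["secondary_reviewer"].strip().lower()
        issues = []
        # Primary SoD: whoever can perpetrate must not also be the reviewer.
        if not primary:
            issues.append("no primary review")
        elif primary == maker:
            issues.append("primary review not independent")
        # Secondary SoD (assumed rule): a third person checks the review itself.
        if not secondary:
            issues.append("no secondary review")
        elif secondary in (maker, primary):
            issues.append("secondary review not independent")
        if issues:
            findings[row["change_id"]] = issues
    return findings

def secondary_coverage(log_text):
    """Fraction of changes that received an independent secondary review."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    bad = audit_changes(log_text)
    ok = sum(1 for r in rows
             if not any("secondary" in i for i in bad.get(r["change_id"], [])))
    return ok / len(rows) if rows else 0.0

if __name__ == "__main__":
    for cid, issues in audit_changes(CHANGE_LOG).items():
        print(cid, "; ".join(issues))
    print(f"secondary coverage: {secondary_coverage(CHANGE_LOG):.0%}")
```

A low secondary coverage figure alongside clean primary findings is the pattern the slide calls out: primary controls in place, with no one checking that they operate effectively.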

Implications. Integration of the Agency Theory model, the Practitioner model and Practice identifies limitations in the two models. Not all segregations are equal: Primary vs Secondary. Secondary segregations are common for organizational control processes, but not for the IT-based processes that they rely upon.