“A Conceptual Model for Segregation of Duties: Integrating Theory and Practice” Kevin Kobelsky, University of Michigan – Dearborn.


UWCISA 8th Symposium, Oct. 4, 2013, Kevin Kobelsky
Motivation: The Problem
Stealing (intentional)
Loss (unintentional)

Motivation: The Solution
"Independent Review" (underlying principle), achieved through Segregation of Duties (SoD)

Segregation of Duties
An employee should not be in a position to both 1) perpetrate AND 2) conceal fraud/irregularities or unintentional errors.
Control approach: all asset handling is reviewed by an independent person, and inappropriate action is acted on.
Dividing a process into subtasks is not enough if there is no independent review and no follow-up action.

Segregation of Duties Model
Objective: Reduce the risk that assets will be stolen/lost/wasted
Solution: At least three people required

SoD in Literature – Agency
Tirole (1986) examines the costs of a lack of segregation of Agent from Supervisor

SoD in Literature – Agency
Secondary Review has benefits: Beck (1986), Barra (2010) – peer agents; Kofman and Lawarée (1993) – peer supervisor

SoD in Literature – Practitioner
Standards and textbooks: AICPA, 2006; Arens et al., 2013; COSO, 1994; Elsas, 1996; Elsas et al., 1998; Fishman, 2000; Louwers et al., 2013; Messier et al., 2012; PCAOB, 2007; Stone, 2009; Weigand and Elsas, 2012; Whittington and Pany, 2013.

SoD: Agency vs Practitioner (diagram: Agency model vs. Practitioner model)
1. Practitioner – Authorization includes the ability to initiate a trans'n without review by the Custodian. Independent primary review of such transactions is not included in the model.

SoD: Agency vs Practitioner (diagram: Agency model vs. Practitioner model)
2. Practitioner – no Secondary Review of any transaction is included in the model. Secondary Review provides assurance re: the quality of the Primary Review process, i.e., Repeatability.

SoD: Agency vs Practitioner (diagram: Agency model vs. Practitioner model)
3. Agency – no mention of Recordkeeping, which separates data gathering from evaluation to enhance efficiency.

SoD: Agency vs Practitioner (diagram: Agency model vs. Practitioner model)
4. Practitioner – includes physical assets in Custody, and records-based assets and liabilities such as A/R and A/P in Recording, and segregates them. This merely reduces embezzlement of physical assets by substitution of records-based assets/expenses. Is it needed?

SoD: Practitioner vs Reality
5. Practitioner – In practice, Recording is often NOT segregated from Custody for efficiency reasons, e.g., the Receiver prepares the Receiving Report, the Cashier prepares invoices/receipts, etc. How can this be? What is missing?

SoD: Ambiguity
Three domains diverge: 1) Agency-based model 2) Practitioner model 3) Business practice
Opportunity: Integrate these models to rigorously evaluate internal control for theory, evaluation, and training.

Primary SoD
Primary SoD reflects:
1. Agency – Initiation of trans'n in Custody
3. Practitioner – Recording for efficiency
4. Agency – All asset types included in Custody
5. Practice – Recording and Custody not segregated
6. Reconciliation added to ensure the Record is reliable
But it lacks Secondary Review to ensure repeatability

Secondary SoD
Secondary SoD reflects:
2. Agency – Secondary Review for repeatability, based on:
3. Practitioner – Recording for efficiency
6. Reconciliation to ensure the Record is reliable
Requires Authorization of Reconciliation to verify assets while the Reconciliation is being performed (Blokdijk, 2004)

SoD: IT Aspects – Primary SoD
New technology, different process steps, but the same approach: each Custody duty is evaluated independently. No need for segregation across columns!
(Diagram columns: Auth'n, Custody. Duties shown: Trans'n Input, Input Checks, Data, Programs, Master File Chgs, Review, Program'g, Maint'ce, Testing, Copy to Prod'n, Promo'n Control, Oper'ns, Job Control)

SoD: IT Aspects – Primary SoD
Access Control is a precondition of SoD, akin to procedure definition in a manual system. It must be segregated from all other duties.
(Diagram columns: Auth'n, Custody. Duties shown: Trans'n Input, Input Checks, Data, Programs, Master File Chgs, Review, Program'g, Maint'ce, Testing, Copy to Prod'n, Promo'n Control, Oper'ns, Job Control, Access Control)

SoD: IT Aspects – Prog Chgs
Are unconventional segregations more cost-effective?
(Diagram columns: Auth'n, Custody. Duties shown: Program'g, Maint'ce, Testing, Copy to Prod'n, Promo'n Control, Oper'ns, Job Control. PCC with 2 people: Emp 1, Emp 2)

SoD: IT Aspects – Data Control
No need to segregate Master File changes from Transaction initiation.
(Diagram columns: Auth'n, Custody. Duties shown: Trans'n Input, Input Checks, Data, Master File Chgs, Review)

IT Aspects – Secondary SoD
Primary SoD has elements of the traditional requirements, but some differences:
- Access control with authentication
- Data input controls, but… master file changes can be done by the transaction initiator
- Program change control, but… no need for 3 separate roles (Program, Test, Operations) for PCC, only 2
- Overall, at least 3 people are needed for Primary SoD (2 for PCC + 1 for Access Control)

IT Aspects – Secondary SoD
Secondary SoD requires:
- Secondary review of the above to ensure all are operating effectively
Yet rarely addressed! An inconsistent standard vis-à-vis manual processes?
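The IT-aspect rules above (access control segregated from everything, each custody duty reviewed independently, master-file changes allowed for the transaction initiator, PCC with two people, three people minimum, and a secondary review independent of the primary one) can be encoded as a checker over a duty assignment matrix. This is an added example, not the author's code; the exact custody-to-review pairing in PRIMARY_REVIEW and the sample staff assignments are this example's assumptions.

```python
from collections import defaultdict

# Assumed pairing of each custody duty with the review duty that an independent
# person must perform (the slides list the duties, not this exact mapping).
PRIMARY_REVIEW = {"transaction_input": "input_checks", "master_file_changes": "review",
                  "programming": "testing", "copy_to_production": "promotion_control"}
# Program change control duties: the model needs two people here, not three roles.
PCC_DUTIES = {"programming", "maintenance", "testing", "copy_to_production",
              "promotion_control", "operations", "job_control"}

def sod_findings(assignments, secondary_reviewer=None):
    """assignments: {employee: set of duties}. Returns a list of SoD findings.
    Custody duties are never checked against each other, so one person doing both
    transaction input and master file changes is allowed, as the model states."""
    holders = defaultdict(set)                      # duty -> employees performing it
    for emp, duties in assignments.items():
        for duty in duties:
            holders[duty].add(emp)
    findings = []
    # Access control is a precondition of SoD: segregate it from every other duty.
    for emp in sorted(holders["access_control"]):
        others = assignments[emp] - {"access_control"}
        if others:
            findings.append(f"{emp}: access_control combined with {sorted(others)}")
    # Primary SoD: each custody duty is reviewed by someone who does not perform it.
    for custody, review in PRIMARY_REVIEW.items():
        doers, reviewers = holders[custody], holders[review]
        findings += [f"{e}: performs {custody} and its review {review}" for e in sorted(doers & reviewers)]
        if doers and not (reviewers - doers):
            findings.append(f"{custody}: no reviewer independent of its custodians")
    # PCC may be covered by two people but never by one.
    if len({e for e, d in assignments.items() if d & PCC_DUTIES}) == 1:
        findings.append("program change control handled by a single person")
    # Primary SoD needs at least three people: two for PCC plus one for access control.
    if len(assignments) < 3:
        findings.append("fewer than three people: primary SoD not achievable")
    # Secondary SoD: the re-check of the primary reviews must come from someone who
    # holds neither a custody duty nor a primary-review duty.
    if secondary_reviewer is not None:
        involved = set(PRIMARY_REVIEW) | set(PRIMARY_REVIEW.values())
        if assignments.get(secondary_reviewer, set()) & involved:
            findings.append(f"{secondary_reviewer}: secondary review is not independent")
    return findings

# Constructed sample assignments (not taken from the slides).
STAFF_OK = {"ann": {"transaction_input", "master_file_changes", "programming"},
            "bob": {"input_checks", "review", "testing", "copy_to_production"},
            "cid": {"promotion_control"}, "eve": {"access_control"}}
STAFF_BAD = {"ann": {"transaction_input", "input_checks", "access_control"},
             "bob": {"programming", "testing"}}
```

STAFF_OK passes Primary SoD with four people even though ann both inputs transactions and changes master files; STAFF_BAD shows self-review, access control mixed with other duties, single-person PCC and too few staff.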

Implications, Contributions
1. Integration of the Agency Theory model, the Practitioner model, and Practice identifies limitations in the two models.
2. The insights allow for unconventional duty combinations in manual and IT processes.
3. Not all segregations are equal – Primary vs Secondary.
4. Secondary segregations are common for organizational control processes, but not for the IT-based processes they rely upon.