Incompatible Security Analysis Document

This document is an analysis of incompatible business processes. It is intended to act as a risk assessment for ISRS security identifiers. Incompatibilities defined in this document should be entered into the security administration system so that institutions are warned about the incompatibility and can document mitigating controls if they need to create incompatible security. If the risk for an incompatibility is already documented in the security administration system, the risk is not repeated in this document. The document contains recommendations for recording additional incompatibilities or changing security groups to eliminate some incompatible security. Finally, it contains a review of mitigating controls that were previously defined and shows the queries or reports in ISRS which must be used to document the mitigating control.
Cash In
Risk: Cash received is not deposited

| Business Process | Risk (risk is not listed if previously defined) | Security | Incompatible Security | Note |
|---|---|---|---|---|
| General Receipt | A general receipt is a risky transaction because the system does not contain any information on the amount that should have been received. It is not incompatible with other system security, but users need to consider it when developing manual procedures. | AR_03 | n/a | |
| Cashiering & Receipt Correction | | AR_03 | AR_06 | 1 |
| Cashiering & Manual Receivable Reduction | | AR_03 | AR_07 | 1 |
| Cashiering & Employee Waivers | | AR_03 | AR_18 | 1 |
| Cashiering & Non-Employee Waivers | | AR_03 | AR_09 | 1 |
| Cashiering & Write-Off | | AR_03 | AR_25 | |
| Cashiering & Collections | | AR_03 | AR_24M | 1 |
| Cashiering & Deferments | | AR_03 | AR_11H | 1 |
| Cashier & Market Rate Tuition Set-up | | AR_03 | AR_17 | 1 |
| Cashier & Application Fee Recording | The applicant system allows a user to mark an application fee as paid. If a user can do this and also receive cash, they could disguise the theft of cash. If the institution creates receivables for application fees, a mitigating factor is that marking the applicant as paid does not reduce the receivable balance. | AR_03 | | |
| Cashiering & Back-Dated Drop | | AR_03 | ST_06L, ST_06M, ST_06H, ST_07L, ST_07M, ST_07H, ST_08L, ST_08M, ST_08H, RG_05H | 1 |
| Cashiering & Student Residency | | AR_03 | ST_15M | 1 |
| Cashiering & Billing Residency | | AR_03 | AR_08H | 1 |
| Cashiering & Change Course Fees | | AR_03 | AR_23H | 1 |
| Cashiering & Change Tuition or Standard Fee Rates | Changing these rates would re-calculate every student in these groups. The impact would be fairly evident, so this is not an incompatibility. | AR_03 | AR_01H | n/a |
| Cashiering & Income Contracts | Customized training can enter their income contracts into the system. If a user can enter or modify the income amount and also takes in cash receipts, they can disguise theft of cash. | AR_03 | CN_04H | 1 |
| Cashiering & Externally Billed Inventory Job | The Consumable Inventory module has the capability to charge an issue to an external party, which creates an Accounts Receivable in the system. A person who can cancel or adjust the issue and receive cash could disguise theft of cash. This feature is seldom used, but does present a risk. | AR_03 | CI_05H | |
| Cashiering & Externally Billed Cost Allocation | The Cost Allocation module has the capability to charge an allocation to an external party, which creates an Accounts Receivable in the system. A person who can cancel or adjust the allocation and receive cash could disguise theft of cash. This feature is seldom used, but does present a risk. | AR_03 | CA_05H | |
| Cashiering & Housing Room Type Change | If a room type is changed, the system re-calculates the charges for a student in the room. If a user can perform this function and also receives cash, they could calculate a lower amount and keep part of a payment. | AR_03 | SH_01H | |
| Cashiering & Expense Voucher | | AR_03, AR_10 | AC_TRAN_JOURNAL_VOUCHER | 1 |

1 – Incompatibility documented in the security administration system
Cash Out
Risk: Cash disbursed is not a payment to a customer interacting with the college or university

| Business Process | Risk Analysis | Security | Incompatible Security | Note |
|---|---|---|---|---|
| Budgeting & Payment | | AC_TRAN_BUDGET | AC_TRAN_PAYMENT_VOUCHER | 1 |
| Department Purchasing & Central Purchasing | | BUSMGR | DEPTHEAD, REQNORGN | 1 |
| Purchasing & Payment | | PURCLERK, PURHEAD | AC_TRAN_PAYMENT_VOUCHER | 1 |
| Payment & Disbursement | | AC_TRAN_PAYMENT_VOUCHER | AP_01H, AP_01M, AP_01L | 1 |
| Payment & Bank Reconciliation | | AC_TRAN_PAYMENT_VOUCHER | AP_02 | 1 |
| Payment & Address Change | | AC_TRAN_PAYMENT_VOUCHER | AR_03, AR_04, AR_16, HR_SUPERUSER, HR_SYSTEMWIDE_SUPERUSER | 1 |
| Expense Voucher | See Cash In section. | AC_TRAN_JOURNAL_VOUCHER | AR_03 | 1 |
| Personnel & Employee Payroll | | HR_SUPERUSER | PAYROLL_SUPERUSER | 1 |
| System-wide Personnel & Employee Payroll | | HR_SYSTEMWIDE_SUPERUSER | PAYROLL_SYSTEMWIDE_SUPERUSER | 1 |
| Student Payroll Work Authorization and Time Entry | The PR_01 and PR_02 groups allow a user to set up a work authorization and enter timesheets. In essence, they are performing the HR and payroll functions. However, the person cannot benefit from a fictitious payroll unless they can also create a check or set up direct deposit. The groups themselves do not create incompatible duties. | | n/a | |
| Student Payroll & Direct Deposit | | PR_02(H,M,L) | AP_03H | 1 |
| Student Payroll & Check Writing | The person who can create a work authorization and enter time should not be able to print checks. They could create a fictitious payroll and generate a check for it without detection. | PR_02(H,M,L) | AP_02(H,M,L) – (3) | |
| System Generated Refunds & Address Changes | The system calculates the refund, so the risk is that it is not delivered to the correct party. The current grid defines incompatibilities with some of the identifiers that allow address change, but not all of them. | AR_12H | AR_03, ADDRESS_HIGH, ADDRESS_MED | 1 |
| Third Party & Address Change | | AR_16 | AR_03, ADDRESS_HIGH, ADDRESS_MED | 1 |
| Refund created by Receipt Correction & Address Change | | AR_06 | AR_03, ADDRESS_HIGH, ADDRESS_MED | 1 |
| Refunds & Direct Deposit | The refund process should also be incompatible with direct deposit set-up, because the user could change the bank account for the deposit. | AR_12H | AP_03H | |
| Financial Aid Overage & Address Change | Need to record the incompatibility for the other identifiers that can change address. | FA_14 | AR_03 | 1 |
| Financial Aid Overage & Direct Deposit | If a user can change direct deposit information, they could redirect an overage to their own bank account. | FA_14 | AP_03H | |
| Financial Aid Overage & Check Writing | The person making the award should not be writing checks, or they could create a fictitious award and take the check. | FA_14 | AP_02(H,M,L) – (3) | |
| Short-Term Loans | | | | |

1 – Incompatibility documented in the security administration system
2 – The functions in the AP high, medium, and low groups should be reviewed. Also, the groups should be renamed to better describe their function.
Equipment
The goal is to protect against the risks of unauthorized purchase, use, or disposal. Another risk is that equipment is not properly recorded in the system.
The key internal control over purchasing is to ensure proper authorization. The owner of the cost center or one of their delegates should authorize the purchase. Purchasing and payment separation has been addressed above.
Protecting the asset from unauthorized use or disposal requires an independent physical inventory. The inventory should be done by someone other than the custodian of the asset. While this is an important separation of duties, it does not impact ISRS security.
The security group EQ_02 includes both the recordkeeping function and the running of the reconciliation report. If one person does both duties, they could ignore items on the reconciliation report, resulting in incorrect asset valuation. However, the Financial Reporting unit in the Office of the Chancellor monitors these reports, which reduces the risk of a material misstatement to an acceptable level.
Recommendations
1. Create an incompatibility for AR_03 and ST_06L, ST_06M, ST_06H, ST_07L, ST_07M, ST_07H, ST_08L, ST_08M, ST_08H.
2. Remove address update capabilities from AR_03 (Cashier). This would eliminate the incompatibilities between AR_03 and AR_12H, AR_03 and AR_16, and AR_03 and FA_14. Also remove them from AR_32H (A/R Special Comments Maintenance), because they are not necessary for that job function. This change requires a special version of AR1000UG without the address tab. Note: this was endorsed by the work group at the 7/20/2010 meeting. Add incompatibilities for all the student identifiers that can change address information.
3. Create incompatibilities for AR_03 with CN_04H, CI_05H, CA_05H, and SH_01H. They could be used to disguise theft of cash, but the risk is low.
4. Create an incompatibility between AR_12H and AP_03H.
5. FA_14 is incompatible with AP_01H and AP_03H.
Items from the 7/20/2010 Work Group
1. Split waivers and waiver corrections into separate groups. Then a cashier who receives payments from collections can remove the waiver and enter the payment.
2. Split direct deposit account maintenance and file processing into separate security groups. This would eliminate the incompatibility for the person processing the file.
3. Remove address update capability from AR_04 and AR_16.
4. Create an AR_16H (update) and AR_16L (view only) instead of the single AR_16 (update).
Mitigating Control Analysis

| # | Web Role/Uniface Group | Incompatible Web Role/Uniface Group | Incompatible Reason / Mitigating Control | ISRS Tools |
|---|---|---|---|---|
| 1 | AC_TRAN_PAYMENT_VOUCHER | AC_TRAN_BUDGET | Detection may occur with a review of the cost center budget or an independent review of payment vouchers. | Print the Transaction Detail query for Budget Transactions. Sign and save for audit verification. |
| 2 | AC_TRAN_JOURNAL_VOUCHER | AR_03 - Cashiering | A mitigating control is an independent review of cash receipt corrections and expense vouchers. | Separate queries of XP, XR, EV, and EG transactions are necessary. They must be compared to the EV or EG transactions that could potentially offset an XP or XR. Sign and save for audit verification. |
| 3 | AC_TRAN_JOURNAL_VOUCHER | AR_10 - Head Cashier | Same as #2. | |
| 4 | AC_TRAN_PAYMENT_VOUCHER | AP_01H - Accounts Payable Supervisor | A more timely mitigating control is an independent review of local checks and canceled checks. | |
| 5 | AC_TRAN_PAYMENT_VOUCHER | AP_01L - Accounts Payable Clerk | Same as #4, except that the review should include the state treasury. | |
| 6 | AC_TRAN_PAYMENT_VOUCHER | AP_01M - Accounts Payable Incharge | Same as #4, except that the review should include the state treasury. | |
| 7 | AC_TRAN_PAYMENT_VOUCHER | AP_02 - Bank Reconciliation | A mitigating control is an independent review of the vendor name on local checks. | An independent review of payments would suffice. Print Transaction Details for the local bank with source module of Accounting and Transaction Group of Payment. Look for vendors that do not make sense. Sign and save for audit verification. A second control is to complete the Vendor Change process under the Business Process menu. |
| 8 | AC_TRAN_PAYMENT_VOUCHER | AR_03 - Cashiering | A mitigating control would be a review of changes to person information or a review of local checks to persons. | The same process described in #7 could be used. |
| 9 | AC_TRAN_PAYMENT_VOUCHER | AR_04 - Receivables | Same as #8. | The same process described in #7 could be used. |
| 10 | AC_TRAN_PAYMENT_VOUCHER | AR_16 - 3rd Party | Same as #8. | |
| 11 | AC_TRAN_PAYMENT_VOUCHER | BUSMGR - Business Manager | Detection may occur with a review of the cost center budget or an independent review of payment vouchers. | |
| 12 | AC_TRAN_PAYMENT_VOUCHER | DEPTHEAD - Department Head | Same as #11. | |
| 13 | AC_TRAN_PAYMENT_VOUCHER | HR_SUPERUSER | Same as #11. | |
| 14 | AC_TRAN_PAYMENT_VOUCHER | HR_SYSTEMWIDE_SUPERUSER | Same as #11. | |
| 15 | AC_TRAN_PAYMENT_VOUCHER | PURCLERK - Purchasing Clerk | Same as #11. | |
| 16 | AC_TRAN_PAYMENT_VOUCHER | PURHEAD - Purchasing Director | Same as #11. | |
| 17 | ADDRESS_HIGH - Address Maint | AR_06 - Receipt Corrections | Mitigating controls are (1) review refund checks prior to mailing, (2) review address change activity, looking for unusual activity, (3) limit exposure by requiring students to complete address changes on-line, or (4) require students to pick up refund checks. | ISRS does not have a good query or report to help in this area. A review is needed of people who received a refund and had an address change. |
| 18 | ADDRESS_HIGH - Address Maint | AR_12H - Refunds | A mitigating control would be an independent review of all refund activity. | ISRS does not have a good query or report to help in this area. A review is needed of people who received a refund and had an address change. |
| 19 | ADDRESS_HIGH - Address Maint | AR_16 - 3rd Party | A mitigating control would be an independent review of all overage payments. | ISRS does not have a good query or report to help in this area. A review is needed of people who received an overage check refund and had an address change. |
| 20 | ADDRESS_HIGH - Address Maint | FA_14 - Maintenance Award | A mitigating control would be an independent review of all overage payments. | ISRS does not have a good query or report to help in this area. A review is needed of people who received an overage check refund and had an address change. |
| 21 | ADDRESS_MED - Address Maint (no delete) | AR_06 - Receipt Corrections | Same as #17. | |
| 22 | ADDRESS_MED - Address Maint (no delete) | AR_12H - Refunds | Same as #18. | |
| 23 | ADDRESS_MED - Address Maint (no delete) | AR_16 - 3rd Party | Same as #19. | |
| 24 | ADDRESS_MED - Address Maint (no delete) | FA_14 - Maintenance Award | Same as #20. | |
| 25 | AP_01H - Accounts Payable Supervisor | AP_02 - Bank Reconciliation | It would show on the AP0140CP assurance report, which displays exceptions when a check status is missing a transaction type expected for that status code (e.g. cancel status looks for a PV, XV, CD, and XD). Mitigating controls are an independent review of local checks and an independent review and authorization of checks with status codes void, canceled, or unclaimed. | Print report AP0140CP. Sign and save for audit verification. Note: AP0101UG from the View Audit Details button on AP0004UG is not working, and IT would like to remove it from the system. |
| 26 | AP_01L - Accounts Payable Clerk | AP_02 - Bank Reconciliation | Same as #25. | |
| 27 | AP_01M - Accounts Payable Incharge | AP_02 - Bank Reconciliation | Same as #25. | |
| 28 | AP_03H - Direct Deposit High | PR_02H - Payroll Controller | A mitigating control is an independent review of the AP_DD_ACCT audit table. | Print the audit report for this table. Sign and save for audit verification. |
| 29 | AP_03H - Direct Deposit High | PR_02L - Payroll Clerk | Same as #28. | |
| 30 | AP_03H - Direct Deposit High | PR_02M - Payroll Process Incharge | Same as #28. | |
| 31 | AR_03 - Cashiering | AR_06 - Receipt Corrections | A mitigating control is an independent review of receipt corrections. | Print AC0531CP for XP and XR transactions. Sign and save for audit verification. A better query would show the XP and XR along with the transaction line that it adjusted and the new transaction created (if any). Print, sign and save for audit verification. |
| 32 | AR_03 - Cashiering | AR_07 - Receivable Corr/Adjusts | | No ISRS report shows this activity, so it must be done with an ad hoc query. Need a report of RE transactions that credit Accounts Receivable. |
| 33 | AR_03 - Cashiering | AR_08H - Billing Residency | A mitigating control would be an independent review of the audit report, verifying that changes had proper documentation. | Print the audit report. Sign and save for audit verification. |
| 34 | AR_03 - Cashiering | AR_09 - A/R Customer Waiver and Corrections | A mitigating control is an independent review of waivers. | Need a report of waivers. |
| 35 | AR_03 - Cashiering | AR_11H - Deferments | A mitigating control is an independent review of the deferment report compared to back-up documentation. The college could require students to sign promissory notes acknowledging the deferment and the balance owed. Compare the promissory notes to the deferment report. Ensure end dates are set for deferments. | Need a report of deferments. |
| 36 | AR_03 - Cashiering | AR_12H - Refunds | A mitigating control would be an independent review of all refund activity. | Need a report of refunds. |
| 37 | AR_03 - Cashiering | AR_16 - 3rd Party | A mitigating control would be an independent review of all overage payments. | Need a report of overage payments. |
| 38 | AR_03 - Cashiering | AR_17 - Customized Training | A mitigating control is an independent review of all discounted tuition. | Need a report of all exception tuition for CE/CT. |
| 39 | AR_03 - Cashiering | AR_18 - A/R Employee Waivers | A mitigating control is an independent review of waivers. | Need a report of waivers. |
| 40 | AR_03 - Cashiering | AR_23H - Course Fee Tables | A mitigating control is a review of the audit report, which would show the change in the fee. | Print the audit report. Sign and save for audit verification. |
| 41 | AR_03 - Cashiering | AR_24M - Collections | No mitigating control developed. | |
| 42 | AR_03 - Cashiering | AR_25 - Write-offs | A mitigating control is an independent review of write-offs. | Need a write-off report. |
| 43 | AR_03 - Cashiering | FA_14 - Maintenance Award | Same as #37. | |
| 44 | AR_03 - Cashiering | RG_05H - Student Registration | A mitigating control would be an independent review of the Audit Report for Back Dated Drops, verifying that changes had proper documentation. | Print AR0022GR. Sign and save for audit verification. |
| 45 | AR_03 - Cashiering | ST_15H - Student Residency Maint w/del | A mitigating control would be an independent review of the audit report, verifying that changes had proper documentation. | Print the audit report. Sign and save for audit verification. |
| 46 | AR_03 - Cashiering | ST_15M - Student Residency Status Maintenance | Same as #45. | |
| 47 | BUSMGR - Business Manager | DEPTHEAD - Department Head | Another mitigating control is a review of AC0530CP for the transactions that the user processed during the period in which the incompatibility exists. | Run AC0530CP. Sign and save for audit verification. |
| 48 | BUSMGR - Business Manager | REQNORGN - PO Originator | Same as #47. | |