Incompatible Security Analysis

This document is an analysis of incompatible security identifiers in the ISRS system. Some of them were previously defined and have been entered into the security administration module. Others need to be added if it is agreed that they are incompatible. The document also contains recommendations for changes in security groups that would eliminate some of the incompatibilities. Finally, it contains a review of mitigating controls that were previously defined and shows the queries or reports in ISRS that must be used to document each mitigating control.

Cash In

Risk: Cash received is not deposited.

Business Process | Risk (risk is not listed if previously defined) | Security | Incompatible Security | Note
General Receipt | A general receipt is a risky transaction because the system does not contain any information about the amount that should have been received. It is not incompatible with other system security, but users need to consider it when developing manual procedures. | AR_03 | (none) |
Receipt Correction | | AR_03 | AR_06 | 1
Employee Waivers | | AR_03 | AR_18 | 1
Non-Employee Waivers | | AR_03 | AR_09 | 1
Write-Off | | AR_03 | AR_25 | 1
Collections | | AR_03 | AR_24M | 1
Deferment | | AR_03 | AR_11H | 1
Manual Receivable Reduction | | AR_03 | AR_07 | 1
Incorrectly record market rate tuition | | AR_03 | AR_17 | 1
Record Application Fee as Paid | The applicant system allows a user to mark an application fee as paid. If a user can do this and also receive cash, they could disguise the theft of cash. | AR_03 | ST_06L, ST_06M, ST_06H, ST_07L, ST_07M, ST_07H, ST_08L, ST_08M, ST_08H |
Back-Dated Drop | | AR_03 | RG_05H | 1
Student Residency | | AR_03 | ST_15M | 1
Billing Residency | | AR_03 | AR_08H | 1
Change Course Fees | Changing these rates would re-calculate every student in these groups. The impact would be fairly evident, so it may not merit an incompatibility. | AR_03 | AR_23H |
Change Tuition or Standard Fee Rates | (same as Change Course Fees) | AR_03 | AR_01H |
Income Contracts | Customized training can enter their income contracts into the system. If a user can enter or modify the income amount and also takes in cash receipts, they can disguise theft of cash. | AR_03 | CN_04H |
Externally Billed Inventory | The Consumable Inventory module can charge an issue to an external party, which creates an accounts receivable in the system. A person who can cancel or adjust the issue and receive cash could disguise theft of cash. Only Mn Southwest State has used this feature of the system; total records are 352. | AR_03 | CI_05H |
Job Externally Billed Cost Allocation | The Cost Allocation module can charge an allocation to an external party, which creates an accounts receivable in the system. A person who can cancel or adjust the allocation and receive cash could disguise theft of cash. Only Mn Southwest State has used this feature of the system; total records are 1,311. | AR_03 | CA_05H |
Change Housing Room Type | If a room type is changed, the system re-calculates the charges for the student in the room. If a user can perform this function and also receives cash, they could calculate a lower amount and keep part of a payment. | AR_03 | SH_01H |
Fictitious Expense Voucher | | AR_03 | AC_TRAN_JOURNAL_VOUCHER | 1

1 – Incompatibility is defined in the current A/R grid.

Cash Out

Risk: Cash disbursed is not a payment to a customer interacting with the college or university.

Business Process | Risk | Security | Incompatible Security | Note
Direct Payment Voucher | Incompatibilities are defined and loaded into the Security Admin system; however, there are more identifiers that allow changing of address than the ones listed in the system. | | |
P.O. Pay-off | Incompatibilities are defined and loaded into the Security Admin system. | | |
Expense Voucher | See the Cash In section. | AC_TRAN_JOURNAL_VOUCHER | AR_03 | 1
Employee Payroll | HR has defined incompatibilities and they are loaded in the system. | | |
Student Payroll (2) | Defined problem between student payroll processing and direct deposit setup. | PR_02(H,M,L) | AP_03H |
Student Payroll | The person who can create a work authorization and enter time should not be able to print checks. They could create a fictitious payroll and generate a check for it without detection. | PR_02(H,M,L) | AP_02(H,M,L) (3) | In System
Refunds | The system calculates the refund, so the risk is that it is not delivered to the correct party. The current grid defines incompatibilities with some of the identifiers that allow address change, but not all of them. | AR_12H | AR_03, ADDRESS_HIGH, ADDRESS_MED | 1
Refunds | The refund process should also be incompatible with direct deposit set-up because the user could change the bank account for the deposit. | AR_12H | AP_03H |
Financial Aid Overage | One incompatibility was defined where a user could award financial aid and change an address. It addresses only one of the identifiers that can change an address. | FA_14 | AR_03 | In System
Financial Aid Overage | If a user can change direct deposit information, they could redirect an overage to their own bank account. | FA_14 | AP_03H |
Financial Aid Overage (4) | The person making the award should not be writing checks, or they could create a fictitious award and take the check. | FA_14 | AP_02(H,M,L) (3) | In System
Short-Term Loans | | | |

2 – The PR_01 and PR_02 groups allow a user to set up a work authorization and enter timesheets. In essence, they are performing both the HR and the payroll functions. These groups should be reviewed and renamed to something that better describes their function.
3 – The functions in the AP high, medium, and low groups should be reviewed. The groups should also be renamed to better describe their function.
4 – Other financial aid identifiers should be examined to understand their function better.

Equipment

The goal is to protect against the risks of unauthorized purchase, use, or disposal. Another risk is that equipment is not properly recorded in the system. The key internal control over purchasing is to ensure proper authorization: the owner of the cost center or one of their delegates should authorize the purchase. Purchasing and payment separation have already been addressed. Protecting an asset from unauthorized use or disposal requires that physical inventory counts be done by someone other than the custodian of the asset. While this is an important separation of duties, it does not affect ISRS security. The security group EQ_02 includes both the recordkeeping function and the running of the reconciliation report. We may want to put them in separate identifiers so that a college can separate these functions. EQ_03 can also run the reconciliation report.

Recommendations

1. Remove address update capabilities from AR_03 (Cashier). This would eliminate the incompatibilities between AR_03 and AR_12H, AR_03 and AR_16, and AR_03 and FA_14. Also remove them from AR_32H (A/R Special Comments Maintenance) because they are not necessary for that job function. This change requires a special version of AR1000UG without the address tab.
2. AR_03 and AR_01H are not incompatible. Changing tuition and fee rates would be obvious, with only a very slight risk of causing an undetected theft of receipts.
3. Create incompatibilities for AR_03 with CN_04H, CI_05H, CA_05H, and SH_01H. They could be used to disguise theft of cash, but the risk is low.
4. Do not split the group PR_02H into separate security groups. Although it allows entry of work authorization and time, that creates a risk only if the person also has access to cash. It is already defined as being incompatible with AP_02H. Create an additional incompatibility with AP_03H.
5. Create an incompatibility between AR_12H and AP_03H.
6. FA_14 is incompatible with AP_01H and AP_03H.
7. Remove the equipment reconciliation report from EQ_02. Leave it in EQ_03 and/or create a new group for the report, and mark that group as incompatible with EQ_02.

Mitigating Control Analysis

The right-hand column of this table was clipped in the source; an ellipsis (…) marks each point where the original text is cut off.

# | Web Role/Uniface Group | Incompatible Web Role/Uniface Group | Incompatible Reason
1 | AC_TRAN_BUDGET | AC_TRAN_PAYMENT_VOUCHER | Detection may occur with a … the cost center budget or an i… review of payment vouchers
2 | AC_TRAN_JOURNAL_VOUCHER | AR_03 - Cashiering | A mitigating control is an in… review of cash receipt correc… expense vouchers.
3 | AC_TRAN_JOURNAL_VOUCHER | AR_10 - Head Cashier | same as #2
4 | AC_TRAN_PAYMENT_VOUCHER | AP_01H - Accounts Payable Supervisor | A more timely mitigating co… independent review of local canceled checks.
5 | AC_TRAN_PAYMENT_VOUCHER | AP_01L - Accounts Payable Clerk | same as #4 except that the re… should include the state treas…
6 | AC_TRAN_PAYMENT_VOUCHER | AP_01M - Accounts Payable Incharge | same as #4 except that the re… should include the state treas…
7 | AC_TRAN_PAYMENT_VOUCHER | AP_02 - Bank Reconciliation | A mitigating control is an in… review of vendor name on lo…
8 | AC_TRAN_PAYMENT_VOUCHER | AR_03 - Cashiering | A mitigating control would b… of changes to person informa… review of local checks to per…
9 | AC_TRAN_PAYMENT_VOUCHER | AR_04 - Receivables | same as #8
10 | AC_TRAN_PAYMENT_VOUCHER | AR_16 - 3rd Party | same as #8
11 | AC_TRAN_PAYMENT_VOUCHER | BUSMGR - Business Manager | Detection may occur with a … the cost center budget or an i… review of payment vouchers
12 | AC_TRAN_PAYMENT_VOUCHER | DEPTHEAD - Department Head | same as #11
13 | AC_TRAN_PAYMENT_VOUCHER | HR_SUPERUSER | same as #11
14 | AC_TRAN_PAYMENT_VOUCHER | HR_SYSTEMWIDE_SUPERUSER | same as #11
15 | AC_TRAN_PAYMENT_VOUCHER | PURCLERK - Purchasing Clerk | same as #11
16 | AC_TRAN_PAYMENT_VOUCHER | PURHEAD - Purchasing Director | same as #11
17 | ADDRESS_HIGH - Address Maint | AR_06 - Receipt Corrections | Mitigating controls are (1) R… refund checks prior to mailin… Review address change activ… for unusual activity, (3) Lim… by requiring students to com… address changes on-line, or (… students to pick up refund ch…
18 | ADDRESS_HIGH - Address Maint | AR_12H - Refunds | A mitigating control would b… independent review of all ref… activity.
19 | ADDRESS_HIGH - Address Maint | AR_16 - 3rd Party | A mitigating control would b… independent review of all ov… payments.
20 | ADDRESS_HIGH - Address Maint | FA_14 - Maintenance Award | A mitigating control would b… independent review of all ov… payments.
21 | ADDRESS_MED - Address Maint (no delete) | AR_06 - Receipt Corrections | same as #17
22 | ADDRESS_MED - Address Maint (no delete) | AR_12H - Refunds | same as #18
23 | ADDRESS_MED - Address Maint (no delete) | AR_16 - 3rd Party | same as #19
24 | ADDRESS_MED - Address Maint (no delete) | FA_14 - Maintenance Award | same as #20
25 | AP_01H - Accounts Payable Supervisor | AP_02 - Bank Reconciliation | It would show on the AP0140CP report, which displays except… check status is missing a tran… type expected for that status … cancel status looks for a PV, … and XD.). Mitigating control… independent review of local … independent review and auth… checks with status codes voi… canceled or unclaimed.
26 | AP_01L - Accounts Payable Clerk | AP_02 - Bank Reconciliation | same as #25
27 | AP_01M - Accounts Payable Incharge | AP_02 - Bank Reconciliation | same as #25
28 | AP_03H - Direct Deposit High | PR_02H - Payroll Controller | A mitigating control is an in… review of the AP_DD_ACC table.
29 | AP_03H - Direct Deposit High | PR_02L - Payroll Clerk | same as #28
30 | AP_03H - Direct Deposit High | PR_02M - Payroll Process Incharge | same as #28
31 | AR_03 - Cashiering | AR_06 - Receipt Corrections | A mitigating control is an in… review of receipt corrections
32 | AR_03 - Cashiering | AR_07 - Receivable Corr/Adjusts | No ISRS report shows this a… must be done with an ad hoc …
33 | AR_03 - Cashiering | AR_08H - Billing Residency | A mitigating control would b… independent review of the au… and verifying that changes h… documentation.
34 | AR_03 - Cashiering | AR_09 - A/R Customer Waiver and Corrections | A mitigating control is an in… review of waivers.
35 | AR_03 - Cashiering | AR_11H - Deferments | A mitigating control is an in… review of deferment report a… to back-up documentation. C… could require students to sign promissory notes that studen… acknowledges deferment and … owed. Compare promissory … deferment report. Ensure end … set for deferments.
36 | AR_03 - Cashiering | AR_12H - Refunds | A mitigating control would b… independent review of all ref… activity.
37 | AR_03 - Cashiering | AR_16 - 3rd Party | A mitigating control would b… independent review of all ov… payments.
38 | AR_03 - Cashiering | AR_17 - Customized Training | A mitigating control is an in… review of all discounted tuiti…
39 | AR_03 - Cashiering | AR_18 - A/R Employee Waivers | A mitigating control is an in… review of waivers.
40 | AR_03 - Cashiering | AR_23H - Course Fee Tables | A mitigating control is a rev… audit report which would sho… change in the fee.
41 | AR_03 - Cashiering | AR_24M - Collections |
42 | AR_03 - Cashiering | AR_25 - Write-offs | A mitigating control is an in… review of write-offs.
43 | AR_03 - Cashiering | FA_14 - Maintenance Award | same as #37
44 | AR_03 - Cashiering | RG_05H - Student Registration | A mitigating control would b… independent review of the A… for Back Dated Drops report … verifying that changes had p… documentation.
45 | AR_03 - Cashiering | ST_15H - Student Residency Maint w/del | A mitigating control would b… independent review of the au… and verifying that changes h… documentation.
46 | AR_03 - Cashiering | ST_15M - Student Residency Status Maintenance | same as #45
47 | BUSMGR - Business Manager | DEPTHEAD - Department Head | Another mitigating control is … of AC0530CP for transaction… processed for the time period … incompatibility exists.
48 | BUSMGR - Business Manager | REQNORGN - PO Originator | same as #47
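The incompatibility grids and the mitigating-control table above describe a segregation-of-duties check that a security administrator would run over user-to-group assignments: expand each user's groups, flag every pair that appears in the incompatibility grid, and report whether a mitigating control is documented for that pair. The Python script below is an added example and is not part of this analysis or of ISRS. The incompatible pairs are the ones listed in the Cash In and Cash Out tables and in the recommendations, and the "(H,M,L)" expansion follows the page's own shorthand for the high/medium/low variants of a group; the user assignments and the abbreviated mitigating-control strings are constructed sample data.

```python
"""Segregation-of-duties check over ISRS-style security group assignments.

Added example, not part of the original analysis or of ISRS. The incompatible
pairs are lifted from the page's Cash In / Cash Out tables and recommendations;
the user assignments and the short control descriptions are constructed.
"""
import re
from itertools import combinations, product

# Matches the page's shorthand for group variants, e.g. "AP_02(H,M,L)".
_SUFFIX = re.compile(r"^([A-Z0-9_]+)\(([A-Z,\s]+)\)$")


def expand(group):
    """Expand 'AP_02(H,M,L)' into ['AP_02H', 'AP_02M', 'AP_02L'].
    A plain identifier such as 'AR_03' comes back as a one-element list."""
    m = _SUFFIX.match(group)
    if not m:
        return [group]
    base, suffixes = m.groups()
    return [base + s.strip() for s in suffixes.split(",")]


def build_matrix(pairs):
    """Turn (group, incompatible_group) rows, which may use the (H,M,L)
    shorthand, into a set of unordered pairs of concrete identifiers."""
    matrix = set()
    for a, b in pairs:
        for x, y in product(expand(a), expand(b)):
            if x != y:
                matrix.add(frozenset((x, y)))
    return matrix


# Rows taken from the page's Cash In / Cash Out tables and recommendations.
PAGE_PAIRS = [
    ("AR_03", "AR_06"), ("AR_03", "AR_18"), ("AR_03", "AR_09"), ("AR_03", "AR_25"),
    ("AR_03", "AR_24M"), ("AR_03", "AR_11H"), ("AR_03", "AR_07"), ("AR_03", "AR_17"),
    ("AR_03", "RG_05H"), ("AR_03", "ST_15M"), ("AR_03", "AR_08H"),
    ("AR_03", "AC_TRAN_JOURNAL_VOUCHER"),
    ("AR_03", "CN_04H"), ("AR_03", "CI_05H"), ("AR_03", "CA_05H"), ("AR_03", "SH_01H"),
    ("PR_02(H,M,L)", "AP_02(H,M,L)"), ("PR_02(H,M,L)", "AP_03H"),
    ("AR_12H", "AR_03"), ("AR_12H", "ADDRESS_HIGH"), ("AR_12H", "ADDRESS_MED"),
    ("AR_12H", "AP_03H"),
    ("FA_14", "AR_03"), ("FA_14", "AP_01H"), ("FA_14", "AP_03H"),
]
INCOMPATIBLE = build_matrix(PAGE_PAIRS)

# Constructed, abbreviated versions of the mitigating controls in the analysis table.
MITIGATING = {
    frozenset(("AR_03", "AR_25")): "independent review of write-offs",
    frozenset(("AR_03", "AR_09")): "independent review of waivers",
    frozenset(("AR_03", "AR_18")): "independent review of waivers",
    frozenset(("AR_03", "AR_12H")): "independent review of all refund activity",
    frozenset(("ADDRESS_HIGH", "AR_12H")): "independent review of all refund activity",
    frozenset(("AP_03H", "PR_02H")): "independent review of the AP_DD_ACC table",
}


def find_conflicts(groups, matrix=INCOMPATIBLE):
    """Return the incompatible pairs present in one user's group set, as
    sorted tuples so that the result is deterministic."""
    return sorted(
        tuple(sorted(pair))
        for pair in combinations(sorted(set(groups)), 2)
        if frozenset(pair) in matrix
    )


def audit(assignments, matrix=INCOMPATIBLE, controls=MITIGATING):
    """Check every user. Returns {user: [(group_a, group_b, control_or_None), ...]}
    with unmitigated conflicts first: those need a security change or a new control."""
    report = {}
    for user, groups in assignments.items():
        rows = [(a, b, controls.get(frozenset((a, b))))
                for a, b in find_conflicts(groups, matrix)]
        rows.sort(key=lambda r: (r[2] is not None, r[0], r[1]))
        report[user] = rows
    return report


# Constructed sample assignments, not real ISRS users.
SAMPLE_ASSIGNMENTS = {
    "cashier1": ["AR_03", "AR_25", "AR_04"],        # cashier who can also write off
    "payroll1": ["PR_02M", "AP_02L", "AP_03H"],     # payroll entry, check printing, direct deposit
    "refunds1": ["AR_12H", "ADDRESS_HIGH", "AP_03H"],  # refunds plus address and bank changes
    "clerk1": ["AP_01L", "PURCLERK"],               # no conflict in the page's grid
}

if __name__ == "__main__":
    for user, rows in audit(SAMPLE_ASSIGNMENTS).items():
        print(user)
        for a, b, control in rows:
            status = f"mitigated by {control}" if control else "NO mitigating control"
            print(f"  {a} x {b}: {status}")
```

Because the matrix is built from unordered pairs, the check is symmetric (AR_12H/AR_03 and AR_03/AR_12H are the same conflict), and the (H,M,L) expansion means a user holding PR_02M and AP_02L is flagged even though the page only writes the pair once. Listing unmitigated conflicts first mirrors the document's own split between incompatibilities that are "In System" and those that still need either a group change or a documented control.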