“A Conceptual Model for Segregation of Duties: Integrating Theory and Practice” Kevin Kobelsky, University of Michigan – Dearborn Motivation The Problem: Stealing (intentional) Loss (unintentional) UWCISA 8th Symposium Oct. 4, 2013 Kevin Kobelsky Motivation The Solution: “Independent Review" (underlying principle) achieved through Segregation of Duties (SoD) UWCISA 8th Symposium Oct. 4, 2013 Kevin Kobelsky Segregation of Duties An employee should not be in a position to both 1) perpetrate AND 2) conceal Fraud/Irregularities or Unintentional Errors. Control Approach: • All asset handling is reviewed by independent • person, inappropriate action is acted on Division of a process into subtasks is not enough if no independent review, follow-up action UWCISA 8th Symposium Oct. 4, 2013 Kevin Kobelsky Segregation of Duties Model Objective: Reduce risk that assets will be stolen/lost/wasted Solution: At least three people required SoD in Literature - Agency Tirole (1986) examines costs of lack of segregation of Agent from Supervisor SoD in Literature - Agency Secondary Review has benefits – Beck (1986), Barra (2010) – peer agents Kofman and Lawarée (1993) – peer supervisor SoD in Literature – Practitioner Standards, Textbooks: AICPA, 2006; Arens et al., 2013; COSO, 1994; Elsas, 1996; Elsas et al., 1998; Fishman, 2000; Louwers et al., 2013; Messier et al., 2012; PCAOB, 2007; Stone, 2009; Weigand and Elsas, 2012; Whittington and Pany, 2013. SoD: Agency vs Practitioner Agency vs. Practitioner 1. Practitioner Authorization includes ability to initiate a trans’n without review by Custodian – Independent primary review of such transactions not included in model SoD: Agency vs Practitioner Agency vs. Practitioner ?? 2. Practitioner – no Secondary Review of any transaction is included in model. Provides assurance re: quality of Primary Review process, i.e., Repeatability. SoD: Agency vs Practitioner Agency ?? vs. Practitioner 3. Agency – no mention of Recordkeeping, which separates data gathering from evaluation to enhance efficiency. SoD: Agency vs Practitioner Agency vs. ?Needed? Practitioner 4. Practitioner – includes physical assets in Custody, records-based assets, liabilities such as A/R, A/P in Recording. Segregates them. Merely reduces embezzlement of physical assets by substitution of records-based assets/expenses. SoD: Practitioner vs Reality Practitioner 5. Practitioner – In practice, Recording is often NOT segregated from Custody for efficiency reasons, e.g., Receiver prepares Receiving Report, Cashier prepares invoices/receipts, etc. How can this be? What is missing? SoD: Ambiguity 3 domains diverge: 1) Agency-based model 2) Practitioner model 3) Business practice Opportunity: Integrate these models to rigorously evaluate internal control for theory, evaluation, training. Primary SoD Primary SoD reflects 1. Agency – Initiation of trans’n in Custody 3. Practitioner – Recording for efficiency 4. Agency – All Asset types included in Custody 5. Practice – Recording and Custody not segregated 6. Reconciliation added to ensure Record reliable But lacks Secondary Review to ensure repeatability Secondary SoD Secondary SoD reflects 2. Agency – Secondary Review for repeatability, based on: 3. Practitioner – Recording for efficiency 6. Reconciliation to ensure Record reliable. Requires Authorization of Reconciliation to verify assets while Reconciliation being performed (Blokdijk, 2004) SoD: IT Aspects – Primary SoD Data Auth’n Input Checks Review Custody Trans’n Master Input File Chgs Programs Testing Promo’n Control Job Control Program’g Maint’ce Copy to Prod’n Oper’ns New Technology, Different Process Steps But same approach Each Custody duty is evaluated independently No need for segregation across columns! SoD: IT Aspects – Primary SoD Data Auth’n Input Checks Programs Review Custody Trans’n Master Input File Chgs Testing Promo’n Control Job Control Program’g Maint’ce Copy to Prod’n Oper’ns Access Control Access Control is a precondition SoD, akin to procedure definition in manual system. Must segregate from all other duties. SoD: IT Aspects – Prog Chgs Auth’n Custody Testing Program’g Maint’ce Emp 1 Promo’n Control Copy to Prod’n Job Control PCC w 2 people Oper’ns Emp 2 Unconventional segregations more cost-effective? SoD: IT Aspects – Prog Chgs Auth’n Custody Testing Program’g Maint’ce Emp 1 Promo’n Control Copy to Prod’n Job Control PCC w 2 people Oper’ns D Emp 2 Unconventional segregations more cost-effective? SoD: IT Aspects – Data Control Data Auth’n Input Checks Review Custody Trans’n Master Input File Chgs No need to segregate Master file changes from Transaction initiation IT Aspects – Secondary SoD Primary SoD has elements of traditional requirements, but some differences: - Access control with authentication - Data input controls, but… master file changes can be done by transaction initiator - Program change control, but… don’t need 3 separate roles (Program, Test, Operations) for PCC, only 2 - Overall, need at least 3 people for Primary SoD (2 for PCC + 1 for Access Control) IT Aspects – Secondary SoD Secondary SoD requires: - Secondary review of the above to ensure all are operating effectively Yet rarely addressed! An inconsistent standard vis-a-vis manual processes? Implications, Contributions 1. Integration of Agency Theory model, Practitioner model, and Practice identifies limitations in the two models. 2. Insights allow for unconventional duty combinations in manual and IT processes. 3. Not all segregations are equal – Primary vs Secondary 4. Secondary segregations common for organizational control processes, but not for IT-based processes that they rely upon.