UWCISA-SoD-4-Kobelsky

“A Conceptual Model for Segregation of Duties: Integrating Theory and Practice”
Kevin Kobelsky, University of Michigan – Dearborn
Motivation
The Problem:
Stealing (intentional)
Loss (unintentional)
UWCISA 8th Symposium Oct. 4, 2013 Kevin Kobelsky
Motivation
The Solution:
“Independent Review”
(underlying principle)
achieved through
Segregation of Duties (SoD)
Segregation of Duties
An employee should not be in a position to
both
1) perpetrate AND
2) conceal
Fraud/Irregularities or
Unintentional Errors.
Control Approach:
• All asset handling is reviewed by an independent person, and inappropriate action is acted on
• Division of a process into subtasks is not enough if there is no independent review and follow-up action
Segregation of Duties Model
Objective: Reduce risk that assets will be stolen/lost/wasted
Solution: At least three people required
SoD in Literature - Agency
Tirole (1986) examines costs of lack of
segregation of Agent from Supervisor
SoD in Literature - Agency
Secondary Review has benefits –
Beck (1986), Barra (2010) – peer agents
Kofman and Lawarée (1993) – peer supervisor
SoD in Literature – Practitioner
Standards, Textbooks:
AICPA, 2006; Arens et al., 2013; COSO, 1994; Elsas,
1996; Elsas et al., 1998; Fishman, 2000; Louwers et al.,
2013; Messier et al., 2012; PCAOB, 2007; Stone, 2009;
Weigand and Elsas, 2012; Whittington and Pany, 2013.
SoD: Agency vs Practitioner
Agency
vs.
Practitioner
1. Practitioner – Authorization includes the ability to initiate a transaction without review by the Custodian; independent primary review of such transactions is not included in the model.
SoD: Agency vs Practitioner
Agency
vs.
Practitioner ??
2. Practitioner – no Secondary Review of any transaction is included in the model. Secondary Review provides assurance regarding the quality of the Primary Review process, i.e., repeatability.
SoD: Agency vs Practitioner
Agency ??
vs.
Practitioner
3. Agency – no mention of Recordkeeping, which separates data gathering from evaluation to enhance efficiency.
SoD: Agency vs Practitioner
Agency
vs.
?Needed?
Practitioner
4. Practitioner – includes physical assets in Custody, and records-based assets and liabilities (such as A/R and A/P) in Recording, and segregates them. This merely reduces embezzlement of physical assets by substitution of records-based assets/expenses.
SoD: Practitioner vs Reality
Practitioner
5. Practitioner – In practice, Recording is often NOT segregated from Custody for efficiency reasons, e.g., the Receiver prepares the Receiving Report, the Cashier prepares invoices/receipts, etc. How can this be? What is missing?
SoD: Ambiguity
3 domains diverge:
1) Agency-based model
2) Practitioner model
3) Business practice
Opportunity:
Integrate these models to rigorously evaluate internal control for theory, evaluation, and training.
Primary SoD
Primary SoD reflects
1. Agency – Initiation of transaction in Custody
3. Practitioner – Recording for efficiency
4. Agency – All Asset types included in Custody
5. Practice – Recording and Custody not segregated
6. Reconciliation added to ensure Record reliable
But lacks Secondary Review to ensure repeatability
Secondary SoD
Secondary SoD reflects
2. Agency – Secondary Review for repeatability,
based on:
3. Practitioner – Recording for efficiency
6. Reconciliation to ensure Record reliable.
Requires Authorization of Reconciliation to verify assets while Reconciliation is being performed (Blokdijk, 2004)
SoD: IT Aspects – Primary SoD
[Diagram: duty columns. Data: Auth’n, Input Checks, Review. Custody: Trans’n Input, Master File Chgs. Programs: Testing, Promo’n Control, Job Control, Program’g, Maint’ce, Copy to Prod’n, Oper’ns]
New Technology, Different Process Steps
But same approach
Each Custody duty is evaluated independently
No need for segregation across columns!
SoD: IT Aspects – Primary SoD
[Diagram: same duty columns as above (Data, Custody, Programs), with an Access Control column added]
Access Control is a precondition for SoD, akin to procedure definition in a manual system.
It must be segregated from all other duties.
SoD: IT Aspects – Prog Chgs
[Diagram: program change duties. Auth’n; Custody: Testing, Program’g, Maint’ce (Emp 1); Promo’n Control, Copy to Prod’n, Job Control, Oper’ns (Emp 2); PCC with 2 people]
Unconventional segregations more cost-effective?
SoD: IT Aspects – Data Control
[Diagram: data duties. Data: Auth’n, Input Checks, Review. Custody: Trans’n Input, Master File Chgs]
No need to segregate Master file changes from
Transaction initiation
IT Aspects – Primary SoD
Primary SoD has elements of traditional requirements, but some differences:
- Access control with authentication
- Data input controls, but… master file changes can be done by the transaction initiator
- Program change control, but… don’t need 3 separate roles (Program, Test, Operations) for PCC, only 2
- Overall, need at least 3 people for Primary SoD (2 for PCC + 1 for Access Control)
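The four Primary SoD requirements for IT processes listed above can be checked mechanically against a set of duty assignments. The following Python script is an added illustration, not code from the slides or the author; the duty names, and the split of program change control into a develop side (Programming, Maintenance, Testing) and a promote/operate side (Promotion Control, Copy to Production, Job Control, Operations), are my reading of the slide diagrams and are assumptions. It also applies the earlier point that each Custody duty is reviewed independently while no segregation across columns is needed, so one person may both input data and program.

```python
"""Added illustration (not the slides' own code): check duty assignments
against the Primary SoD rules the slides state for IT processes.
Duty names and the two-sided split of program change control (PCC)
are my reading of the slide diagrams, i.e. assumptions."""

# Duty labels, spelled out from the slide column headings (assumed names).
ACCESS_CONTROL = "AccessControl"
# Custody duties over data; per the slides these need not be segregated from
# each other (master file changes may be done by the transaction initiator).
CUSTODY_DATA = {"TransactionInput", "MasterFileChanges"}
# Duties that make up the independent review of data custody.
REVIEW_DATA = {"DataAuthorization", "InputChecks", "Review"}
# PCC split into a develop side and a promote/operate side (two people, not three).
PCC_DEVELOP = {"Programming", "Maintenance", "Testing"}
PCC_PROMOTE = {"PromotionControl", "CopyToProduction", "JobControl", "Operations"}

RULES = {
    "access-control": "Access Control must be segregated from all other duties",
    "independent-review": "data custody must be reviewed by a different person",
    "pcc-two-sides": "developing/testing a program and promoting/operating it need two people",
    "headcount": "Primary SoD needs at least 3 people (2 for PCC + 1 for Access Control)",
}


def check_primary_sod(assignments):
    """assignments: {employee: set of duties}.
    Returns a list of (rule_id, employee) tuples; employee is None for the
    headcount rule. An empty list means all four rules are satisfied."""
    violations = []
    for emp, duties in assignments.items():
        if ACCESS_CONTROL in duties and duties - {ACCESS_CONTROL}:
            violations.append(("access-control", emp))
        # Same person both performs a custody duty and reviews it.
        if duties & CUSTODY_DATA and duties & REVIEW_DATA:
            violations.append(("independent-review", emp))
        # Same person on both sides of program change control.
        if duties & PCC_DEVELOP and duties & PCC_PROMOTE:
            violations.append(("pcc-two-sides", emp))
    if len(assignments) < 3:
        violations.append(("headcount", None))
    return violations


def explain(violations):
    """Human-readable lines for a report."""
    return [f"{emp or 'team'}: {RULES[rule]}" for rule, emp in violations]


# Constructed sample: three people. Emp1 both inputs data and programs,
# which the slides allow (no segregation across columns needed).
COMPLIANT = {
    "EmpA": {"AccessControl"},
    "Emp1": {"Programming", "Maintenance", "Testing",
             "TransactionInput", "MasterFileChanges"},
    "Emp2": {"PromotionControl", "CopyToProduction", "JobControl", "Operations",
             "DataAuthorization", "InputChecks", "Review"},
}

# Constructed sample: two people; breaks every rule.
NONCOMPLIANT = {
    "Emp1": {"AccessControl", "Programming", "Testing", "CopyToProduction"},
    "Emp2": {"TransactionInput", "Review"},
}

if __name__ == "__main__":
    for name, a in (("compliant", COMPLIANT), ("non-compliant", NONCOMPLIANT)):
        print(name, explain(check_primary_sod(a)) or "no violations")
```

Running the script reports no violations for the three-person assignment and four for the two-person one: Access Control combined with other duties, a developer who also copies to production, a transaction initiator who also reviews, and a headcount below three.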
IT Aspects – Secondary SoD
Secondary SoD requires:
- Secondary review of the above to ensure all are operating effectively
Yet rarely addressed!
An inconsistent standard vis-à-vis manual processes?
Implications, Contributions
1. Integration of the Agency Theory model, the Practitioner model, and Practice identifies limitations in the two models.
2. Insights allow for unconventional duty combinations in manual and IT processes.
3. Not all segregations are equal – Primary vs Secondary.
4. Secondary segregations are common for organizational control processes, but not for the IT-based processes that they rely upon.