Module 2 Segregation of Duties Case Study
Individual Assignment
Accounting Information Systems

Primary Learning Objectives
Investigating
- Understand how the SAP system assigns authorizations to users
- Understand how to implement segregation of duties controls
- Begin to understand the role of risk assessment in implementing controls
- Apply the principles of segregation of duties to a case study
- Determine how segregation of duties can be applied to a computerized system

Accounting Information Systems © 2009 by SAP AG. All rights reserved. / SAP University Alliances Page 2

Segregation of Duties
Segregation of duties is one of the strongest controls within an accounting system. The following duties should be segregated:
- Authorizing the transaction
- Recording the transaction
- Custody of assets involved in the transaction
- Independent verification and reconciliation of the transactions

Risk Analysis
All control assessments, including the segregation of duties, should be based on the analysis of risks. Controls should then be applied in order to mitigate those risks.
Risks have two components:
- Threats
- Vulnerabilities
  - Wiki defines vulnerability as the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
  - ENISA defines vulnerability as the existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event [G.11] compromising the security of the computer system, network, application, or protocol involved.

Steps Involved in the Case
The case deals with the revenue cycle (sales to cash business process) of a hypothetical company. The case consists of four parts:
1. Examine how the SAP system assigns authorizations to users (completed outside of class).
2. Risk assessment: analyze the threats to the company's revenue cycle.
3. Allocate tasks to employees to properly segregate duties.
4. Develop an authorization matrix for segregating duties on a computerized system.

Steps Involved in the Case
The case is divided into four parts. The first three parts deal with assessing risk, assigning tasks to achieve proper segregation of duties, and completing a matrix to assign authorizations in a computerized environment. The fourth part must be done outside of class, as we have been warned that SAP writes all the authorizations to the archive log; a class as small as 40 students has crashed the entire instance. This part deals with investigating how SAP sets up authorizations for users.
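One way to check the authorization matrix from part 4 against the four duty classes on the Segregation of Duties slide, as an added example that is not part of the SAP University Alliances case. The duty classes come from the slides; the revenue-cycle task names, employees and both matrices are constructed for illustration.

```python
"""Segregation-of-duties conflict check for a revenue-cycle authorization matrix.

Added example, not from the case materials. The four duty classes (authorize,
record, custody, verify) are the ones the slides say must be segregated; the
task names and the employee matrices below are constructed sample data.
"""
from itertools import combinations

# Constructed mapping of revenue-cycle tasks to the duty class each belongs to.
TASK_DUTY = {
    "approve_sales_order": "authorize",
    "approve_credit_limit": "authorize",
    "post_invoice": "record",
    "post_cash_receipt": "record",
    "receive_customer_cash": "custody",
    "ship_goods": "custody",
    "reconcile_bank_statement": "verify",
    "reconcile_ar_subledger": "verify",
}


def duties_of(tasks):
    """Return the set of duty classes an employee holds through the given tasks."""
    unknown = [t for t in tasks if t not in TASK_DUTY]
    if unknown:  # an unclassified task cannot be assessed, so fail loudly
        raise ValueError(f"tasks without a duty class: {unknown}")
    return {TASK_DUTY[t] for t in tasks}


def find_conflicts(matrix):
    """Map each employee holding two or more duty classes to the conflicting pairs.

    matrix: {employee: [task, ...]} as in the case's authorization matrix.
    """
    conflicts = {}
    for employee, tasks in matrix.items():
        pairs = list(combinations(sorted(duties_of(tasks)), 2))
        if pairs:
            conflicts[employee] = pairs
    return conflicts


def is_segregated(matrix):
    """True when no employee combines any two of the four duty classes."""
    return not find_conflicts(matrix)


# Constructed matrices: the first mixes duties, the second keeps them apart.
WEAK_MATRIX = {
    "alice": ["approve_sales_order", "post_invoice"],
    "bob": ["receive_customer_cash", "post_cash_receipt", "reconcile_bank_statement"],
    "carol": ["ship_goods"],
}
FIXED_MATRIX = {
    "alice": ["approve_sales_order", "approve_credit_limit"],
    "bob": ["post_invoice", "post_cash_receipt"],
    "carol": ["receive_customer_cash", "ship_goods"],
    "dave": ["reconcile_bank_statement", "reconcile_ar_subledger"],
}
```

Running `find_conflicts(WEAK_MATRIX)` flags alice (authorize + record) and bob (custody + record + verify), while `is_segregated(FIXED_MATRIX)` is true.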