Module 1 Financial Accounting Review Case Study

Module 2
Segregation of Duties Case Study
Individual Assignment
Accounting Information Systems
Primary Learning Objectives
• Investigating how the SAP system assigns authorizations to users
• Understand how to implement segregation of duties controls
• Begin to understand the role of risk assessment in implementing controls
• Applying the principles of segregation of duties to a case study
• Determining how segregation of duties can be applied to a computerized system
© 2009 by SAP AG. All rights reserved. / SAP University Alliances Page 2
Segregation of Duties
• Segregation of duties is one of the strongest controls within an accounting system
• The following duties should be segregated:
  – Authorizing the transaction
  – Recording the transaction
  – Custody of assets involved in the transaction
  – Independent verification and reconciliation of the transactions
Risk Analysis
• All control assessments, including the segregation of duties, should be based on the analysis of risks
• Controls should then be applied in order to mitigate those risks
• Risks have two components
  – Threats
  – Vulnerabilities
    – Wiki defines vulnerability as the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
    – ENISA defines vulnerability as the existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event [G.11] compromising the security of the computer system, network, application, or protocol involved.
Steps Involved in the Case
• The case deals with the revenue cycle (sales to cash business process) of a hypothetical company
• The case consists of four parts
1. Examine how the SAP system assigns authorizations to users – completed outside of class.
2. Risk assessment – analyze the threats to the company's revenue cycle
3. Allocate tasks to employees to properly segregate duties
4. Develop an authorization matrix for segregating duties on a computerized system
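
An added example, not part of the original slides or of SAP: a check that flags any user in an authorization matrix whose tasks span more than one of the four duties to be segregated. The task names, user names and sample matrix are constructed for illustration.

```python
"""Segregation-of-duties check over an authorization matrix (constructed data)."""
from itertools import combinations

# Hypothetical revenue-cycle tasks, each mapped to one of the four duties
# the slides say must be segregated. Task names are assumptions.
TASK_DUTY = {
    "approve_customer_credit": "authorization",
    "approve_credit_memo":     "authorization",
    "enter_sales_order":       "recording",
    "create_invoice":          "recording",
    "post_customer_payment":   "recording",
    "ship_goods":              "custody",
    "receive_cash":            "custody",
    "reconcile_bank_account":  "verification",
}

def find_conflicts(matrix):
    """Return {user: [(task_a, task_b), ...]} for task pairs whose duties differ."""
    conflicts = {}
    for user, tasks in matrix.items():
        unknown = set(tasks) - set(TASK_DUTY)
        if unknown:
            raise ValueError(f"{user}: tasks not in catalogue: {sorted(unknown)}")
        pairs = [(a, b) for a, b in combinations(sorted(tasks), 2)
                 if TASK_DUTY[a] != TASK_DUTY[b]]
        if pairs:
            conflicts[user] = pairs
    return conflicts

def unassigned_tasks(matrix):
    """Tasks nobody can perform; a matrix can be conflict-free yet unusable."""
    assigned = set().union(*matrix.values())
    return sorted(set(TASK_DUTY) - assigned)

# Constructed sample matrix: user -> tasks they are authorized to perform.
SAMPLE_MATRIX = {
    "credit_manager": {"approve_customer_credit", "approve_credit_memo"},
    "sales_clerk":    {"enter_sales_order", "create_invoice"},
    "warehouse":      {"ship_goods"},
    "cashier":        {"receive_cash", "post_customer_payment"},  # custody + recording
    "controller":     {"reconcile_bank_account"},
}

if __name__ == "__main__":
    for user, pairs in find_conflicts(SAMPLE_MATRIX).items():
        for a, b in pairs:
            print(f"{user}: {a} ({TASK_DUTY[a]}) conflicts with {b} ({TASK_DUTY[b]})")
    print("unassigned:", unassigned_tasks(SAMPLE_MATRIX))
```

In the sample, the cashier both holds cash and posts the payment to the customer account, so that pair is reported; moving the posting task to a recording-only user clears it.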
Steps Involved in the Case
• The case is divided into four parts.
• The first three parts deal with assessing risk, assigning tasks to achieve proper segregation of duties, and completing a matrix to assign authorizations in a computerized environment.
• The fourth part must be done outside of class, as we have been warned SAP writes all the authorizations to the archive log. A class as small as 40 students has crashed the entire instance.
  – This part deals with investigating how SAP sets up authorizations for users.