If segregation of duties/functions is not practical or cost effective, then management must develop alternative control activities (compensating controls). The same principle applies to IT systems, but with a different implementation because the processes differ (see below: Compensating Controls for Lack of Segregation of Duties).
Segregation of Functions in IT Systems

The IT environment tends to consolidate activities. A single application may authorize, process, and record all aspects of a transaction. Thus, the focus of segregation control shifts from the operational level (transaction-processing tasks that computers now perform) to higher-level organizational relationships within the computer services function. Segregation of functions within applications is less visible and tends to be consolidated, whereas segregation of functions within the IT unit is manageable.
If management fails to develop a segregation of functions, then the company faces the following risks:
- Hardware/applications are not compatible with business requirements.
- The failure of hardware/applications, which then causes business operations to stop.
- The deterioration of the integrity of programs and databases. Programs and databases can be manipulated for fraudulent practices, either by individuals or by organizations.
- Deteriorating organization's reputation and loss of clients.
- Misappropriation of assets.
- Misstated financial statements.
- Inaccurate financial documentation (i.e., errors or irregularities).
- Improper use of funds or modification of data could go undetected.
- Unauthorized or erroneous changes or modification of data and programs may not be detected.
| Segregation of Functions | Risk if not segregated |
| --- | --- |
| Systems Development / Programmer, from: Computer Operations / User (and software admin) | With detailed knowledge of the application's logic and control parameters and access to the computer's operating system and utilities, an individual could make unauthorized changes to the application during its execution. Such changes may be temporary ("on the fly") and will disappear without a trace when the application terminates. |
| Database Administration, from: Other Functions (for example: operations, systems development, and maintenance) | The DBA function is responsible for a number of critical tasks pertaining to database security, including creating the database schema and user views, assigning database access authority to users, monitoring database usage, and planning for future expansion. Delegating these responsibilities to others who perform incompatible tasks threatens database integrity. |
| | Manipulation of testing results. Inappropriate testing documentation. |
| New Systems Development / Programmer, from: Maintenance (for in-house system development) | The programming group codes the programs. Under this approach, the programmer who codes the original programs also maintains the system during the maintenance phase of the systems development life cycle. Although a common arrangement, this approach is associated with two types of control problems: inadequate documentation and the potential for program fraud. |
| Segregation in Networks: segregate groups of information services, users, and information systems. | Unauthorized or inappropriate access to data or systems; system failure, malware; data manipulation or theft. |
| Authorization of transactions, from: | Manipulation of data before entry; data or material transactions processed by the information system that are not valid or not in accordance with management's objectives. |
1. Users’ direct access capability should be restricted by the operating system and database.
2. Users’ access rights should be approved and documented by management.
3. User master records should be assigned for each user to prevent sharing of IDs and passwords.
4. Passwords should be kept confidential and should be difficult to divulge.
5. Passwords should be changed regularly.
6. Management should regularly review and follow up on any access violations.
7. Access to the SAP system during nonworking hours should be minimized and adequately controlled.
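The table above lists functions that must not sit with the same person. In practice the conflict is rarely visible in a single role: it appears when two individually harmless roles are combined in one user account. The following script, an added example that is not part of the original article, checks role assignments for the incompatible pairs taken from the table. The role names, the role-to-function mapping and the user list are constructed sample data; real input would come from the organization's IAM system or SAP role assignments.

```python
"""Added example (not from the original article): detect segregation-of-function
conflicts in an IT unit from role assignments.

The incompatible function pairs come from the article's table; the role names,
role-to-function mapping and user list are constructed sample data.
"""
from itertools import combinations

# Incompatible pairs taken from the article's table. The table's
# "Systems Development / Programmer" and "New Systems Development / Programmer"
# rows are both represented here by the single function "systems_development".
INCOMPATIBLE_PAIRS = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_development", "software_admin"}),
    frozenset({"systems_development", "maintenance"}),
    frozenset({"database_administration", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"database_administration", "maintenance"}),
}

# Constructed sample data: which functions each role grants, and which roles
# each user holds. The role and user names are assumptions.
ROLE_FUNCTIONS = {
    "developer":    {"systems_development"},
    "ops_operator": {"computer_operations"},
    "dba":          {"database_administration"},
    "sw_admin":     {"software_admin"},
    "maintainer":   {"maintenance"},
}
USER_ROLES = {
    "alice": {"developer", "ops_operator"},        # develops and operates: conflict
    "bob":   {"dba"},                              # single function: clean
    "carol": {"developer", "maintainer"},          # codes and maintains: conflict
    "dave":  {"ops_operator", "sw_admin"},         # both operations-side: clean
    "erin":  {"dba", "developer", "maintainer"},   # three mutually incompatible functions
}


def effective_functions(user_roles, role_functions):
    """Map each user to {function: set(roles that grant it)}.

    Tracing the granting role matters because a conflict is usually created
    by the combination of two individually harmless roles.
    """
    result = {}
    for user, roles in user_roles.items():
        granted = {}
        for role in roles:
            for func in role_functions.get(role, ()):
                granted.setdefault(func, set()).add(role)
        result[user] = granted
    return result


def find_conflicts(user_roles, role_functions=ROLE_FUNCTIONS,
                   incompatible=INCOMPATIBLE_PAIRS):
    """Return {user: [(func_a, func_b), ...]} for every user who holds an
    incompatible pair; each pair is sorted alphabetically."""
    conflicts = {}
    for user, granted in effective_functions(user_roles, role_functions).items():
        hits = [(a, b) for a, b in combinations(sorted(granted), 2)
                if frozenset((a, b)) in incompatible]
        if hits:
            conflicts[user] = hits
    return conflicts


def conflict_report(user_roles, role_functions=ROLE_FUNCTIONS):
    """Render the findings as lines an auditor can review, naming the roles
    that grant each side of the conflict."""
    granted_by = effective_functions(user_roles, role_functions)
    lines = []
    for user, pairs in sorted(find_conflicts(user_roles, role_functions).items()):
        for a, b in pairs:
            roles_a = ",".join(sorted(granted_by[user][a]))
            roles_b = ",".join(sorted(granted_by[user][b]))
            lines.append(f"{user}: {a} (via {roles_a}) conflicts with {b} (via {roles_b})")
    return lines


if __name__ == "__main__":
    for line in conflict_report(USER_ROLES):
        print(line)
```

Users reported here are exactly the ones for whom management must either remove a role or document a compensating control; the report names the granting roles so the reviewer can see which assignment to change.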
Example of Segregation of Functions in IT Unit

Here is an example of segregation of functions in an IT unit. Keep in mind that the organization structure of the IT unit should be based on the complexity and the identified risks of the organization, as well as the related rules and laws.

[Figure: Segregation of Functions in IT Unit]
Compensating Controls for Lack of Segregation of Duties

In a small business where the IS department may consist of only four to five people, compensating control measures must exist to mitigate the risk resulting from a lack of segregation of duties. Before relying on system-generated reports or functions as compensating controls, the IS auditor should carefully evaluate the reports, applications and related processes for appropriate controls, including testing and access controls over changes to the reports or functions. Compensating controls include:
a. Audit trails.
b. Reconciliation.
In some organizations, limited reconciliation of applications may be performed by the data control group using control totals and balance sheets. This type of independent verification increases the level of confidence that the application processed successfully and that the data is in proper balance.
c. Exception reporting.
Exception reporting should be handled at the supervisory level and should require evidence, such as initials on a report, noting that the exception has been handled properly.
d. Transaction logs.
A transaction log may be manual or automated. An example of a manual log is a record of transactions (grouped or batched) before they are submitted for processing. An automated transaction log or journal provides a record of all transactions processed and is maintained by the computer system.
Example of transaction logs:
[Figure: Segregation of Functions Transaction Log]
e. Supervisory reviews.
Supervisory reviews may be performed through observation and inquiry or remotely.
f. Independent reviews.
Independent reviews are carried out to compensate for mistakes or intentional failures. Such reviews will help detect errors or irregularities.
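Reconciliation against control totals (b), exception reporting (c) and the automated transaction log (d) fit together as one detective control: the log is the record, the control totals prove it is complete, and the exception report is what the supervisor initials. The script below, an added example that is not part of the original article, reconciles a constructed automated transaction log against manual batch control totals and builds the exception report. The log fields, the batch header values and the working-hours window (08:00 to 18:00) are constructed assumptions, not anything the article specifies.

```python
"""Added example (not from the original article): reconcile an automated
transaction log against manual batch control totals and produce an exception
report for supervisory review.

The log format, the batch header values and the working-hours window
(08:00-18:00) are constructed assumptions, not anything specified by the article.
"""
import csv
import io
from datetime import datetime
from decimal import Decimal

# Constructed sample automated transaction log (the kind the computer system
# maintains). Field names are assumptions.
TRANSACTION_LOG = """\
txn_id,batch_id,timestamp,entered_by,approved_by,amount
T1001,B-001,2024-03-04T09:15:00,alice,bob,500.00
T1002,B-001,2024-03-04T09:20:00,alice,bob,450.00
T1003,B-001,2024-03-04T09:25:00,carol,carol,500.00
T1004,B-002,2024-03-04T22:40:00,dave,bob,700.00
T1005,B-002,2024-03-04T10:05:00,dave,,299.99
"""

# Constructed manual batch log: count and control total recorded before each
# batch was submitted for processing. B-002 was recorded with three items.
BATCH_CONTROL = {
    "B-001": {"count": 3, "total": Decimal("1450.00")},
    "B-002": {"count": 3, "total": Decimal("1299.99")},
}

WORK_START_HOUR, WORK_END_HOUR = 8, 18   # assumed working-hours window


def parse_log(text):
    """Parse the CSV log into dicts with a typed timestamp and Decimal amount."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["amount"] = Decimal(row["amount"])
        rows.append(row)
    return rows


def reconcile(txns, batch_control):
    """Compare logged count and sum per batch with the manual control totals.

    Returns {batch_id: [issue, ...]}; an empty list means the batch balances.
    """
    logged = {}
    for t in txns:
        entry = logged.setdefault(t["batch_id"], {"count": 0, "total": Decimal("0")})
        entry["count"] += 1
        entry["total"] += t["amount"]
    issues = {}
    for batch_id in sorted(set(logged) | set(batch_control)):
        found = []
        if batch_id not in batch_control:
            found.append("no manual batch record")
        elif batch_id not in logged:
            found.append("batch never processed")
        else:
            exp, got = batch_control[batch_id], logged[batch_id]
            if got["count"] != exp["count"]:
                found.append(f"count mismatch: logged {got['count']}, expected {exp['count']}")
            if got["total"] != exp["total"]:
                found.append(f"total mismatch: logged {got['total']}, expected {exp['total']}")
        issues[batch_id] = found
    return issues


def flag_exceptions(txns, work_start=WORK_START_HOUR, work_end=WORK_END_HOUR):
    """Return (txn_id, reason) pairs for transactions needing supervisory review:
    no approver, entered and approved by the same person, or posted outside hours."""
    flagged = []
    for t in txns:
        if not t["approved_by"]:
            flagged.append((t["txn_id"], "unapproved"))
        elif t["approved_by"] == t["entered_by"]:
            flagged.append((t["txn_id"], "self-approved"))
        if not work_start <= t["timestamp"].hour < work_end:
            flagged.append((t["txn_id"], "outside working hours"))
    return flagged


def exception_report(txns, batch_control):
    """Lines for the report a supervisor initials after handling each item."""
    lines = [f"{b}: {i}" for b, issues in reconcile(txns, batch_control).items() for i in issues]
    lines += [f"{txn}: {reason}" for txn, reason in flag_exceptions(txns)]
    return lines


if __name__ == "__main__":
    for line in exception_report(parse_log(TRANSACTION_LOG), BATCH_CONTROL):
        print(line)
```

On the sample data the report shows B-002 short by one transaction (both count and total disagree with the manual log), one self-approved transaction, one unapproved transaction and one posted outside working hours. Decimal is used for amounts so that control totals compare exactly; a float sum can differ from the manual total by a rounding error and produce spurious exceptions.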