s33 - segregation of duties

Post on 04-Apr-2018


  • 7/30/2019 S33 - Segregation of Duties

    S33 - Segregation of Duties

    Scott Mitchell and Colin Wallace


    Segregation of Duties

    Scott Mitchell, Senior Manager (503) 478-2193

    Colin Wallace, Senior Manager

    Our Objectives

    Clarify the role of Segregation of Duties (SOD)

    Demonstrate how to implement effective SOD

    Clarify the evaluation process of current user access

    Demonstrate that management is always surprised after evaluating their SOD


    Agenda

    Discuss fraud and risks of fraud

    Define SOD

    Demonstrate a method for evaluating SOD

    Considerations for maintaining SOD

    Examples of findings

    Fraud examples in the news

    Societe Generale: French bank loses [amount illegible] due to unauthorized trading

    Siemens AG: Fraudulent consulting contracts ($500M)

    NEC: Invalid revenue ($18M) and kickbacks ($4.2M)

    NBC Universal, Inc.: Treasurer charged with wire fraud ($813K)


    The Fraud Triangle

    Pressure/Incentive, Opportunity, Rationalization

    What is Segregation of Duties?

    How do you define it?

    What is the goal of segregation of duties?

    Are all SOD conflicts equal in importance?


    What is Segregation of Duties?

    COSO: Dividing or allocating tasks among various individuals, making it possible to reduce the risks of error and fraud.

    Contains four components

    Custody

    Record Keeping

    Reconciliation

    What is Segregation of Duties (cont.)?

    Ideally, a single individual would have responsibility

    Benefits include:

    Safeguarding of assets

    Accurate financial reporting

    Reduced risk of noncompliance (e.g., SOX and external audit)


    What is Segregation of Duties (cont.)?

    SOD conflicts are not equally important to every company:

    Safeguarding of assets vs. financial reporting risks

    Relative importance of information confidentiality

    Reduced risk when the chain of access is broken

    SOD risks are company specific

    Evaluating Your SOD

    Create a policy

    Include a statement that management is responsible for enforcing the policy and maintaining proper SOD

    Ultimately includes a list of incompatible duties

    Identify the core tasks performed at your company


    Evaluating Your SOD

    Identify incompatibilities

    Risk based for your business

    Consider sensitive duties such as posting of journal entries, performing reconciliations and

    Vendor Master

    Example SOD Matrix

    [Matrix: the sensitive activities Customer Master, Sales Order Entry/Edit, Sales Order Approval, Ship Confirm, Vendor Master, Requisition Entry/Edit, Requisition Approval, Purchase Order Entry/Edit, Purchase Order Approval, Receiving and Inventory Adjustment Entry appear as both rows and columns, with 1/0 cells marking which pairs of activities conflict; only fragments of the cell values are legible in this copy.]


    Evaluating Your SOD (cont.)

    Translate requirements into applications

    Define menus or objects granting user access

    Identify the sensitive objects associated with conflicting duties

    Time consuming depending on the system

    Evaluating Your SOD (cont.)

    Roles for key responsibilities with well defined

    Shipping/Receiving

    Purchasing

    Accounts Payable

    Accounts Receivable


    Evaluating Your SOD (cont.)

    Object     Description                                 Area
    P0012      Automatic Accounting Instructions           AAI
    P0022      Tax Rules                                   Tax
    P0030G     G/L Bank Accounts                           Accounting
    P03013     Customer Master                             Customer Master
    P03B0001   Speed Receipts Entry                        Receiving
    P03B0002   Invoice Revisions                           Vendor Invoices Entry/Edit
    P03B102    Standard Receipt Entry                      Receiving
    P03B11     Standard Invoice Entry                      Vendor Invoices Entry/Edit
    P03B11SI   Speed Invoice Entry                         Vendor Invoices Entry/Edit
    P03B11Z1   Batch Invoice Revisions                     Vendor Invoices Entry/Edit
    P03B121    Work With Electronic Receipts Input         Receiving
    P03B123    Electronic Receipt Entry                    Receiving
    P03B305    Credit Granting / Management                Customer Master
    P03B42     A/R Deduction Activity Master Maintenance   Customer Master

    Evaluating Your SOD (cont.)

    Determine the existing role access rights

    Identify built-in conflicts provided by each role

    Document desired changes to roles

    Determine the users assigned to roles

    of user conflicts allowed


    Evaluating Your SOD (cont.)

    Role        Object     Description
    GL          P0012      Automatic Accounting Instructions
    GL          P0030G     G/L Bank Accounts
    AR          P03013     Customer Master
    AR          P03B305    Credit Granting/Management
    AR          P03B42     A/R Deduction Activity Master Maintenance
    Receiving   P03B0001   Speed Receipts Entry
    Receiving   P03B102    Standard Receipt Entry
    Receiving   P03B121    Work With Electronic Receipts Input
    Receiving   P03B123    Electronic Receipt Entry
    Tax         P0022      Tax Rules
    AP          P03B0002   Invoice Revisions
    AP          P03B11     Standard Invoice Entry
    AP          P03B11SI   Speed Invoice Entry
    AP          P03B11Z1   Batch Invoice Revisions

    User    Role
    User1   Receiving
    User2   Receiving
    User3   AP
    User4   AP
    User5   AR
    User6   AR
    User7   GL

    Tables such as the above will provide information of user access to sensitive transactions

    Evaluating Your SOD (cont.)

    [Diagram: User -> Role -> Object -> TransType, with each user's transaction types checked against the Conflict list of TransType pairs]

    The above graphic depicts how user conflicts can be identified using lists of:

    Users/roles

    Roles/objects/transaction types

    Conflicting pairs of transaction types


    Evaluating Your SOD (cont.)

    Added Requirements

    Roles should not contain built-in conflicts

    Additional issues and complexity

    Users assigned to multiple roles

    Users assigned access rights by User ID

    Users accessing multiple systems
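    The user-conflict method from the graphic (users/roles, roles/objects/transaction types, conflicting pairs of transaction types) together with the added requirements listed above, as an added Python example that is not part of the presentation: it loads the deck's role/object and user/role tables, checks each role for built-in conflicts, then unions each user's access across multiple roles and access granted directly by User ID before testing it against the conflict pairs. The conflict pairs, User8 and the direct grant are constructed for the example because the deck's matrix values are not legible here.

```python
# Role -> object -> transaction type (area), from the presentation's tables.
ROLE_OBJECTS = {
    "GL": {"P0012": "AAI", "P0030G": "Accounting"},
    "Tax": {"P0022": "Tax"},
    "AR": {"P03013": "Customer Master", "P03B305": "Customer Master", "P03B42": "Customer Master"},
    "Receiving": {"P03B0001": "Receiving", "P03B102": "Receiving",
                  "P03B121": "Receiving", "P03B123": "Receiving"},
    "AP": {"P03B0002": "Vendor Invoices Entry/Edit", "P03B11": "Vendor Invoices Entry/Edit",
           "P03B11SI": "Vendor Invoices Entry/Edit", "P03B11Z1": "Vendor Invoices Entry/Edit"},
}

# User -> roles from the presentation, plus a constructed User8 holding two roles.
USER_ROLES = {
    "User1": ["Receiving"], "User2": ["Receiving"], "User3": ["AP"],
    "User4": ["AP"], "User5": ["AR"], "User6": ["AR"], "User7": ["GL"],
    "User8": ["Receiving", "AP"],  # constructed: user assigned multiple roles
}

# Constructed: access granted directly by User ID, outside any role.
USER_DIRECT_OBJECTS = {"User5": {"P03B102": "Receiving"}}

# Constructed conflict pairs of transaction types (assumed, not the deck's
# matrix, whose cell values are not legible).
CONFLICT_PAIRS = {
    frozenset({"Receiving", "Vendor Invoices Entry/Edit"}),
    frozenset({"Customer Master", "Receiving"}),
}


def trans_types_for_role(role):
    """Transaction types reachable through one role's objects."""
    return set(ROLE_OBJECTS[role].values())


def conflicts_in(trans_types):
    """Conflict pairs fully contained in a set of transaction types."""
    return sorted(tuple(sorted(p)) for p in CONFLICT_PAIRS if p <= set(trans_types))


def role_built_in_conflicts():
    """Roles that violate 'roles should not contain built-in conflicts'."""
    found = {r: conflicts_in(trans_types_for_role(r)) for r in ROLE_OBJECTS}
    return {r: c for r, c in found.items() if c}


def user_conflicts(users=USER_ROLES, direct=USER_DIRECT_OBJECTS):
    """Union each user's access over all roles and direct grants, then test."""
    result = {}
    for user, roles in users.items():
        types = set().union(*(trans_types_for_role(r) for r in roles))
        types |= set(direct.get(user, {}).values())  # rights granted by User ID
        found = conflicts_in(types)
        if found:
            result[user] = found
    return result
```

With the deck's single-role users no conflict is reported, but User5's direct grant and User8's second role each surface a conflicting pair that a role-only review would miss.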

    Evaluating Your SOD (cont.)

    Does this solve all issues? Not likely.

    Small groups of users

    System constraints

    Manual activities outside the system

    Detective controls have a role

    Audit trails

    Exception reports


    Evaluating Your SOD (cont.)

    Other sources of SOD concern:

    Application administrator access

    Security administrator and user setup

    Programmer access to production

    Powerful utilities

    Shared passwords

    Access to edit/change audit tables

    Maintaining SOD

    Prevention

    Tools for granting user access rights: IT becomes a gatekeeper

    Conflicts raised for added approval or mitigation

    Role and user change controls

    Maintain strong authentication requirements


    Maintaining SOD (cont.)

    Detection

    Internal audit

    Periodic evaluation and monitoring

    Exception reporting

    Automated Methods

    Automated monitoring

    ERP system tools and workflow

    SOD Observations

    What have you seen in SOD findings?

    What conflicts are most concerning to you and your company?


    Management is Surprised

    3,100 KRONOS users could authorize their own payroll

    1,100 were hourly employees who could approve their own overtime

    All 3,100 could change their vacation accruals and approve payment in lieu of vacation

    Key Points

    Segregation of Duties helps prevent fraud and errors

    Companies should identify their risks and controls

    Detective controls can be effective

    A process is needed to correct ineffective SOD

    Maintaining effective SOD requires processes and tools

    Management is always surprised about current access

    Without performing an analysis, SOD issues are apparent after something bad occurs


    Questions and Answers

    Thank You!

    [email protected]

    (503) 478-2193

    [email protected]

    (503) 478-2185

    The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.