Readings
- What is a compensating control? When would you use one? Why? Can you give an example?
- If you had to rank the importance of the basic IT controls, how would you do it? Which is most important, which least?
- What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Your Neighborhood Grocer Case
Consider the following questions about the YNG case. Ignore the questions at the end of the case.
- YNG has grown through acquisition resulting in a mess of systems. Why did this happen and what controls can Larry put into place to ensure that it doesn’t continue into the future?
- Business application procurement seems to be a big problem. IT buys stuff the businesses don’t want and many of the business’s purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
- The most recent IT Audit will produce a finding about the sorry state of access control in the company. What controls should Larry be ready to recommend to reduce the impact of this finding?
Marcus A. Wilson says
What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties is used to distribute responsibilities in a way that does not create a conflict of interest that can lead to fraudulent actions both intentionally and unintentionally. This is a basic administrative control that helps the IT organization operate efficiently while reducing risks across IT groups and jobs.
One IT role that should be segregated is the DBA role. DBAs have elevated access to all of the organization’s data. I was a DBA in my previous role and we had several controls in place to enforce segregation of duties. The main control was a monitored process of unlocking admin and root IDs in a production database environment for changes. A change control ticket had to be created and approved by a change control board before the admin/root access could be unlocked by the IT operations center. This prevented a DBA from getting full access and modifying or altering production data without an approved business case.
Another role that should be segregated is the group or team responsible for the logging of systems. Logs should be kept to monitor and detect unauthorized and suspicious activity. The users with responsibility for reviewing the logs should not have the ability to write to or enable the logs. As a DBA we were required to enable automated logging of access and changes to databases, but we had an external group within the organization that would review and audit the logs. This prevents someone who has elevated access from changing the logs to hide their tracks.
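The change-control gate Marcus describes (admin/root unlocked only against an approved ticket, with every decision written to a log that a separate group reviews) can be expressed as a small check. This is an added example, not code from the thread or from any organization mentioned in it; the CCB member names, the ticket fields, the quorum of two approvers and the `evaluate_unlock` function are all constructed assumptions for illustration.

```python
"""Added example, not code from the thread: a change-control gate for
unlocking privileged (admin/root) database accounts. Every name here (CCB
members, ticket fields, evaluate_unlock) and every sample ticket is
constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta

CCB_MEMBERS = frozenset({"ccb_alice", "ccb_bob", "ccb_carol"})  # constructed
CCB_QUORUM = 2  # approvals required before operations may unlock


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    requester: str            # the DBA who needs admin/root access
    approvers: frozenset      # CCB members who approved the ticket
    target_db: str
    window_start: datetime
    window_end: datetime


@dataclass(frozen=True)
class UnlockRequest:
    requester: str
    ticket_id: str
    target_db: str
    requested_at: datetime


def evaluate_unlock(req, tickets, audit_log):
    """Decide whether the operations center may unlock admin/root for `req`.

    `tickets` maps ticket_id -> ChangeTicket. Every decision, allowed or
    denied, is appended to `audit_log` so that a separate review group (one
    that cannot edit the log) sees denials as well as approvals.
    Returns (allowed, reason)."""
    ticket = tickets.get(req.ticket_id)
    if ticket is None:
        reason = "no such change ticket"
    elif ticket.requester != req.requester:
        reason = "ticket was raised by a different requester"
    elif ticket.target_db != req.target_db:
        reason = "ticket covers a different database"
    elif req.requester in ticket.approvers:
        reason = "requester may not approve their own change"
    elif len(ticket.approvers & CCB_MEMBERS) < CCB_QUORUM:
        reason = "insufficient CCB approvals"
    elif not (ticket.window_start <= req.requested_at <= ticket.window_end):
        reason = "outside the approved change window"
    else:
        reason = "approved"
    allowed = reason == "approved"
    audit_log.append({
        "at": req.requested_at.isoformat(),
        "requester": req.requester,
        "ticket": req.ticket_id,
        "db": req.target_db,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed, reason


# Constructed sample data: one properly approved ticket, one self-approved.
T0 = datetime(2024, 3, 1, 9, 0)
TICKETS = {
    "CHG-100": ChangeTicket("CHG-100", "dba_dan", frozenset({"ccb_alice", "ccb_bob"}),
                            "orders_prod", T0, T0 + timedelta(hours=2)),
    "CHG-101": ChangeTicket("CHG-101", "dba_dan", frozenset({"dba_dan", "ccb_alice"}),
                            "orders_prod", T0, T0 + timedelta(hours=2)),
}


def run_demo():
    """Exercise the gate with three requests; returns (decisions, audit_log)."""
    log = []
    decisions = [
        evaluate_unlock(UnlockRequest("dba_dan", "CHG-100", "orders_prod",
                                      T0 + timedelta(minutes=30)), TICKETS, log),
        evaluate_unlock(UnlockRequest("dba_dan", "CHG-101", "orders_prod",
                                      T0 + timedelta(minutes=30)), TICKETS, log),
        evaluate_unlock(UnlockRequest("dba_dan", "CHG-100", "orders_prod",
                                      T0 + timedelta(hours=5)), TICKETS, log),
    ]
    return decisions, log


if __name__ == "__main__":
    for allowed, reason in run_demo()[0]:
        print("ALLOW" if allowed else "DENY ", reason)
```

The check order matters: a ticket the requester approved themselves is rejected before the quorum is even counted, so a DBA who also sits on the board cannot make up the numbers. The log entry is written on both branches, which is what lets the independent reviewers spot repeated denied attempts, not just successful unlocks.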
Richard Flanagan says
Jeff,
You’ve hit on two important controls. First, many companies require any purchase of IT equipment to go through a single buyer (or group) that reports to purchasing, but sits in IT. The goal here is to give IT awareness of all the IT buying that is taking place in hopes of controlling it. At first it’s often mind-blowing for the organization to see just how much they are really spending. Once that is understood, senior management is much more likely to support a centralized IT strategy that reduces cost. Your second control is really Enterprise Architecture, a topic we will cover next week, so I will leave the discussion until then.
Richard Flanagan says
Amanda,
You are assuming a major access control, “least privilege possible”. This is the accepted idea that a person should have no more access than they need to do their job. This makes role management critical and complicated. As people change jobs, their access needs to change. But if it isn’t done right, they can keep getting more and more until they become a risk. It’s a matter of taking away as well as giving new access.
Another key control is the idea that each individual has a unique id and is responsible for anything that is done using that id. Companies that have group ids for certain workers (plant operators, wait staff, etc.) are looking for trouble as the password is widely known and responsibility cannot be tracked.
Jeff Hankin says
Annamarie, your example of IT roles that should be segregated, Application Development and Application Maintenance, actually made me think of my own job. Where I work, those two roles are one and the same. Those who develop the applications are usually the ones who support and maintain them later on. This is done to improve efficiency, since the person who developed the system most likely has the most knowledge of the system and its interactions. This is definitely an area of risk within our IT department.
We do try to have at least one other employee be a backup on our systems and cross-training is attempted, though sometimes pushed to a lower priority based on the current business priorities. We also do code reviews before anything is installed into our live/production environment in which we go through our code line-by-line with 1 or 2 other people. This helps reduce the risk of having those who develop the code also maintain it. Those two roles should most certainly be segregated from a responsibility standpoint though.
Jimmy C. Jouthe says
Dan, I like that you brought up the benefits of having segregation of duties in combination with rotation of duties; they definitely complement each other. Segregating the duties to control/secure the work and rotating the duties of the personnel to keep it going. We have a situation at work where one section depends on another section, but they must be segregated to prevent any forgery. For instance, at the start of the process, a user cannot run a job in one section that involves printing and run the same job in the next section that involves enclosing; it has to be a different user. The issue is they are supposed to rotate. So, problems arise when someone from one section is out sick and nobody else seems to remember how to do the work. Although the users are initially trained to use the systems in both sections, they often have to be retrained. Slows everything up.
Jeff Hankin says
James,
Pertaining to your second point, I’ve always heard a ‘tall tale’ told within IT of the programmer who wrote all of his code to check for his user ID in the HR system for it to work as intended. Once he left the company, the code he wrote went haywire, since his user ID was no longer active. I am not sure if it is true or not (it does seem a bit outlandish), but it shows the risk taken by companies who do not separate developers from the testers and, ultimately, those who install/implement the code into the production/live system. Had proper personnel controls been in place, the chance of someone catching that odd code would have been greater. Also, some background checks or reference calls may have pinpointed some questionable tendencies by that individual before they even had the ability to touch a piece of code.
M. Sarush Faruqi says
3. What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated?
Segregation of duties is a form of IT personnel control which seeks to ensure that one person is not responsible for carrying out critical functions in an organization in a way which could lead to fraudulent and malicious behavior that can go unnoticed in the course of the day-to-day activities of the business. Segregating duties is important in the sense that it does not give employees access to too many of the company’s assets where personal interests of the employee may lead to the risk of things such as the misuse of assets, misrepresentation of financial statements, misuse of the IT budget, and mishandling of data. In essence, segregation of duties limits what resources an employee has access to, thereby reducing the potential damage he or she can do if they decide to put their personal interests before the company’s financial well-being.
One of the most important roles which should be segregated is the IT department from the rest of the organization. From personal experience, I’ve seen departments or divisions within an organization employ their own IT help desk for support on things such as password resets, installation of workstations, and login support, but areas such as security, development, database usage, and networking have been kept separate. The internal department should never perform IT duties as it can and will lead to a higher risk of engaging in dishonest behavior. In the STARS case we read a couple of weeks ago, some of the departments were performing their own IT duties and forced the IT department to employ IT services they needed to satisfy their interests. This example shows why it is important to segregate duties and have a well-represented IT department which performs IT duties without pressures from internal departments.
Another important role which should be segregated is application development from application maintenance. In this case, programmers who write the code should not be responsible for maintaining it as a whole. Segregating these two roles reduces the risk of malicious code being introduced into the application. In my company, we have developers on different delivery teams who write code and send it to a support team who reviews, compiles, and maintains all of the application code as it goes into production. What this essentially does is have a second pair of eyes look at the code to ensure everything which is going into production will safeguard consumer assets and will not tarnish the company’s image for personal interests in the form of things such as malicious or faulty code.
Marcus A. Wilson says
YNG Case-
Business application procurement seems to be a big problem. IT buys stuff the businesses don’t want and many of the business’s purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
There has been a disconnect between YNG’s IT purchasing strategy and business objectives. The IT organization does not have procurement controls or a policy that considers the business goals and strategies. Since the IT direction and business goals do not align, the business takes matters into their own hands which has resulted in a very diverse and inconsistent IT environment.
Larry should implement procurement controls to prevent this from continuing in the future. The first step would be developing an IT procurement policy that outlines the steps required for a substantial IT purchase. This policy would cover budget, current infrastructure, vendor relationships, and administrative processes. Other controls include senior management and an IT committee approving purchases only after reviewing that the request meets the requirements in the IT procurement policy. The IT committee will have insight into the organization’s strategy and can verify that the request fits into that strategy. This will also allow the purchase to be supported by IT and fit into the overall IT architecture.
M. Sarush Faruqi says
Hi Amanda,
I agree with you on the notion that developers or the people who took part in coding a piece of software should not have the ability to move it to production. This can definitely be an invitation to invite potential malicious code into the software with no other control to monitor what went into production. You bring up a valid point about not being able to segregate duties because of small staff size. I was actually reading an article a couple weeks ago which talked about developers taking on the role of coding and testing the application outside of unit testing. The article was trying to make the point that developers who code and test will be accountable for producing bug free code from start to finish and will essentially be forced to take ownership if a bug is found in production for a piece of software they coded.
While I agree that this will make developers more accountable and could potentially produce much better software applications, I think it gives them more control of what they code and how they test. They will test what they see as necessary and could add malicious code without anyone else noticing. What are your thoughts on this?
M. Sarush Faruqi says
Amanda,
I would agree with you in the sense that developers should have an independent group review and test the code to make sure it is performing at an optimal level and does not have potential malicious code embedded inside of it. In terms of the business accepting a delayed timeline, I think it depends on the business and the tone it sets within the organization. If management is concerned about the security of consumer information, I think they would be willing to accept a delayed timeline to make sure that quality code is going into production. However, if all they care about is selling the product and making sales, they may not accept any further delays to a planned project. I think it also comes down to the risk they are willing to accept that a bug or malicious code is introduced in production. Both of these things can potentially cause the business to lose money and possibly tarnish its image. In this case, I would imagine they would rather wait a little longer than incur a financial or reputational loss.
M. Sarush Faruqi says
Annamarie and Jeff,
Both of you bring up great points about the importance of segregation of duties. Like Jeff, developers in my company have code reviews as well before handing it off to the support team for a deeper level of review. While I agree that giving developers the duties of application development and maintenance could prove to be efficient, I think companies also do it to have less impact on their IT budget. Both application development and maintenance cost money to do, which means more support or resources are needed to carry out these tasks. One of the biggest expenses in an IT budget is salaries, so logically speaking, companies would be saving money by giving fewer people more tasks to do. If this is the case, appropriate compensating controls should be in place, such as audit trails, log files, or supervisory reviews, to make sure every behavior is tracked from development to maintenance.
Richard Flanagan says
James,
Very true, think of the USAir takeover of American Airlines. It took them almost 2 years to merge their systems. As a frequent flier I can tell you it was a painful process. Deciding to do it is a truly strategic question. The organization needs to understand the benefits and make a knowing decision. That’s what governance is all about, not backing into things but being proactive.
Richard Flanagan says
Wayne,
Good comment about cost. How can you manage when the business just plain doesn’t have the money to segregate duties properly?
Richard Flanagan says
Ariana,
Great example. Do the managers do their jobs correctly? How do you know? Do you have any layered controls to make sure?
Richard Flanagan says
Scott,
Excellent example. We had small plants in many countries with this exact problem (i.e. the plant manager was also the country manager, HR manager, etc.). The question became how few people do we need to establish a reasonable level of control. The final answer was we could run a whole country subsidiary and plant with only four people but it took a lot of compensating controls.
M. Sarush Faruqi says
Business application procurement seems to be a big problem. IT buys stuff the businesses don’t want and many of the business’s purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
Business application procurement has been a disaster in YNG mainly because IT is not in alignment with the business strategic objectives. YNG is in a market where there is a lot of competition requiring more focus and resources on aspects such as marketing giving IT infrastructure a backseat when it comes to strategic planning and alignment. Management does not realize the value IT can provide within the business and end up purchasing software systems which are either outdated to retain legacy systems just so the business can say they have some form of IT in place to run their day to day operations.
Larry must implement controls around aligning IT with the business objectives of the organization. He needs to implement policies and procedures which reinforce IT and give it an active role in the development of the business. He needs to establish a process around decision making and implement a decision-making body with equal representation from IT and the business to prioritize business and IT objectives, including the purchasing of IT infrastructure. An IT budget must also be established which takes into account both external and internal costs and alignment with the business. Because the supermarket industry is so competitive, adopting certain technologies may be necessary. Larry should work to establish procedures which cut costs from the budget to acquire these technologies without sacrificing other IT services. The establishment of a committee would be helpful here to make sure the right costs are being cut and IT is not deviating from the goals of the business.
Marcus A. Wilson says
Jane, great examples of compensating controls. In internal audit we support lots of engagements across the business. Over the last few years the business has grown and it becomes difficult to spread resources to ensure 100% audit coverage. To account for this we have begun using a lot of proactive monitoring using data analytics. We may not do a full audit on all of the scope areas, but we are able to monitor certain areas of the business and can turn it into a full audit if something looks unusual. I think this would also classify as a compensating control.
Mengqi He says
What is segregation of duties and how does it play into basic administrative controls? Give an example of two IT roles that should be segregated.
Segregation of duties is an internal control intended to disperse critical functions of a business process to more than one person or department. It is very important in basic administrative controls for mitigating the risk of fraud and crime by restricting the authority of one person over a business process. For example, a person can place an order to buy products from a supplier, but a different person will issue the payment to the supplier and another person must record the transaction in the accounting records. If the person placing orders also records the transaction, he/she may overstate the number or amount of the products to benefit himself/herself, while if the person recording the transaction also issues payment, he/she may issue more than needed to earn illegal benefit. Another example in IT duties is that the application developer, database administrator (DBA), IT operator and the person responsible for information security should be segregated to prevent IT fraud. If the application developer is also responsible for information security, he/she may intentionally design a bug and omit it when monitoring for security to obtain benefit.
Last year, I participated in an IT competition. The case was a typical example of bad segregation of duties. RODH Inc. is a global telecommunications company. Its accounts payable clerks were responsible for approving vendors, creating purchase requisitions, issuing payment and recording journal entries. The AP clerk almost has the authority over all critical functions of the procurement process! Therefore, it was common that the quantity of goods received and paid for could not match up. Worse than that, employees’ authority in the system might not update even after a transition to another department has completed, and this error was not discovered by the IT director until the annual review. I believe the most urgent change for RODH is to enhance the segregation of duties and IT controls to operate more efficiently.
Although segregation of duties seems to be extremely important in an organization to prevent fraud, it is very difficult to achieve in small businesses. Therefore, many small businesses have to rely on compensating controls, like reviewing system reports and audit trails, to achieve the required IT controls.
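The two failures in the RODH case (one clerk holding every step of procurement, and access that was never revoked after a department transfer) are exactly what a periodic access review looks for, and the second one is also the point Richard makes above about least privilege and taking access away as people change jobs. The following is an added example written for this thread, not code from the case or from any organization mentioned here; the conflict pairs, the role baselines, and every user, role and entitlement are constructed assumptions.

```python
"""Added example, not from the thread: an access-review check for (a)
segregation-of-duties conflicts in a user's entitlements and (b) access
held beyond the baseline for the user's current role. The conflict pairs,
role baselines, user names and entitlements are all constructed."""
from itertools import combinations

# "Toxic combinations": pairs of functions one person should not hold.
SOD_CONFLICTS = {
    frozenset({"approve_vendor", "issue_payment"}),
    frozenset({"create_requisition", "issue_payment"}),
    frozenset({"issue_payment", "record_journal_entry"}),
    frozenset({"create_requisition", "record_journal_entry"}),
    frozenset({"develop_application", "security_monitoring"}),
}

# Least privilege: the functions each role is expected to need, no more.
ROLE_BASELINE = {
    "ap_clerk": {"create_requisition"},
    "ap_manager": {"approve_vendor"},
    "treasury": {"issue_payment"},
    "accounting": {"record_journal_entry"},
    "developer": {"develop_application"},
    "security_analyst": {"security_monitoring"},
}


def find_sod_conflicts(entitlements):
    """entitlements: user -> set of functions.
    Returns user -> sorted list of conflicting (function, function) pairs."""
    findings = {}
    for user, funcs in entitlements.items():
        pairs = [tuple(sorted(p)) for p in combinations(sorted(funcs), 2)
                 if frozenset(p) in SOD_CONFLICTS]
        if pairs:
            findings[user] = pairs
    return findings


def find_excess_access(entitlements, current_role):
    """current_role: user -> role name. Returns user -> functions the user
    holds beyond the baseline for their *current* role (typically leftovers
    from a previous job that were never revoked)."""
    findings = {}
    for user, funcs in entitlements.items():
        baseline = ROLE_BASELINE.get(current_role.get(user), set())
        extra = funcs - baseline
        if extra:
            findings[user] = extra
    return findings


# Constructed sample: an AP clerk with the whole process, a developer who
# moved to security but kept development rights, and two clean users.
ENTITLEMENTS = {
    "rodh_clerk": {"approve_vendor", "create_requisition",
                   "issue_payment", "record_journal_entry"},
    "moved_to_sec": {"develop_application", "security_monitoring"},
    "treasury_tom": {"issue_payment"},
    "dev_dina": {"develop_application"},
}
CURRENT_ROLE = {
    "rodh_clerk": "ap_clerk",
    "moved_to_sec": "security_analyst",
    "treasury_tom": "treasury",
    "dev_dina": "developer",
}


def review():
    """Run both checks over the sample data; returns (conflicts, excess)."""
    return (find_sod_conflicts(ENTITLEMENTS),
            find_excess_access(ENTITLEMENTS, CURRENT_ROLE))


if __name__ == "__main__":
    conflicts, excess = review()
    for user, pairs in conflicts.items():
        print(f"SoD conflict: {user} holds {pairs}")
    for user, extra in excess.items():
        print(f"Excess access: {user} has {sorted(extra)} beyond role baseline")
```

The two checks answer different questions. The conflict check says "this person can complete a fraudulent transaction alone", regardless of how they came by the access; the baseline check says "this person has more than their job needs", which catches accumulated rights even before they form a conflicting pair. An organization that cannot afford to split the roles still benefits from running the first check, because it tells you exactly whose transactions need the compensating review.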
Richard Flanagan says
Ah Dan, splitting hairs is fun but of course you are right. All these controls are important but usually taken for granted.
Richard Flanagan says
Cassandra
Correct, but don’t limit your thinking to security controls; this is true for all types of controls: security, general IT controls and business application controls.
Mengqi He says
Business application procurement seems to be a big problem. IT buys stuff the businesses don’t want and many of the business’s purchases have been outright failures. Why? What controls can Larry put into place to ensure that it doesn’t continue into the future?
Not reaching an agreement between business and IT staff before making a purchase is the greatest issue in the application procurement process. The company should have IT purchasing controls to ensure that all purchased applications will satisfy both business and IT staff requirements to better accomplish the general goals and specific objectives of the company. Both business and IT staff should have a good understanding of the business objective intended to be achieved through the new application. Firstly, the business staff should develop business requirements based on the objective. Then, IT staff should develop a feasibility study based on the business requirements to see whether the requirements are reasonable. After both business and IT staff reach an agreement, the requirements can be sent to the IT programming department or system supplier to develop. It is very important that both business and IT staff stay consistent on the business objective during the procurement process.
Mengqi He says
Jeff, I really like the way you ranked IT controls based on the frequency and severity of the risks they prevent, but I would like to rank IT standards, policies and procedures the most important because they establish norms of behavior and technical performance, and determine what should be done and how it can be done correctly. It is more like a guideline that will make sure all projects stay consistent with the business objective of the organization. It is hard to pick the least important one because each is very important to help the company operate more efficiently in an IT-secure environment.
Mengqi He says
Hi, Wilson. Indeed, the cost of SoD is one of the greatest considerations for small businesses. Instead of hiring extra employees to achieve SoD, they would have compensating controls, which are much cheaper, to help them fulfill the IT control requirements. Sometimes, the compensating controls will rely highly on employees’ loyalty to the company.
Jimmy C. Jouthe says
A compensating control is a security measure utilized in place of another security measure that is deemed too difficult or impossible to implement. When an organization doesn’t have enough employees in a department to carry out the internal control of segregation of duties, then another security measure would have to take its place to compensate for the risk of not being able to apply the control. So an employee performing all the functions in a process of work, or an employee with conflicting access to an application involving transactions, are examples where compensating controls would have to be implemented. In this case these compensating controls would include periodic reviewing of detailed paperwork/logs or transactions made by the employee, reviewing/analyzing any supporting documents/reports and questioning flags of any suspicious-looking activities.
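The periodic transaction review Jimmy describes is a detective control: when one person legitimately holds conflicting access, someone else reads the log afterwards and looks for process instances where that person actually exercised both sides. The block below is an added example written for this thread, not code from the post or from any organization in it. The log layout (timestamp, process instance, user, function, amount), the conflict pairs, the two finding types and all eight log lines are constructed for illustration.

```python
"""Added example, not from the thread: a detective compensating control that
reviews a procurement transaction log and flags (a) the same user performing
two conflicting steps of one purchase order and (b) payments with no
requisition behind them. Conflict pairs, field layout and the log lines are
constructed for illustration."""
import csv
from collections import defaultdict
from io import StringIO

# Pairs of steps one person should not perform on the same purchase order.
SOD_CONFLICTS = {
    frozenset({"create_requisition", "issue_payment"}),
    frozenset({"approve_vendor", "issue_payment"}),
    frozenset({"issue_payment", "record_journal_entry"}),
    frozenset({"create_requisition", "record_journal_entry"}),
}

# Constructed log: timestamp, process instance (PO), user, function, amount
SAMPLE_LOG = """\
2024-03-01T09:00:00,PO-1001,jdoe,create_requisition,4200.00
2024-03-01T09:30:00,PO-1001,mlee,approve_vendor,0
2024-03-02T10:00:00,PO-1001,jdoe,issue_payment,4200.00
2024-03-02T10:05:00,PO-1001,ksmith,record_journal_entry,4200.00
2024-03-03T11:00:00,PO-1002,mlee,create_requisition,900.00
2024-03-03T12:00:00,PO-1002,tnguyen,issue_payment,900.00
2024-03-03T12:10:00,PO-1002,tnguyen,record_journal_entry,900.00
2024-03-04T08:00:00,PO-1003,jdoe,issue_payment,15000.00
"""


def parse_log(text):
    """Parse the CSV-style log into a list of event dicts."""
    rows = []
    for ts, po, user, func, amount in csv.reader(StringIO(text)):
        rows.append({"ts": ts, "po": po, "user": user,
                     "func": func, "amount": float(amount)})
    return rows


def review_transactions(rows):
    """Group events by purchase order and return a sorted list of
    (po, finding_kind, detail) tuples for a reviewer to question."""
    by_po = defaultdict(list)
    for r in rows:
        by_po[r["po"]].append(r)

    findings = []
    for po, events in sorted(by_po.items()):
        # Which steps did each user perform on this PO?
        per_user = defaultdict(set)
        for e in events:
            per_user[e["user"]].add(e["func"])
        for user, funcs in sorted(per_user.items()):
            for pair in SOD_CONFLICTS:
                if pair <= funcs:  # the same person did both conflicting steps
                    findings.append((po, "same_user_conflicting_steps",
                                     f"{user}:{'+'.join(sorted(pair))}"))
        # A payment with no requisition behind it is the classic "supporting
        # document is missing" flag from the review.
        steps = {e["func"] for e in events}
        if "issue_payment" in steps and "create_requisition" not in steps:
            payers = sorted({e["user"] for e in events
                             if e["func"] == "issue_payment"})
            findings.append((po, "payment_without_requisition", ",".join(payers)))
    return sorted(findings)


if __name__ == "__main__":
    for po, kind, detail in review_transactions(parse_log(SAMPLE_LOG)):
        print(f"{po}: {kind} ({detail})")
```

On the sample log this raises three items: PO-1001 where jdoe both raised the requisition and issued the payment, PO-1002 where tnguyen both paid and booked the entry, and PO-1003 where a payment went out with no requisition on file. None of those are proof of fraud; they are the "flags of suspicious-looking activities" a reviewer then follows up on with supporting documents. The control only works if the reviewer is someone other than the users in the log and cannot edit it, which is the same point Marcus makes about log ownership earlier in the thread.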
Jimmy C. Jouthe says
Brent,
Top-down is definitely the way to go, but it has to be balanced with a bottom-up approach as well. There are some things that Larry needs to do now to keep YNG from getting out of control while they strategize a plan that will get them aligned with the organization’s goals. He needs to apply IT administration controls, STAT. IT standards, policies and procedures need to be established/reestablished; this will assist in streamlining operations, reducing the budget and removing unnecessary processes. Evaluating and analyzing how IT operations are running now, and making changes (personnel, resources) that coincide and align with the goals of management, would have to be included in all that. An IT budget control definitely needs to be in place, and as you mentioned the main focus should be a top-down approach to improve their operations, but to get things moving now IT-wise, YNG needs to have some money set aside for that. And I agree IT and the business management group definitely need to work together through this.
Mengqi He says
James, I agree with you on the ranking of IT controls. I agree that IT standards, policies and procedures should be the most important because they set the “tone” of the company environment. I think the IT administration performance controls are the least important because they are more about improvement, doing things better. So, if a company does a good job on the rest of the controls, the administration performance control will become less important.
Jimmy C. Jouthe says
Wilson,
YNG was just integrating and applying bandaids when necessary. They were spending money without a plan and thus wasting it. It was getting out of hand.
I agree a scalable centralized IT system would work especially if YNG plans on taking on any new supermarkets in the future.
Richard Flanagan says
Tiesha,
OK but why didn’t management assess the situation well do you think? Are they just stupid or irresponsible? How would external consultants help?
Richard Flanagan says
Zhe,
Be careful with budgeting. Having a great budget means nothing if you are not monitoring your expenses, comparing them to your forecast, and then taking corrective action. Budgets are a preventative control, monitoring a detective control, and reacting is corrective.
Richard Flanagan says
Brock,
As we will talk about over the next couple of weeks, you don’t necessarily need to centralize everything but you do need to think about what you are doing and why. The fault is in not paying attention. Centralization brings various controls with it. If you are going to be decentralized you need to think about how you are going to compensate for those missing controls.
Richard Flanagan says
Snigdha,
I think you are onto something here. Does Larry need to go beyond the CEO? If so, who and why?