-
Paul Linkchorst wrote a new post on the site MIS5208 Spring 2017 7 years, 8 months ago
In today’s audit world, much of the substantiated evidence that we acquire during an IT audit is generated by computers. Such evidence can include scheduled reports run at various times or can be evidence p […]
-
Paul Linkchorst wrote a new post on the site MIS5208 Spring 2017 7 years, 8 months ago
It seemed that another successful businessman, Mark Cuban, just joined the likes of Bill Gates, Elon Musk, and Stephen Hawking in that they all believe that in the future, a notable chunk of the workforce will be […]
-
Paul Linkchorst posted a new activity comment 7 years, 9 months ago
Hey Mustafa,
Thanks for adding to the conversation/blog post. I can see how Benford’s law would not be applicable to those data sets. Also it is interesting that Benford might not apply to data sets under 500 records. If you were to perform a Benford analysis in Trans_April table in Lab 05/06, you will see that the arch does not fall within…[Read more]
-
Paul Linkchorst commented on the post, Week 03 – Discussion Question 2, on the site 7 years, 9 months ago
Hey Said,
I took the question’s “impact” on an organization more so to be like how the organization can utilize the technology and improve itself with not so much the “impact” being how much it costs financially. For example, utilizing an email application can “impact” the organization by offering a quicker and more reliable form of communicat…[Read more]
-
Paul Linkchorst commented on the post, Progress Report for Week Ending, March 15, on the site 7 years, 9 months ago
Hey Mustafa,
You bring a different perspective to the question. You state that if you were an auditee the worst thing that you can get would be “more findings”. What happens in a situation where the audit is performed on a newly designed process or department and that this is the first audit? If I am an auditee, I would like the auditor to…[Read more]
-
Paul Linkchorst wrote a new post on the site MIS5208 Spring 2017 7 years, 9 months ago
Last week I posted a tip on how to turn GUI actions into a script in ACL. I have been playing with ACL to familiarize myself with the software some more and found another trick that I thought I would share with […]
-
Paul Linkchorst commented on the post, Happy Birthday SNL // the typists from the Carol Burnett show, on the site 7 years, 9 months ago
Hey Blake,
This was a good article that you posted about. As others have stated, I would be a little wary giving up data to a third party but I guess it depends on what information and what organization I belong to. For example, if metadata pertaining to the actions of a web user needed to be analyzed for marketing purposes then I suppose I…[Read more]
-
Paul Linkchorst posted a new activity comment 7 years, 9 months ago
Which one of these do you consider the worst type from the standpoint of the auditee? Why? The auditee is the person or group responsible for the subject matter being audited.
In my opinion, the worst type of auditor from the auditee standpoint would be that of “The Cookbook Auditor”. This type of auditor is one who generally uses a che…[Read more]
-
Paul Linkchorst posted a new activity comment 7 years, 9 months ago
Technology changes at mind-boggling speeds, and it greatly affects businesses and enterprises. What do you consider to be more important, depth of knowledge in technology, or its impact on the enterprise?
I think the answer to this question should be determined on how you want your role to be within an organization. I say this because having a…[Read more]
-
Paul Linkchorst wrote a new post on the site MIS5208 Spring 2017 7 years, 9 months ago
During our class this past week, we discussed some of the various ways to perform data analysis utilizing ACL. One of those options discussed was that of utilizing scripts. A script is a series of commands […]
-
Paul Linkchorst commented on the post, Segregation of Duties and Collusion:, on the site 7 years, 9 months ago
Hi Priya,
The EY matrix suggestion sounds like the matrix we used in our ERP class. During that exercise, we had to assign roles and responsibilities to different job titles which did not always naturally fit into one employee’s job title. This required looking at the overall matrix to determine which tasks should be performed by which…[Read more]
-
Paul Linkchorst commented on the post, Segregation of Duties and Collusion:, on the site 7 years, 9 months ago
Shawn,
You brought up a really good point. When I think of fraud, my mind seems to always go to the big cases like Enron, where C-Suite executives were the ones behind the fraud which isn’t always the case. I can see now how this type of control might be more effective than I gave it credit for.
-
Paul Linkchorst commented on the post, Segregation of Duties and Collusion:, on the site 7 years, 9 months ago
Hey Shawn,
You bring up a good point about how geography can help strengthen segregation of duties.
From the fraudster’s perspective, geographical distances might mean that communication has to be on a logged/monitored channel (i.e. email, instant messenger, phone calls) and therefore this might deter fraud. I also have heard of mandated…[Read more]
-
Paul Linkchorst posted a new activity comment 7 years, 9 months ago
Hi Blake,
You are right. In my experiences working as an Internal Audit intern and an External Audit intern, it seemed that those who have not been an auditee seem to have this misperception. This, as a result, seemed to lead to a delay in receiving documentation from inexperienced auditees as they would go through the documentation with a…[Read more]
-
Paul Linkchorst wrote a new post on the site MIS5208 Spring 2017 7 years, 9 months ago
Since the establishment of the Sarbanes-Oxley Act, one of the most utilized internal controls for an organization to utilize is that of segregation of duties. Segregation of duties is the practice of splitting […]
-
I can think of two ways businesses can implement complementary controls to reinforce Segregation of Duties controls: geography and mandated leave.
Most of the “teeth” in SOX apply strictly to publicly traded companies, and those types of companies are typically quite large and spread over a large area of the country or even the planet. In that type of situation the business could spread the SOD’s across a large geographical area which would definitely prevent Tom, Dick, and Jane from getting together in the lunch room and hatching a plan to commit fraud through collusion. Although this doesn’t fully prevent personnel from developing relationships outside of work whereupon that type of collusion can be discussed, separating key personnel from each other by mileage can significantly help prevent collusion.
Many businesses force employees in key positions within the business to take vacation within a specific time period for a minimum length of time. During this time another employee carries out the duties and responsibilities of the vacationing employee in the hopes of discovering any intentional or unintentional errors committed by the employee. The mandated vacation policy acts as a deterrence to employees who might feel inclined to commit fraud since they will not be able to constantly hide the fraud from other employees as they will have to turn over their role(s) to other personnel each required time period.
-
Good point Paul. It is true that segregation of duties does not prevent collusion. I like that you mentioned complementary controls. But, what about simply rotation of duties? In fact, an employee is less likely to collude with someone to “steal” if the assignment is a temporary one. This goes with mandatory vacation Sean mentioned. The idea being that it would not only be easier to detect fraud when the perpetrator is away, but also complacence because when employees get complacent and have low morale, they are more predisposed to commit fraud.
-
I agree with you, Paul. Separation of duties restricts the amount of power or influence held by any individual. It also helps avoid conflicts in responsibilities for people and ensures that they are not responsible for reporting on themselves or their superiors. In my point of view, the issue of SoD is that many organizations lack a clear and coherent list of responsibilities assigned to high-level managers (e.g. CEO-CFO). They usually have high authority with low observation or checking from another part which may cause high impact if the fraud happens from their side.
-
Hey Shawn,
You bring up a good point about how geography can help strengthen segregation of duties.
From the fraudster’s perspective, geographical distances might mean that communication has to be on a logged/monitored channel (i.e. email, instant messenger, phone calls) and therefore this might deter fraud. I also have heard of mandated forced vacations as well, but I guess I supposed this was a control that looked good on paper but the effect is not as strong as those wished. Maybe it is my lack of experience, but do senior managers in an organization have their work performed by other members of the organization? I suppose forcing a mandated vacation might prevent a manager from being able to hide a fraud from occurring. With that being said, I would agree that these two types of controls can complement segregation of duties.
-
Well, if I remember correctly from Ed’s slides, 42% of fraud comes from line employees and 36% from managers. Since the majority of instances of fraud happen in those two groups it would be prudent for the business’s mandated vacation policy to affect those two groups to help mitigate the opportunity to hide any fraud being conducted. Like you stated, I imagine senior management, and I am implying C-Suite level, may not have personnel step in to their position to handle all duties and responsibilities when they are on vacation, but then I am not sure the kind of fraud a mandated vacation policy is intended to deter and/or detect is the type of fraud likely committed by senior management.
-
Shawn,
You brought up a really good point. When I think of fraud, my mind seems to always go to the big cases like Enron, where C-Suite executives were the ones behind the fraud which isn’t always the case. I can see now how this type of control might be more effective than I gave it credit for.
-
-
-
Paul, this is a well defined issue. In continuation to your article I read a post by EY which spoke about strengthening the SOD control. They suggest to take a risk based methodology for SOD. What companies should figure out is the conflict with the. A task based SOD is costly and this division does not effectively handle SOD control. Companies should build a landscape of conflicts and control each conflict if not remove it completely by SOD. This way management is definitely aware of conflict areas, they know where to focus and places where SOD can be improved. Management must study the conflict matrix to reduce the risk or accept where necessary.
EY defines steps for successful SOD
1. Study the company, roles, map them to business objective and determine conflict matrix.
2. Use the matrix as a tool to resolve SOD concerns. Management must also explore numerous ways of doing one task to explore all possible fraud areas. Determine not only the access and roles but various menus that are available for roles to perform tasks.
3. Testing: Testing of SOD must analyse the result of matrix. Try permutation and combination of business processes and tools, technical and business definitions to test SOD effectiveness.
– Test for entire application life cycle
– Test for intra vs cross application
Determine the risk rating based on level of conflict.
4. Mitigation: In this case, the risk cannot be removed completely but only can be minimized. Problem still exists in the system but control is established to minimize risk.
Conflict by conflict analysis is to document key controls to mitigate a risk. Thus the aim would be to bring risk of conflict to a tolerable level.
5. Remediation:
-Tactical role clean up – Are both sides of rights required to an employee to perform his job? Example: Write and execute and modify
-Strategic role clean up – Is the same person responsible for performing a role and monitoring it?
Cleaning of conflict matrix will result in a regulated SOD environment that would be efficient in practice and considers cost only where required.
Source [EY – A risk based approach to segregation of duties]
-
Hi Priya,
The EY matrix suggestion sounds like the matrix we used in our ERP class. During that exercise, we had to assign roles and responsibilities to different job titles which did not always naturally fit into one employee’s job title. This required looking at the overall matrix to determine which tasks should be performed by which individuals. Sometimes, you had an individual that performed two tasks that might have crossed into the gray area for SOD. Therefore, complementary controls such as reviews or authorizations can be implemented/performed to help mitigate the risk of fraud in these gray areas of which, should be tested for design and effectiveness.
-
-
Paul Linkchorst wrote a new post on the site MIS5208 Spring 2017 7 years, 9 months ago
Hello everyone,
My name is Paul Linkchorst and I am a 23-year-old student from the suburbs Northeast of Philadelphia. Growing up I always had a strong interest in technology and business. With this interest, […]
-
Paul Linkchorst posted a new activity comment 7 years, 11 months ago
Hi Yulun,
Interesting answer to this question with the “do your job” mentality. I think one of the key takeaways from this motto is that employees are tasked with performing certain actions or providing certain knowledge. While it is important to create efficiencies, it is not part of one’s job to take shortcuts or circumvent controls. There…[Read more]
-
Paul Linkchorst posted a new activity comment 7 years, 11 months ago
Hi Alex,
If you have the opportunity there is a great book called “The Smartest Guys in the Room” which outlines the various characters involved in the Enron scandal as well as goes into some detail on how the company fell. It is quite long but worth the read and shows how culture and organizational leaders can steer a company toward col…[Read more]
-
Paul Linkchorst posted a new activity comment 7 years, 11 months ago
Sean,
I think many of the c-suite executives do certain actions because their value is directly correlated with the business’s success since most of an executive’s payment comes in stock options. But you do bring a good question. For example, what if a business is losing money due to economic conditions and to make sure the company stays afl…[Read more]
-
Paul Linkchorst posted a new activity comment 7 years, 11 months ago
Hi Said,
To answer your question, there are some guidelines of how to go about reporting a fraud if someone is asking you to hide it. The IMA’s guidelines (Institute of Management Accountants) state that if you are asked to hide a fraud, talk to your supervisor. If the supervisor is involved, move up the chain of command which ultimately e…[Read more]