University of Michigan
University of Michigan Presentation Transcript

IT

Segregation of duties is commonly used in IT organizations so that no single person is in a position to introduce fraudulent or malicious code or modify data without detection. Strict control of software and data changes demands that the same person performs only one of the following roles:

  • Identification of a requirement or change request; e.g., business analyst/program manager
  • Authorization and approval; e.g., governance board or manager
  • Design and development; e.g., a programmer or developer
  • Review, inspection and approval; e.g., a second developer or manager
  • Implementation in production; i.e., software change or system administrator

To successfully implement segregation of duties in IT, a number of concerns need to be addressed:

  • Ensure a person's authorization rights in the system allow the least privilege required to do their job.
  • Use strong and secure authentication methods (i.e., knowledge of a password, possession of an object (key, token) or biometrics).
  • Circumvention of rights in the system can occur through vulnerabilities in database administration access, user administration access, tools that provide back-door access or supplier-installed user accounts. Specific controls such as a review of an activity log may be required to address this specific concern.

University of Michigan
Office of University Audits

We are committed to supporting the University with objective assurance and advisory services that assess risk and promote a strong internal control environment.

Wolverine Tower, 3rd Floor
3003 South State Street
Ann Arbor, MI 48109-1286

Additional Resources:

University Audits
http://www.umich.edu/~uaudits/internalcontrol/financial.internal.html

University of Michigan Statement on Stewardship
http://www.hr.umich.edu/stewardship.html

University of Michigan Standard Practice Guide
http://spg.umich.edu/pdf/501.07-1.pdf
http://spg.umich.edu/pdf/519.03.pdf
http://spg.umich.edu/pdf/507.01.pdf
http://spg.umich.edu/pdf/601.24.pdf

Office of Internal Controls
http://www.umich.edu/~avpf/InternalControls.htm
Segregation of duties is a key management tool. When properly segregated, tasks and associated privileges for a specific business process are distributed among multiple employees.

Why Segregation of Duties?

Provides many benefits:

  • Detects most normal clerical errors and even systemic errors
  • Prevents unauthorized or questionable transactions before they occur
  • Supports University stewardship
  • Deters and detects fraud
  • Protects innocent employees from wrongful accusations

What is Segregation of Duties?

  • No single individual should have control over two or more phases of a transaction or operation
  • Management should assign responsibilities to ensure duties are properly segregated
  • Segregated roles: Authorization, Custody, Record Keeping, and Reconciliation

Authorization: the process of reviewing and approving transactions or operations.

  • Approving purchase requisitions, non-PO vouchers, P-Card expenses, and PeoplePay payments
  • Approving time sheets, leave requests, new hires, and personnel changes
  • Verifying cash collections and daily balancing reports

Custody: access to or control over any physical asset such as cash, checks, equipment, supplies or materials.

  • Access to any funds through the collection of funds or processing of payments, including petty cash custodian
  • Access to safes, lock boxes, file cabinets, equipment rooms, or other places where money, checks or other valuable items are stored
  • Receiving any goods or services
  • Maintaining inventories
  • Handling or distributing paychecks or other payments

Record keeping: the process of creating and maintaining records of revenues, expenditures, inventories, and personnel transactions.

  • Preparing cash receipt deposits, invoices, purchase requisitions, personnel or payroll changes
  • Entering charges or posting payments to an accounts receivable system
  • Maintaining inventory records
  • Payroll time-keeping
  • Acting as systems administrator

Reconciliation: verifying the processing or recording of transactions to ensure that all transactions are valid, properly authorized, and recorded.

  • Comparing collections to amounts deposited per the accounting records and bank deposits
  • Comparing source billing documents to system-generated billing summaries
  • Comparing time sheets to gross pay registers
  • Performing physical inventory, supplies or equipment counts
  • Comparing P-Card expenses to receipts
  • Reconciling Statements of Activity

In addition, these additional controls should be put in place to make segregation of duties more effective:

  • Review by a higher administrative authority of reconciliation of Statements of Activity and Gross Pay Registers
  • Review of purchasing and inventory
  • Preapproval for purchasing, travel, and hosting
  • Review of transaction logs
  • Review of exception reports
  • Follow prescribed, written procedures
  • Ensure system authorization rights are in line with job roles

In small departments when duties cannot be fully separated, at a minimum, custody (receiving/management of assets) should be separate from approval and reconciliation. The additional controls listed above will provide more assurance for the segregation of duties.
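
An added example, not part of the brochure or of any University of Michigan tooling: a Python check of the kind an activity-log review could run, flagging a person who performs more than one of the five IT change roles on the same change, and a person who combines the Authorization, Custody, Record Keeping and Reconciliation duties (with the small-department minimum as an option). The record layout, role keys, names and change IDs are constructed for illustration.

```python
from collections import defaultdict

# Role keys are assumed short names for the brochure's five IT change roles.
IT_ROLES = {"request", "authorize", "develop", "review", "implement"}
# Small-department minimum: custody kept apart from approval and reconciliation.
MINIMUM_CONFLICTS = [("custody", "authorization"), ("custody", "reconciliation")]

# Constructed sample records: (change id, person, role performed).
SAMPLE_EVENTS = [
    ("CHG-1", "alice", "request"), ("CHG-1", "bob", "authorize"),
    ("CHG-1", "carol", "develop"), ("CHG-1", "dave", "review"),
    ("CHG-1", "erin", "implement"),
    ("CHG-2", "alice", "request"), ("CHG-2", "bob", "authorize"),
    ("CHG-2", "carol", "develop"), ("CHG-2", "carol", "review"),
    ("CHG-2", "carol", "implement"),
]
# Constructed duty assignments for one business process.
SAMPLE_DUTIES = {
    "frank": {"custody", "record_keeping"},
    "grace": {"custody", "reconciliation"},
    "heidi": {"authorization"},
}


def it_change_conflicts(events):
    """Map change id -> {person: roles} where one person held several roles."""
    held = defaultdict(lambda: defaultdict(set))
    for change_id, person, role in events:
        if role not in IT_ROLES:
            raise ValueError(f"unknown role {role!r} on {change_id}")
        held[change_id][person].add(role)
    findings = {}
    for change_id, people in held.items():
        multi = {p: sorted(r) for p, r in people.items() if len(r) > 1}
        if multi:
            findings[change_id] = multi
    return findings


def business_conflicts(assignments, small_department=False):
    """Map person -> conflicting duties; the full rule allows one duty each."""
    findings = {}
    for person, duties in assignments.items():
        if small_department:
            bad = sorted({d for a, b in MINIMUM_CONFLICTS
                          if a in duties and b in duties for d in (a, b)})
        else:
            bad = sorted(duties) if len(duties) > 1 else []
        if bad:
            findings[person] = bad
    return findings
```

With `small_department=True` the custody and record-keeping combination is tolerated, which is where the additional controls the brochure lists (review of transaction logs and exception reports, higher-level review of reconciliations) carry the remaining assurance.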