University of Michigan

1. IT

Segregation of duties is commonly used in IT organizations so that no single person is in a position to introduce fraudulent or malicious code or modify data without detection. Strict control of software and data changes demands that the same person performs only one of the following roles:

  - Identification of a requirement or change request; e.g., business analyst/program manager
  - Authorization and approval; e.g., governance board or manager
  - Design and development; e.g., a programmer or developer
  - Review, inspection and approval; e.g., a second developer or manager
  - Implementation in production; i.e., software change or system administrator

To successfully implement segregation of duties in IT, a number of concerns need to be addressed:

  - Ensure a person's authorization rights in the system allow the least privilege required to do their job.
  - Use strong and secure authentication methods (i.e., knowledge of a password, possession of an object (key, token) or biometrics).
  - Circumvention of rights in the system can occur through vulnerabilities in database administration access, user administration access, tools that provide back-door access or supplier-installed user accounts. Specific controls such as a review of an activity log may be required to address this specific concern.

University of Michigan
Office of University Audits

We are committed to supporting the University with objective assurance and advisory services that assess risk and promote a strong internal control environment.

Wolverine Tower, 3rd Floor
3003 South State Street
Ann Arbor, MI 48109-1286

Additional Resources:
  - University Audits: financial.internal.html
  - University of Michigan Statement on Stewardship
  - Standard Practice Guide
  - Office of Internal Controls
2. Segregation of duties is a key management tool. When properly segregated, tasks and associated privileges for a specific business process are distributed among multiple employees.

Why Segregation of Duties?

Provides many benefits:
  - Detects most normal clerical errors and even systemic errors
  - Prevents unauthorized or questionable transactions before they occur
  - Supports University stewardship
  - Deters and detects fraud
  - Protects innocent employees from wrongful accusations

What is Segregation of Duties?
  - No single individual should have control over two or more phases of a transaction or operation
  - Management should assign responsibilities to ensure duties are properly segregated
  - Segregated roles: Authorization, Custody, Record Keeping, and Reconciliation

Authorization: the process of reviewing and approving transactions or operations.
  - Approving purchase requisitions, non-PO vouchers, P-Card expenses, and PeoplePay payments
  - Approving time sheets, leave requests, new hires, and personnel changes
  - Verifying cash collections and daily balancing reports

Custody: access to or control over any physical asset such as cash, checks, equipment, supplies or materials.
  - Access to any funds through the collection of funds or processing of payments, including petty cash custodian
  - Access to safes, lock boxes, file cabinets, equipment rooms, or other places where money, checks or other valuable items are stored
  - Receiving any goods or services
  - Maintaining inventories
  - Handling or distributing paychecks or other payments

Record keeping: the process of creating and maintaining records of revenues, expenditures, inventories, and personnel transactions.
  - Preparing cash receipt deposits, invoices, purchase requisitions, personnel or payroll changes
  - Entering charges or posting payments to an accounts receivable system
  - Maintaining inventory records
  - Payroll time-keeping
  - Acting as systems administrator

Reconciliation: verifying the processing or recording of transactions to ensure that all transactions are valid, properly authorized, and recorded.
  - Comparing collections to amounts deposited per the accounting records and bank deposits
  - Comparing source billing documents to system-generated billing summaries
  - Comparing time sheets to gross pay registers
  - Performing physical inventory, supplies or equipment counts
  - Comparing P-Card expenses to receipts
  - Reconciling Statements of Activity

In addition, these additional controls should be put in place to make segregation of duties more effective:
  - Review by a higher administrative authority of reconciliation of Statements of Activity and Gross Pay Registers
  - Review of purchasing and inventory
  - Preapproval for purchasing, travel, and hosting
  - Review of transaction logs
  - Review of exception reports
  - Follow prescribed, written procedures
  - Ensure system authorization rights are in line with job roles

In small departments, when duties cannot be fully separated, at a minimum custody (receiving/management of assets) should be separate from approval and reconciliation. The additional controls listed above will provide more assurance for the segregation of duties.