Posted on: 5/9/2011 (7 pages)
Beyond the Obvious for Segregation of Duties: Implementing a Hierarchical Segregation of Duties Approach and Other Challenges
By Anthony Tarantino and Jeff Hare

Introduction

Segregation of Duties (SOD) has come under much greater scrutiny with the process-control requirements mandated by Section 404 of the Sarbanes-Oxley Act (SOX). Segregation of duties should provide assurance that no one individual has the physical and system access to control all phases of a business process or transaction, from authorization to custody to record keeping. Where conflicts exist in segregation of duties, organizations can be exposed to significant risk. Auditors look for conflicts in which one individual has access to responsibilities that are inherently in conflict with one another, such as purchasing and accounts payable, purchasing and receiving, or general ledger and supply management. The resulting exposures can arise from innocent, unintentional errors or from intentional, criminal fraud.

Current State of Segregation of Duties (SOD)

Most companies have been scrambling to identify SOD conflicts and remediate them in their applications, but may have overlooked some areas of exposure that could cause problems in the future. We will discuss four of these problems: the ability to override controls based on positional authority; the positions that support and maintain the applications and can override the controls; 'critical request' situations; and controls that span both process and application controls.
Overriding Process Controls as it Pertains to SOD

To relate SOD to the procure-to-pay process, a successful SOD would separate the following functions:

The conventional view of most auditors is that good segregation of duties greatly reduces the chance of unilateral error or fraud and requires collusion between or among multiple employees for errors to go undetected. While this is true, it is a narrow view that does not consider how segregation of duties relates to hierarchical approvals. Hierarchical, or multi-level, approvals refer to a concept whereby authorizations are attached to positions in a hierarchy rather than to individual users. The procure-to-pay process is perhaps the best example of this type of control: purchase orders are approved at increasing dollar values as they move up the hierarchy. The traditional approach to developing and monitoring SOD often leaves out the possibility that the process controls can be overridden at some level of the organization.

Further complicating the ability to maintain segregation of duties and provide viable checks and balances, consider the same reporting relationship in a global organization in which each functional area is located in a different time zone or even on a different continent, with users speaking different languages. In many of these locations, American notions of ethics and corporate governance are not understood or followed. Many of those who handle these transactions are clerical-level staff who are conditioned to follow instructions without questioning or evaluating them.

The Need for a Hierarchical Segregation of Duties (HSOD)

What is needed is a hierarchical segregation of duties (HSOD) approach, which at a minimum would do the following:

1. Identify individual conflicts in segregation of duties
2. Identify the roles and responsibilities of the individuals involved
3. Identify the reporting relationships of the individuals involved
4. Identify HSOD conflicts that occur at higher levels within the organization

While existing SOD controls may be able to identify and prevent obvious conflicts at the clerical and transactional levels, they do nothing to address the ease with which higher-level supervisors and managers may make mistakes or commit fraud. Just as important, a narrow SOD approach does not address the need for executive-level SOD, i.e., the need for critical business decisions to be reviewed and approved by key stakeholders outside the decision maker's own area. For instance, key stakeholders in finance and sales should review long-term planning and forecasting decisions made by supply management, while sales forecasts should be approved by key stakeholders in supply management and finance.

In our example, good business practice would argue that supplier master control should be segregated from all supply chain and procurement responsibilities fairly high up in the hierarchy. It would look something like this:

The prevention of errors and wrongdoing is only one aspect of the HSOD process. What follows is a checklist of areas of concern in the procure-to-pay process from an HSOD perspective.

Auditor Tests, a Snapshot in Time

Auditor tests, both manual and using software tools, are often only a snapshot in time. Their activities and schedules are typically well understood by company employees. There may be little to prevent internal users from changing responsibilities to pass an audit and then changing them back after the auditors depart. Most organizations lack the controls needed to catch the switch.
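The four HSOD steps above, together with the "snapshot in time" concern, can be checked mechanically. The following Python script is an added example and is not code from the original paper or from any GRC product. It takes a constructed list of responsibility grants with start and end dates, a constructed reporting tree, and the procure-to-pay conflict pairs named on this page (purchasing vs. payables, purchasing vs. receiving, supplier master vs. the rest of the chain), then reports direct conflicts (step 1) and hierarchical conflicts (steps 3 and 4) for every day of the review period rather than only on the audit date. The modelling assumption, which the page argues for but does not state in these terms, is that a position effectively controls every function held by anyone below it in the reporting line, because approvals flow up and instructions flow down. The user names (clerk_po, mgr_ops, and so on), the dates, and the grants are invented for the sample.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

# Procure-to-pay functions discussed on this page and the pairs that must not be
# controlled by one person: purchasing vs. payables, purchasing vs. receiving,
# and supplier master vs. every other step in the chain.
CONFLICT_PAIRS = {
    frozenset(p) for p in [
        ("purchase_order", "ap_invoice"),
        ("purchase_order", "receiving"),
        ("supplier_master", "purchase_order"),
        ("supplier_master", "receiving"),
        ("supplier_master", "ap_invoice"),
    ]
}


@dataclass(frozen=True)
class Grant:
    """One application responsibility held by a user over a date range.
    `revoked` is exclusive; None means the grant is still active."""
    user: str
    function: str
    granted: date
    revoked: Optional[date] = None

    def active_on(self, day: date) -> bool:
        return self.granted <= day and (self.revoked is None or day < self.revoked)


def direct_functions(grants: List[Grant], user: str, day: date) -> Set[str]:
    """Steps 1 and 2: the functions a user holds in the application on `day`."""
    return {g.function for g in grants if g.user == user and g.active_on(day)}


def subordinates(manager_of: Dict[str, Optional[str]], user: str) -> Set[str]:
    """Step 3: everyone reporting to `user`, directly or transitively."""
    found: Set[str] = set()
    frontier = {user}
    while frontier:
        frontier = {u for u, m in manager_of.items() if m in frontier and u not in found}
        found |= frontier
    return found


def effective_functions(grants, manager_of, user, day) -> Set[str]:
    """Step 4 input. Modelling assumption (not the paper's wording): a position
    controls every function held below it in the reporting line, because
    approvals flow up the hierarchy and instructions flow down it."""
    funcs = direct_functions(grants, user, day)
    for sub in subordinates(manager_of, user):
        funcs |= direct_functions(grants, sub, day)
    return funcs


def conflicting_pairs(functions: Set[str]) -> Set[frozenset]:
    return {frozenset(p) for p in combinations(sorted(functions), 2)} & CONFLICT_PAIRS


Finding = Tuple[str, str, Tuple[str, str]]  # (user, "direct"|"hierarchical", (fn_a, fn_b))


def scan(grants, manager_of, start: date, end: date) -> Dict[Finding, Tuple[date, date]]:
    """Evaluate every day in [start, end] instead of one audit date, so a grant
    added and removed between auditor visits still surfaces. Returns the first
    and last day each finding was observed (gaps in between are not tracked)."""
    findings: Dict[Finding, Tuple[date, date]] = {}
    day = start
    while day <= end:
        for user in manager_of:
            direct = conflicting_pairs(direct_functions(grants, user, day))
            hier = conflicting_pairs(effective_functions(grants, manager_of, user, day)) - direct
            for kind, pairs in (("direct", direct), ("hierarchical", hier)):
                for pair in pairs:
                    key = (user, kind, tuple(sorted(pair)))
                    first = findings.get(key, (day, day))[0]
                    findings[key] = (first, day)
        day += timedelta(days=1)
    return findings


# Constructed sample data, not taken from the paper. user -> manager; None = top.
MANAGER_OF = {
    "clerk_po": "mgr_ops", "clerk_recv": "mgr_ops", "mgr_ops": "vp_ops", "vp_ops": None,
    "clerk_ap": "mgr_finance", "mgr_finance": None,
}
AUDIT_DATE = date(2004, 12, 15)
GRANTS = [
    Grant("clerk_po", "purchase_order", date(2004, 10, 1)),
    Grant("clerk_recv", "receiving", date(2004, 10, 1)),
    Grant("clerk_ap", "ap_invoice", date(2004, 10, 1)),
    Grant("mgr_ops", "supplier_master", date(2004, 10, 1)),
    # Payables entry given to the PO clerk "to cover a vacation" and taken away
    # again three weeks before the auditors arrive.
    Grant("clerk_po", "ap_invoice", date(2004, 11, 1), date(2004, 11, 21)),
]


def demo():
    """Point-in-time check on the audit date versus a scan of the whole quarter."""
    snapshot = conflicting_pairs(direct_functions(GRANTS, "clerk_po", AUDIT_DATE))
    period = scan(GRANTS, MANAGER_OF, date(2004, 10, 1), date(2004, 12, 31))
    return snapshot, period


if __name__ == "__main__":
    snapshot, period = demo()
    print("clerk_po direct conflicts on the audit date:", snapshot or "none")
    for (user, kind, pair), (first, last) in sorted(period.items()):
        print(f"{user:12} {kind:12} {' / '.join(pair):34} {first} .. {last}")
```

Run as written, the scan shows that clerk_po held purchase-order entry and payables entry together from 1 November to 20 November and was clean on the 15 December audit date, and that mgr_ops and vp_ops control supplier master together with purchasing and receiving through their reports even though neither holds a conflicting pair directly. Feeding this a daily export of responsibility assignments, rather than the auditors' one-day snapshot, is what catches the grant-then-revoke pattern described above; the hierarchical findings are the ones a conventional user-level SOD review never produces.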
Planning, Scheduling, and Forecasting Controls

Ironically, most organizations have developed very robust controls for the procurement and payment processes but have typically done much less to control the overall master scheduling, planning, and forecasting process. One error or intentional fraud at this level can cascade into hundreds of mistakes at the execution level within procurement and supply management. This is further complicated by the global and outsourced nature of many organizations, and by players who are located in different countries or who came in through multiple mergers and acquisitions. The typical SOD approach does not address these issues. A robust HSOD solution should include approval workflows that standardize and automate the review and approval of master schedules, forecasts, and plans. Ideally, the process would include a risk assessment of the various planning and forecasting assumptions and decisions.

Buyer/Planner Approach

Many organizations have adopted a buyer/planner (or buyer/scheduler) approach in which the traditional purchasing and planning functions are merged under one individual. Segregating these functions provides checks and balances but creates inefficiencies and delays. As mentioned above, very tight controls are typically in place for procurement, but the controls around master scheduling, planning, and forecasting are typically much looser, whether at a senior level or at the buyer/planner level. Auditors may lack the understanding of this process's complexity needed to develop adequate test scenarios and audits.

So Why Is This Essential? – Examples of SOD and HSOD Fraud

Various surveys have shown that most fraud is committed at the executive levels of organizations. This is not to minimize the impact of fraud at lower levels, which SOD will help to prevent.
What follows are examples of SOD and HSOD fraud. We will suggest that HSOD fraud is a much larger risk than SOD fraud. To paraphrase the classic TV show, the stories are true, but the names (commodities) have been changed to protect the innocent (and the authors).

SOD Fraud: A major appliance manufacturer had a very profitable repair depot in which appliances both within and beyond warranty were received from customers, repaired, renovated, and returned. If a unit was beyond repair, it was scrapped and replaced with a rebuilt or new unit. The man running the repair depot was technically adequate, but the consensus of management was that he was not very bright and needed a lot of hand-holding on how to perform the required system transactions. In his position he performed receiving transactions (from customers), inventory transactions (scrapping units and issuing components), and shipping transactions (to customers). In fact he was dumb like a fox, running a side business selling refurbished units. It was quite simple: he created a false scrap transaction for a unit, refurbished it, and sold it to some of the company's customers at a steep discount. Since he controlled all the required transactions, no one in the organization suspected the fraud until the Saturday afternoon a senior manager came into the office to catch up on some work and caught him loading a truck with several units. It was estimated that he was taking in $50,000 per year from his venture.

HSOD Fraud: A major automotive accessories manufacturer purchased a great deal of aluminum coil. Coil can be procured by actual net weight or by a theoretical minimum weight (TMW) calculation.
Using TMW, the buyer typically pays a small premium but is assured of paying only for the theoretical minimum weight rather than the actual, higher net weight of the material. The head of operations made a deal with the company's largest supplier to defraud the company by charging for more weight than was actually received. This required her to manipulate the purchasing, receiving, and accounts payable processes. She convinced a naive and inexperienced buyer that the POs to the supplier were in TMW and therefore did not need to be weighed on receipt. In truth, TMW purchases should be weighed and the TMW calculation verified by measuring the length of the coils. The buyer in turn instructed receiving not to weigh the coils because they were TMW. The head of operations helped her cause by blocking the purchase of an electronic scale large enough to weigh the great majority of coils. Receiving was instructed to enter the weights on the packing lists as the actual net weights, so accounts payable and finance had no reason to suspect fraud. A consultant was hired by the company president to revamp the organization. Unfortunately for the head of operations, the consultant had a background in buying TMW and suspected fraud. She verified it by weighing the smaller coils that the electronic scale could accommodate: every coil was 7% to 10% underweight. The calculated fraud was over $1 million per year and had been in place for five years.

Note what makes this an HSOD failure rather than a SOD failure: purchasing, receiving, and payables were held by different people, exactly as a conventional SOD review requires, yet a single senior position was able to direct the purchasing and receiving steps and so feed false weights to payables.

Support and Maintenance Positions that Can Override Controls

Because of the complexity of maintaining and supporting ERP applications, many IT departments (or external consultants) have virtually unlimited access as System Administrators or Super Users. There is often a need for Super Users to access production environments. Granting production access to such Super Users adds risk, as they may override the controls while providing system support.
Unlike in mainframe environments, technical limitations in the database make it impossible, from a performance standpoint, to keep a complete audit trail of everything a user does. Audit trails are built table by table, and because of the extreme volume in some transactional tables, such as those where payables invoices or purchase orders are stored, a complete audit trail cannot be maintained for Super Users, who are often given unlimited access to the applications for the sake of supporting production users.

The System Administrator role is another area of significant risk. It grants access to business functions and is often held by someone who also has other roles such as development, Super User, or even database administration. In many companies the System Administrator is the final gatekeeper preventing a user from obtaining two or more functions that together would violate SOD. Because of this, administrators inevitably become familiar with how a user could violate good controls, and with that knowledge and the System Administrator role they have the ability to violate SOD and internal controls themselves. Write access to the database adds further risk and should also be considered in the design of SOD controls.

Business-Critical Situations and the Override Possibilities

Has your business ever been forced to override process controls because of business-critical issues? Have parts shortages or supplier quality issues caused your company to circumvent process controls or face shutting down the production line? How many times have you overridden process controls for the sake of expediency, or because a key approver was on vacation or tied up in a meeting?
If so, you have overridden process controls and caused a violation of your controls. Does your process documentation account for the override of such controls and define when, and by whom, they can be overridden? Good business practice would argue that supplier master control should be segregated from all supply chain, procurement, and payables responsibilities. Does your process for adding suppliers define when and who can override that control? If not, how can you expect a clerk to discern when it is appropriate to override it for critical business reasons? What if it is the clerk's boss who asks for the override, and the boss also happens to have the ability to enter invoices in Payables or create purchase orders? That one override may be what allowed the manager to commit fraud. So, in defining process controls, do not be idealistic: make sure the exceptions to the process are clearly defined. If such decisions are made on the fly, you cannot always count on someone making the right decision. A violation of the process controls then becomes a control that has not been in place for the whole quarter and will require extra scrutiny when your CFO and CEO make the company's quarterly Section 302 controls assertions and during your Section 404 audit.

Controls Spanning Both Process and Application Controls

Have you properly identified and developed controls that span both basic process controls and the associated application controls? Consider the example of entering a supplier, a key function that should not be held by anyone who has the ability to enter invoices or purchase orders. There are two components to this process. The first is the identification and approval of the use of that supplier. This should include qualification of the supplier: that it is capable of providing the goods or services in the quantity you need and that it is financially sound.
After this qualification, the supplier must be entered in your payables and/or purchasing system. Often the focus is on one discipline rather than the whole picture. The process should start with completion of the New Supplier Form by the supplier, or third-party verification of the form's data against an external database of public records, to confirm the validity of the supplier and the accuracy of the information entered. This prevents someone from fraudulently completing the New Supplier Form. It is a process control that happens outside any system. Next, the ability to enter the supplier in the payables and/or purchasing system must be considered, so that the person with this function does not also have the ability to enter invoices or purchase orders. Hence, the controls for the business process of entering a supplier need to be reviewed from both a process and an application perspective. Finally, as noted earlier, the procedure for overriding the normal process for 'critical' requests should be clearly stated, including who is authorized to override the policy and under what circumstances. This makes it clear to the gatekeeper of the process when, and by whom, the process can be overridden, so that there can be no confusion.

Conclusion

For companies, getting through the initial Section 404 audits has been the top priority and has included measures to address SOD conflicts. However, several issues may still need to be addressed as 2005 is upon us and Section 302 reports are being issued. The danger is being lulled into a false sense of security because auditors did not catch the issues during the 404 audits or have not yet addressed them in their questionnaires and audit plans.
However, just as companies are becoming more sophisticated in identifying issues, auditors are also becoming smarter about the various risks at a more detailed level. I, for one, wouldn't want my auditor to identify such issues in next year's 404 audit.

Reference: Copied in part from "Hierarchical Segregation of Duties" by Anthony Tarantino, Cutter IT Journal, Volume 7, Number 22, December 2004.

Questions and Comments: The authors welcome your questions and comments. Tony can be reached at firstname.lastname@example.org and Jeffrey can be reached at email@example.com.

About the Authors

Anthony Tarantino, Ph.D., CPIM, CPM
Anthony Tarantino is an expert in supply chain management with 10 years of executive-level consulting experience and 20 years of industry experience in supply management. Dr. Tarantino has nearly 30 years' experience in management positions in a variety of industries. He now helps clients achieve supply chain excellence with improved corporate governance. He is a regular contributor to various publications, including Inside Supply Management, Sarbanes-Oxley Compliance Journal, Cutter IT Journal, and Line 56, on topics such as corporate governance and Sarbanes-Oxley as well as informational supply chain and e-business. Dr. Tarantino holds a CPIM from APICS, is pursuing his lifetime Certified Purchasing Manager (CPM) certification from the Institute for Supply Management (ISM), has a Ph.D. in organizational communications from the University of California, Irvine, and a B.A. from the University of California, Santa Cruz. He can be reached at firstname.lastname@example.org.

Jeffrey T. Hare, CPA
Jeffrey T. Hare is the founder and President of ERP Seminars. He is a CPA and one of the thought leaders on SOX compliance in an Oracle Applications environment.
His experience prior to entering the Oracle Applications space includes public accounting, Controller, and CFO roles. His Oracle experience includes serving as PM on the client side in his Controller role and over five years of consulting experience. He has written many white papers on SOX compliance in an Oracle Applications environment and articles for various industry publications. He can be reached at email@example.com. White papers can be requested at www.erpseminars.com.
"Beyond the Obvious for Segregation of Duties Implementing a "