AP MATTERS
Issue: Jan - Feb 2010
Control Center
By Chris Doxey  

Restricted access is key to keeping systems secure

Let’s face it: Even with the best of intentions, sometimes mistakes happen. Other times, errors are introduced deliberately. Whether they are intentional or not, errors are more likely to be detected in the presence of controls such as segregation of duties. Within the procure-to-pay cycle, this control can avoid situations in which one individual can establish a vendor, create an invoice, initiate a receiving document, and pay an invoice.

The segregation of duties provides four primary benefits:
1) The risk of a deliberate fraud is mitigated because the collusion of two or more persons would be required in order to circumvent controls.
2) The risk of legitimate errors is mitigated because the likelihood of detection is increased.
3) The cost of corrective actions is mitigated because errors are generally detected relatively early in their lifecycle.
4) The organization’s reputation for integrity and quality is enhanced through a system of checks and balances.
Segregation of duties is a basic, key internal control and one of the most difficult to accomplish. In essence, there is greater assurance that internal control responsibilities will be fully deployed when there is increased dispersion of such responsibilities among multiple individuals and work groups.
To support segregation of duties, it is critical to ensure that proper access to accounting and financial systems is validated and reviewed with a systems access control process. Improper system access can create the opportunity for an individual to commit fraud and cover his or her tracks.
Systems access controls apply to both domestic and international financial and operational systems and are an integral part of segregation of duties. The scope of the systems access controls is worldwide. The controls apply to the approval of new access requests and the establishment of an internal controls environment for general system access.

Systems access controls ensure that transactions cannot be systematically generated to create segregation of duties control issues. There are two types of segregation of duties controls that must be in place: control of security object privileges, and control of multiple security profiles.

Responsibilities
Systems access is defined based on individual employee roles and responsibilities within financial and operational processes. Access should be reviewed periodically, such as once a month, to reflect changes in organizational responsibility.

Risk assessment
If systems access controls are not implemented, the following control weaknesses can occur:
• The same user can authorize a purchase and receive the goods from that transaction.
• The same user can perform inventory management and physical counts.
• Sales can be invoiced and cash applied by the same user.
• The same user can approve a sales order and the terms of sale.
• The same user can modify an evaluated receipts contract and receive against a purchase order.
• Products can be shipped and sales order tolerances modified.
• A vendor can be established in the accounts payable process and payments can be executed.
• An accounts payable user can create an erroneous accounts receivable transaction.
• A general ledger user can post and pay accounts payable invoices.

Control measures
Lack of proper controls can have additional negative impacts, including:

Security object privileges: If these are not properly defined, conflicts can occur in which the user has excessive or conflicting access. A segregation of duties issue arises when profiles, roles, or classes are not well-defined at the user level. The conflicting privileges introduce risk when assigned to a user through a single security object.

Multiple security profiles: If these are not properly defined, conflicts can occur in which the cumulative privileges of the user are excessive and conflicting. The conflicting privileges introduce risk when assigned to a user through multiple security objects.

Validation and control review
Management should circulate application-level reports to the appropriate IT and business personnel for ongoing validation. A periodic review of effectiveness should be completed each quarter. Validation should occur at three levels:
1. Validation of conflict definitions, which indicate the conditions that constitute a conflict in duties. Consider monitoring controls that may mitigate the risk of a conflict definition.
2. Validation of technical segregation of duties reports, which outline the existing conflicts.
3. Testing performed by internal audit.
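
The two conflict types described under "Control measures" and the conflict definitions and technical reports described above can be illustrated with a short report generator. This is an added example, not part of the original article; the privilege names, role names, and user assignments are constructed, with the conflict pairs taken from the duties listed under "Risk assessment".

```python
# Conflict definitions: pairs of duties one person should not hold together.
# Privilege names are hypothetical labels for duties named in the article.
CONFLICTS = {
    frozenset({"vendor.create", "payment.execute"}),
    frozenset({"purchase.authorize", "goods.receive"}),
    frozenset({"sales.invoice", "cash.apply"}),
}

# Constructed sample data: security objects (roles) and user assignments.
ROLES = {
    "AP_CLERK": {"invoice.enter", "payment.execute"},
    "VENDOR_ADMIN": {"vendor.create"},
    "BUYER": {"purchase.authorize"},
    "AR_SUPER": {"sales.invoice", "cash.apply"},
}
USERS = {
    "alice": ["AP_CLERK", "VENDOR_ADMIN"],
    "bob": ["AR_SUPER"],
    "carol": ["BUYER", "AP_CLERK"],
}


def sod_report(users, roles, conflicts):
    """Return sorted (user, kind, privilege pair, roles involved) findings."""
    findings = []
    for user, assigned in users.items():
        for pair in conflicts:
            a, b = sorted(pair)
            # Case 1: a single security object grants both sides of the conflict.
            single = [r for r in assigned if pair <= roles.get(r, set())]
            if single:
                findings.extend((user, "single_object", (a, b), (r,)) for r in single)
                continue
            # Case 2: the conflict only appears in the cumulative privileges
            # of several security profiles assigned to the same user.
            has_a = [r for r in assigned if a in roles.get(r, set())]
            has_b = [r for r in assigned if b in roles.get(r, set())]
            if has_a and has_b:
                involved = tuple(sorted(set(has_a + has_b)))
                findings.append((user, "multiple_profiles", (a, b), involved))
    return sorted(findings)


if __name__ == "__main__":
    for finding in sod_report(USERS, ROLES, CONFLICTS):
        print(finding)
```

A "single_object" finding is fixed by redefining the role itself, while a "multiple_profiles" finding is fixed by changing the user's assignments or documenting a mitigating monitoring control.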
 