Testing segregation of duties 547
-
How is everyone testing this control? Is it just a system access issue? I see it as both that as well as a policy. Is reviewing job descriptions a good enough test for the control? For example, I have two controls:
1 - Credit funtions are independent of order entry.
2 - System access to credit funtions is limited to the Credit specialist.
Are these two controls or just one?
-
Cheryl -
The best way to test this is to log on as a Credit Specialist and and an Order Entry person to see if they system allows any ‘backdoors’. For instance, if you log on as a Credit Specialist, can you still go to the menu or screens that an Order Entry person sees and vice versa.
With my experience with ERP/Security and knowledge of SOX, I would agree that the Credit functions are independent from Order Entry and system access to credit functions should be limited to a Credit Specialist only.
Treat this as 2 control activities and make one a key for testing purposes.
My 2 cents…
How is everyone testing this control? Is it just a system access issue? I see it as both that as well as a policy. Is reviewing job descriptions a good enough test for the control? For example, I have two controls:
1 - Credit funtions are independent of order entry.
2 - System access to credit funtions is limited to the Credit specialist.
Are these two controls or just one?