Developers having access to enter business transactions



  • Our external auditors are having difficulty with the fact that the developers of our ERP system have access to enter a business transaction.
    We have an older ERP system in place, FACTS if anyone is familiar with it, and let's just say it is not exactly built with great security in mind. Our auditors, which are one of the Big 4, refuse to look past this and say that they will not be able to deem our IT controls effective with this issue on the board. We are a relatively small IT shop and already have segregation issues, and the bottom line is that someone must have full access to the system. It is just very frustrating to have all the other controls we have overlooked and be deemed ineffective because of one issue. We do have a variety of comparisons and other mitigating controls in place that we feel would catch any errors that could have a financial impact.
    Does anyone have any ideas as to any data monitoring or other detective control that we could put in place that could possibly appease our auditors? Thanks.



  • The following guidance from ISACA might be helpful:
    COMPENSATING CONTROLS FOR LACK OF SEGREGATION OF DUTIES
    In a small business where the IS department may only consist of four to five people, compensating control measures must exist to mitigate the risk resulting from a lack of segregation of duties.
    Compensating controls would include:
    • Audit trails: Audit trails are an essential component of all well-designed systems. They help the IS and user departments as well as the IS auditor by providing a map to retrace the flow of a transaction. They enable the user and IS auditor to recreate the actual transaction flow from the point of origination to its existence on an updated file. In the absence of adequate segregation of duties, good audit trails may be an acceptable compensating control. The IS auditor should be able to determine who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated.
    • Reconciliation: Reconciliation is ultimately the responsibility of the user. In some organizations, limited reconciliation of applications may be performed by the data control group with the use of control totals and balancing sheets. This type of independent verification increases the level of confidence that the application ran successfully and that the data are in proper balance.
    • Exception reporting: Exception reporting should be handled at the supervisory level and should require evidence, such as initials on a report, noting that the exception has been handled properly. Management should also ensure that exceptions are resolved in a timely manner.
    • Transaction logs: A transaction log may be manual or automated. An example of a manual log is a record of transactions (grouped or batched) before they are submitted for processing. An automated transaction log or journal provides a record of all transactions processed, and it is maintained by the computer system.
    • Supervisory reviews: Supervisory reviews may be performed through observation and inquiry or remotely.
    • Independent reviews: Independent reviews are carried out to compensate for mistakes or intentional failures in following prescribed procedures. These are particularly important when duties in a small organization cannot be appropriately segregated. Such reviews will help detect errors or irregularities.
    Excerpted from COSO Guidance for Smaller Public Companies,
    Segregation of Duties
    Establishing appropriate segregation of duties often presents difficulties in smaller organizations, at least on the surface. Even companies that have only a few employees, however, usually can parcel out their responsibilities to achieve the necessary checks and balances. But if that is not possible, direct oversight of incompatible activities by more senior management can provide the necessary control.
    At the most basic level, segregation of duties means that no single individual should have control over two or more phases of a transaction or operation. Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of his or her duties.
    Segregation of duties is not an end in itself, but rather a means of mitigating a significant risk inherent in processing. In many smaller businesses, one person may have complete control of all aspects of a process. That complete control of processing by one person may increase risks. Segregation of duties is needed so that one individual, or function, acts as a check and balance against the activities of another. For example, if one person processes sales and the resulting debit to accounts receivable, that person should not have access to processing cash receipts for the payment of those receivables, should not be responsible for reconciling the bank account, and should not have authority to write off accounts receivable.
    Independent reconciliations can provide an additional control to mitigate risks and may be especially important in situations when there is inadequate segregation of duties. In the example above, the risk is that a salesperson can provide goods at no or little charge to customers, and then collect money or receive a kickback. An independent reconciliation of actual inventory on hand with the amount shown by the salesperson would identify a discrepancy. Of course, the reconciliation is only as good as the follow-up investigation to identify the underlying cause of any difference in the account balance.
    It often is thought that the manager of a small business is in a position to compensate for inadequate segregation of duties due to the manager’s knowledge of the business. This is appealing because the manager can fulfill such a role without hiring additional personnel. COSO recommends that smaller businesses first explore other alternatives to mitigating risks through segregation of duties before turning to management oversight as a solution.
    We make this recommendation because:
    Management should concentrate on strategic and operational objectives of the company, and having managers perform some parts of the process results in dilution of management, and
    There would no longer be an independent check on management’s activities, other than the board or audit committee, as discussed earlier.
    Managing Change to Custom Software
    Management of a manufacturing company has decided to make significant modifications to its inventory management software. The company has only two developers on staff and will need to rely on those individuals to develop, test and migrate the software to production. Additionally, the company does not have an automated code promotion utility to control versions and migrations to the production environment. In this situation the standard controls relevant to segregation of duties may be obtained through:
    Clear identification and risk analysis of the changes that will be required.
    Assignment of the changes to each of the developers so that each developer only works on those changes assigned to them.
    Testing and migration of changes to production are executed by the developer who was not responsible for the change.
    Review by Management. Manual controls may be relied upon to manage the code version and migration issues and include:
    Creating a manual log of the version of the code copied to the development environment, with date and time. Again, manually track the version of the code migrated to test and then to production.
    The individual responsible for the information technology functions and independent from the process reviews all version control procedures prior to moving the code to production.
    Hope this helps and good luck with the auditors… just remember, it's a winless battle to go toe to toe with them… if it were me, I'd try to identify which of the compensating controls they obtain comfort from and ensure that the compensating control is designed and operating effectively.
    Regards,
    Milan
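    The ISACA bullets above (audit trails, exception reporting, reconciliation with control totals) describe detective controls in prose only. The following is an added example, not code from the thread, from ISACA or from the FACTS product: it runs an exception report over a constructed, tab-separated audit trail that carries the elements the guidance says an auditor needs (who entered the transaction, when, the entry type, the amount field and the master file it updated, plus who approved it), flags entries made by a watch list of developer accounts, self-approved entries and off-hours entries, and reconciles per-file control totals from the trail against the movement the application itself reports. The account names, file names, business-hours window and the `APPLICATION_MOVEMENT` figures are all assumptions made up for the example.

```python
from __future__ import annotations

import csv
import io
from collections import defaultdict
from datetime import datetime
from decimal import Decimal

# Constructed sample audit trail (not real FACTS output). Each row carries the
# elements ISACA lists: who entered it, when, the entry type, the amount field,
# the master file it updated, and who approved it.
AUDIT_TRAIL = """\
txn_id\tuser\ttimestamp\tentry_type\tfile\tamount\tapproved_by
1001\tjsmith\t2009-03-02T09:12:00\tAR_INVOICE\tARMAST\t1250.00\tmjones
1002\tapclerk\t2009-03-02T10:05:00\tAP_VOUCHER\tAPMAST\t-480.25\tmjones
1003\tdevuser1\t2009-03-02T22:41:00\tAR_ADJUST\tARMAST\t-1250.00\tdevuser1
1004\tjsmith\t2009-03-03T08:30:00\tAR_INVOICE\tARMAST\t300.00\tjsmith
1005\tdevuser2\t2009-03-03T11:15:00\tGL_JOURNAL\tGLMAST\t75.00\tmjones
"""

# Assumed watch list: the accounts that hold developer/full access to the ERP.
PRIVILEGED_USERS = {"devuser1", "devuser2"}

# Assumed business window: hour of day, inclusive start, exclusive end.
BUSINESS_HOURS = (7, 19)

# Constructed per-file movement as the application's own period report shows it.
# GLMAST deliberately disagrees with the trail so the reconciliation has a hit.
APPLICATION_MOVEMENT = {
    "ARMAST": Decimal("300.00"),
    "APMAST": Decimal("-480.25"),
    "GLMAST": Decimal("100.00"),
}


def parse_audit_trail(text: str) -> list[dict]:
    """Parse the tab-separated trail; type the timestamp and amount columns."""
    rows = []
    for r in csv.DictReader(io.StringIO(text), delimiter="\t"):
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
        r["amount"] = Decimal(r["amount"])
        rows.append(r)
    return rows


def find_exceptions(rows, privileged=PRIVILEGED_USERS, hours=BUSINESS_HOURS) -> list[dict]:
    """One record per transaction that needs supervisory sign-off.

    Reason codes:
      PRIV_ENTRY     entered by a developer/full-access account
      SELF_APPROVED  the same person entered and approved it
      OFF_HOURS      entered outside the business window
    """
    start, end = hours
    report = []
    for r in rows:
        reasons = []
        if r["user"] in privileged:
            reasons.append("PRIV_ENTRY")
        if r["approved_by"] == r["user"]:
            reasons.append("SELF_APPROVED")
        if not (start <= r["timestamp"].hour < end):
            reasons.append("OFF_HOURS")
        if reasons:
            report.append({"txn_id": r["txn_id"], "user": r["user"],
                           "file": r["file"], "amount": r["amount"],
                           "reasons": reasons})
    return report


def control_totals(rows) -> dict[str, Decimal]:
    """Net amount posted to each master file according to the audit trail."""
    totals = defaultdict(Decimal)
    for r in rows:
        totals[r["file"]] += r["amount"]
    return dict(totals)


def reconcile(trail_totals: dict, application_totals: dict) -> dict[str, Decimal]:
    """Independent check of trail control totals against the application's own
    reported movement. Returns {file: difference} for every file that does not
    balance; an empty dict means the two sources agree."""
    diffs = {}
    for f in set(trail_totals) | set(application_totals):
        d = application_totals.get(f, Decimal(0)) - trail_totals.get(f, Decimal(0))
        if d != 0:
            diffs[f] = d
    return diffs


if __name__ == "__main__":
    rows = parse_audit_trail(AUDIT_TRAIL)
    for e in find_exceptions(rows):
        print(f"{e['txn_id']} {e['user']:<9} {e['file']} {e['amount']:>9} "
              f"{','.join(e['reasons'])}")
    print("out of balance:", reconcile(control_totals(rows), APPLICATION_MOVEMENT))
```

    The exception report is only a control if someone independent of the developers reviews it and records that each line was resolved, which is the "initials on a report" evidence the guidance asks for; the reconciliation step is what makes a developer-entered adjustment visible even when the developer also had the access to alter the application's own balance report, provided the trail is written somewhere the developer cannot edit.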



  • Hope this helps and good luck with the auditors… just remember, it's a winless battle to go toe to toe with them… if it were me, I'd try to identify which of the compensating controls they obtain comfort from and ensure that the compensating control is designed and operating effectively
    Excellent points … From the IT side, I’ve also worked with internal and external auditors for many years. When they ‘score a point’ 😉 they are unlikely to give up any ground here at all, as this is part of the service they are rendering.
    The following ideas might help:

    1. If your Operating System permits, start logging all access and transactions for the affected ERP processes under scrutiny. This can be a temporary solution as Milan noted.
    2. Search for creative ways of resolving this long term. In some cases programmer intervention is needed due to complex reformatting issues. Document this process in detail.
    3. Maybe a business analyst or power user can be trained so that you have true separation of duties. You may have to have a small development project as well to make this process easier.
    4. I would most likely acknowledge the potential weakness, noting that you have trustworthy individuals in place, but will improve this over time as it requires resource commitments and work.


  • Milan,
    Very well written and presented.
    The very fear of the review and flagging of exceptions would deter the process owner from committing anything nefarious. As an added control, the process owner can be covered by fidelity bonds, a form of insurance which protects the business unit against losses caused by dishonest employees (fidelity bonds also serve as a control when new employees are hired, since the insurer will typically perform a background check on prospective employees).

