UWCISA
University of Waterloo Centre for Information Systems Assurance
5th Symposium on Information Systems Assurance
Information Integrity and Business Systems
X-Raying Segregation of Duties
Support to Illuminate an Enterprise’s Immunity to Solo-Fraud
Computational Auditing
Philip Elsas
October 12, 2007 - Toronto, Canada
Introduction
• Since 2003: Company, Netherlands, Canada
• 1988-2003: Deloitte. Principal & Chief System Architect, inventor of Smart Audit Support. Since 1994 key in Deloitte's worldwide audit practice. Currently part of "The Deloitte Audit"
• 1990-1996: PhD "Computational Auditing", chapter 5: Smart Audit Support
X-Raying SoD
Agenda
• What’s the Challenge?
• Solution Claim: 5 Perspectives
• “Look & Feel”: Input & Output
• What’s in it for the Auditor?
• Support Status
What's the Auditor's SoD Challenge?
Standards: SOx section 404, ISA 315, SAS 70, ISA 240 §17-20; excluding Collusion & Overriding: Potential Solo-Fraud, for all Officials
Subject: SoD in the Client's Body of Authorizations: Voluminous, Automated (several systems) & Non-Automated, with Mutually Different Systematics
Constraint: Audit Budget
Effective & Efficient:
- Assess/Diagnose SoD
- Advise on SoD Improvement
Tooling:
- Best/Worst Practice Database: Quality & Tailoring, Ongoing
- (ERP) System-Oriented SoD Analysis: Critical Combinations of Transactions crossing a system border?
NEEDED IS: INTEGRATING TOOL. ENTERPRISE-WIDE. UNIFYING.
Solution Claim
What is it? Auditor's Perspective
The SoD Support is software that:
• detects Weaknesses and Remediation Opportunities in an organization with respect to SoD, both in the Designed and in the Implemented SoD
• delivers Crucial Information to the auditor that until now he had to find in a difficult and "ad hoc" way
• hunts down the weaknesses Systematically, and thus Completely
With thanks to Prof. Hans Blokdijk RA for a first summarization, 2005
Solution Claim
What is it? IT Perspective
The SoD software package:
• gives an Overview of all potential single-employee frauds, so-called Solo-Frauds
• indicates which Measures are minimally required to create an SoD in which Solo-Fraud is impossible
• and, as the crowning touch: it Proves the Absence of Solo-Frauds
From: Interview in 'de Accountant', February 2006, by Nart Wielaard RA
Solution Claim
What is it? Usage Perspective
It is a powerful tool to assess SoD in systems:
• by getting an overview of all User Profiles in (ERP) Systems, with special attention to record-keeping account-chains
• and deriving Authorization Tables from it
• and reading this into the SoD Support
+ intercept Authorization Change Requests for analysis: Continuous Control Monitor
Feedback from Peter Waas RE RA, 2005, National Coordinator Financial Auditing and EDP Auditing, Dutch Tax Office
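The IT and Usage perspectives above describe four operations: an overview of all potential solo-frauds over authorization tables read in from the systems, the minimal measures that make solo-fraud impossible, a proof that none remain, and a check applied to authorization change requests before they take effect. The following is an added example, written for this page; it is not code from the SoD Support product or from the original slides. Everything in it is constructed: the roles, the "system:transaction" identifiers, the users and the critical combinations are illustrative, and reducing authorizations to sets of transactions granted through roles is my assumption about the model, not a description of the product.

```python
"""Added example (not the SoD Support product): a small solo-fraud analyser.

Assumptions, mine not the page's: an authorization is a "system:transaction"
string granted through a role; a user's effective authorizations are the union
over the roles assigned to them, across systems; a critical combination is a set
of transactions no single official may hold; a potential solo-fraud is a
(user, combination) pair where the user holds the whole combination.
"""
from itertools import combinations

# Constructed sample data.  Transactions carry their system so that a critical
# combination can cross a system border (ERP -> banking).
ROLES = {
    "ap_clerk":     {"erp:create_vendor", "erp:enter_invoice"},
    "ap_manager":   {"erp:approve_invoice"},
    "treasury":     {"bank:release_payment"},
    "hr_admin":     {"hr:create_employee", "hr:set_bank_account"},
    "payroll":      {"hr:run_payroll"},
    "hr_superuser": {"hr:create_employee", "hr:set_bank_account", "hr:run_payroll"},
}
USERS = {
    "alice": {"ap_clerk", "ap_manager"},   # conflict inside the ERP
    "bob":   {"ap_clerk", "treasury"},     # conflict crossing the system border
    "carol": {"hr_admin"},                 # clean
    "dave":  {"hr_superuser"},             # conflict designed into a single role
}
# The "minimally required SoD": one critical combination per fraud scenario.
CRITICAL = {
    "fictitious vendor invoice": {"erp:create_vendor", "erp:enter_invoice", "erp:approve_invoice"},
    "unapproved payment":        {"erp:enter_invoice", "bank:release_payment"},
    "ghost employee":            {"hr:create_employee", "hr:set_bank_account", "hr:run_payroll"},
}


def effective_authorizations(users, roles):
    """User -> union of the transactions of every role assigned to that user."""
    return {u: set().union(*(roles[r] for r in rs)) for u, rs in users.items()}


def solo_frauds(users, roles, critical):
    """Overview: every (user, scenario) pair where one user holds the whole combination."""
    auth = effective_authorizations(users, roles)
    return sorted((u, name) for u, txs in auth.items()
                  for name, combo in critical.items() if combo <= txs)


def design_conflicts(roles, critical):
    """Roles that cover a critical combination on their own: a weakness in the
    SoD design, which no reassignment fixes; the role itself has to be split."""
    return sorted((r, name) for r, txs in roles.items()
                  for name, combo in critical.items() if combo <= txs)


def proves_absence(users, roles, critical):
    """Exhaustive check over all users and combinations: True iff no solo-fraud exists."""
    return not solo_frauds(users, roles, critical)


def minimal_role_revocations(user, users, roles, critical):
    """Smallest set of roles to unassign from `user` so that no critical
    combination stays fully covered (a minimum hitting set, found by brute
    force, which is fine for one user's handful of roles)."""
    assigned = sorted(users[user])

    def still_covered(keep):
        txs = set().union(*(roles[r] for r in keep))
        return [name for name, combo in critical.items() if combo <= txs]

    for k in range(len(assigned) + 1):
        for revoke in combinations(assigned, k):
            if not still_covered(set(assigned) - set(revoke)):
                return set(revoke)
    return set(assigned)  # not reached: revoking every role always succeeds


def change_creates_solo_fraud(user, new_role, users, roles, critical):
    """Continuous control monitoring: evaluate an authorization change request
    before it is applied and return only the solo-frauds it would introduce."""
    proposed = {u: set(rs) for u, rs in users.items()}
    proposed.setdefault(user, set()).add(new_role)
    before = set(solo_frauds(users, roles, critical))
    return sorted(set(solo_frauds(proposed, roles, critical)) - before)


if __name__ == "__main__":
    for u, scenario in solo_frauds(USERS, ROLES, CRITICAL):
        measure = minimal_role_revocations(u, USERS, ROLES, CRITICAL)
        print(f"potential solo-fraud: {u} can run '{scenario}'; unassign {sorted(measure)}")
    for r, scenario in design_conflicts(ROLES, CRITICAL):
        print(f"design weakness: role {r} alone covers '{scenario}'")
    print("change request carol += payroll:",
          change_creates_solo_fraud("carol", "payroll", USERS, ROLES, CRITICAL))
```

The proof in `proves_absence` is only as good as its input: the authorization tables have to be the effective ones extracted from the live systems (inherited roles, cross-system accounts, emergency access included), and the critical combinations are the auditor's minimally required SoD, not something the tool can derive from the system. The design check is kept separate from the user check because a role that covers a combination by itself cannot be remediated by reassignment, only by splitting the role.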
Solution Claim
What can it do? Audit Practice Perspective - SRA
The SoD Support is, in SRA's audit practice:
• a very good instrument for the auditor to compare the Minimally Required SoD with the Current SoD
• a good advisory product with which you can Demonstrate the Risks that are present to the businessman, so that he can assess them himself
From: Interview in 'de Accountant', 2006 with Harold Kinds RA, Technical Auditing Director, SRA
SRA: 6000 auditors, 370 offices, Dutch member firm of the International Network of Accountants and Auditors
Solution Claim
Audit Practice Perspective - Ernst & Young
The SoD Support:
• offers Added Value in both:
  Output: Diagnosis & Remediation, and
  Input: Guiding the Input Preparation Procedure by a Systematic Framework (50%) !! → Dedicated Editor: a Top-down, Leveled Process Diagram; Top-Level is: One-Level-Up & Connecting Cycles
  Fits in a Modern Audit Approach: 1. Focus on Client's Processes, 2. Risk Analysis & 3. Items in Financial Statements
• is Feasible in Practice
• is to be Adopted by the Preferred Audit Software Supplier
From: Ernst & Young Pilot Study Evaluation Report and Discussions, Dr. Hans Verkruijsse PhD RE RA & Huub Lucassen RE RA & Team, 2006-2007
Example Input: Top-Level Business Process
[Figure: a top-down, leveled diagram of connected cycles, not reproduced. Labels on the slide: Enterprise-wide: Unifying Authorizations; Buffer - Static - Balance Items; Transaction - Dynamic - Profit & Loss Items; Top-down, Leveled Diagram; Cycle is Top-level Transaction; Top-level: Connected Cycles; Executable Business Model; Systematic; All Enterprise Sizes; Large: SME's + Hat]
Observation
The SoD support lets you model the authorizations that exist in reality.
That leaves you with the familiar hunting question: is reality properly represented in this model?
This question is evaporating, however.
Today authorizations are more and more specified in systems.
What is then left of the difference between authorizations in reality and a model of them, when both are specified in systems?
The only remaining difference is something like a "pragmatic status": what is a specification used for?
For authorizations, "model" and "reality" coincide more and more: the model becomes reality and reality becomes the model, and showing whether or not a model represents reality becomes pointless.
Instead, mathematical proofs of model properties (correctness, integrity, etc.) gain scope, namely reality, and so gain importance.
Example Output: Solo-Fraud Base
[Figure: one potential solo-fraud, not reproduced]
What's in it for the Auditor?
In comparison with other SoD Conflict Resolution Methods

Application area                          Quality   Cost-Efficient   Consistent
Input Preparation                            +            +              +
SoD Design: Diagnose, Remediation            +            +              o
Implemented SoD: Diagnose, Remediation       +            +              o
SoD Change Management                        +            –              +
Support Status
• Software:
  - Diagram Editor: desktop → downloadable
  - Analyzer & Reporter: desktop → Web
  - SoD Change Management: → Web
• Positioning; converging to combining:
  - What's wanted by CA's audit firm clients: Product adoption by Preferred Software Supplier → What can CA do to arrange?
  - What's wanted by CA: Affiliation with a University, Auditing Faculty → What can CA do to arrange?