Which of the following is most important when duties in a small organization cannot be appropriately segregated?

Managing Change 

Change management in software development life cycles, network operations and IT security departments uses the concepts of SOD to ensure proper approvals and release-to-production processes. There are five basic steps to all change management that need segregated management and process steps to maintain a proper risk management model:

  1. Initiation of change with appropriate authorization.
  2. Project management oversight of the change process.
  3. Tracking of changes to key process steps.
  4. Corresponding management and risk controls must be developed and documented.
  5. Management oversight and approval for implementation of changes into “production.”  

In addition, the CoBIT (Control Objectives for Information and related Technology) description for push to production or release management should be well understood: “In addition, application developers should not be able to promote code into production. If this control does not exist, unauthorized changes to software could result. In addition, uncontrolled and/or unauthorized changes to business information may lead to fraud and irregularities. Finally, malicious programs can be introduced into the production environment, affecting system availability, data integrity and information confidentiality issues.”
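The release-management rule above can be checked mechanically against change records. The following is an added example, not part of the original article: the `Change` fields, the finding wording and the sample records are assumptions made for illustration, and the integer timestamps are constructed sequence numbers.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Change:
    change_id: str
    requester: str              # who initiated the change
    developer: str              # who wrote it
    approver: Optional[str]     # who approved release (None = nothing on record)
    deployer: str               # who pushed it to production
    approved_at: Optional[int]  # constructed sequence number, not a real time
    deployed_at: int


def sod_findings(c: Change) -> list:
    """Return the segregation-of-duties problems found in one change record."""
    findings = []
    if c.approver is None or c.approved_at is None:
        findings.append("no approval on record")
    else:
        if c.approver in (c.requester, c.developer):
            findings.append("approver also initiated or developed the change")
        if c.approved_at > c.deployed_at:
            findings.append("approval recorded after deployment")
    if c.deployer == c.developer:
        findings.append("developer promoted own code to production")
    return findings


def audit(changes) -> dict:
    """Map change_id -> findings, keeping only changes with a finding."""
    report = {c.change_id: sod_findings(c) for c in changes}
    return {cid: f for cid, f in report.items() if f}


# Constructed sample records (not from the article).
SAMPLE = [
    Change("CHG-1", "alice", "bob", "carol", "dave", 10, 12),
    Change("CHG-2", "alice", "bob", "carol", "bob", 20, 21),
    Change("CHG-3", "erin", "erin", "erin", "erin", 35, 30),
    Change("CHG-4", "alice", "bob", None, "dave", None, 40),
]

if __name__ == "__main__":
    for cid, findings in audit(SAMPLE).items():
        print(cid, "->", "; ".join(findings))
```

Run over an export from the ticketing or deployment system, a report like this doubles as the evidence trail for steps 3 and 5 of the list above.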

Case Study #1: Accounting Software and Operational Systems Control: An Opportunity for Fraud


The general manager of a corporate distribution network of heavy refrigeration equipment found that system inventory counts within the accounting software did not match physical inventory calculations. Book count is generally expected to equal the system count of inventory as a basic audit check for accuracy in financial reporting. Book inventory accounting is based on the last physical inventory conducted within a business unit. The count is used as a basis to add purchases and subtract cost of sales in order to calculate the current ‘ending’ inventory.

Month after month, the operations manager kept pointing to problems in the old accounting software. The accounting manager kept running the book calculations with variances against the system counts that she could not explain. To help address the issue, the general manager made a business case to corporate executives for a new, integrated accounting software package and requested accounting support from the corporate office for implementation. The software was purchased and implementation was quickly put on track to enable production over the next several months.

When the annual physical inventory came, due within the same annual period, the general manager mandated that the system inventory valuations must equal book inventory valuations at the beginning of each monthly period. The general manager made the operations manager directly accountable for this control from that point forward.  

The operations manager suggested that the annual inventory be coordinated with the transition to the new accounting software. In turn, the general manager accepted this suggestion as a pragmatic solution.

The old and new accounting systems ran parallel for a few months and, at the transition point, the operations manager worked closely with the accounting manager to ensure that “Book” matched “System” inventory valuations, and began operating under the new accounting software.

Much to the general manager’s disappointment, variances between the two inventory valuations continued and book value climbed. The operations manager came under severe scrutiny and corporate staff auditors were dispatched to the distribution center. Supporting documentation for the last inventory was requested. At this point, the operations manager stopped showing up for work and was not returning phone calls.

Shortly thereafter, it was discovered that a theft ring was being conducted by the operations manager. The variances described were due to stolen inventory in the amount of several million dollars, or about 3 percent of the assets on the subsidiary’s balance sheet. The fraudulent activity was covered up for two years by the lack of SOD in three areas:

  1. The operations manager had inventory responsibility and administration access to the accounting software. This gave him the ability to plug the inventory at the point of transition to the new system.
  2. The data load process from the physical inventory to the new software application was heavily influenced by the operations manager and provided cover to conceal the vast difference between book and systems counts at the point of transition.
  3. The segregation between review and approval of the data load and final push to production was not conducted correctly. This was an error on the part of the general manager.

SOD in the implementation of new software is where this problem became supercharged; the inventory problem was swept under the rug during the data load!

Case Study #2: Sales Processes and Managing Data: A Revenue Recognition Risk

A very technically savvy sales rep for an advertising firm built an advertising revenue model that only he understood. The revenue was based on selling access to a large customer base to potential advertisers and then broadcasting advertising messages to those customers.

The sales rep would sell the deals, write the insertion orders for the broadcasted content and report to accounting on the closed and delivered deals. Many times, these deals were structured with a barter component.

Clearly, the sales rep had too much control over too many of the components of revenue recognition - he created fraudulent insertion orders that he would have his trading partners sign to complete the barter transaction.

However, the trading partners never delivered their commitments to the insertion orders, and the sales rep was the only one who understood the broadcast e-mail system, including how to access log files.

This fraudulent activity went undetected until the trading partner was sold to another corporation. The new management of the trading partner was presented with insertion orders that did not have proper supporting documentation. In turn, management decided to call the sales rep’s company to discuss the matter.

It was only at this time that this $900,000 scheme was uncovered!

What's the lesson? Watch out for the segregation between revenue and technical operations.

Be Wary and Watchful
While SOD seems a simple process, not properly following it can lead to disastrous consequences, as evidenced by the two case studies above. As CPAs, you have the knowledge to make certain SOD is properly implemented within your own organization, as well as your clients’ and customers' businesses.


  1. Internal accounting controls (e.g., processes, checks, balances, segregation of duties) safeguard assets. Implement them early on.
  2. Two types of internal controls:
    • Preventative: E.g., requiring dual signatures on cheques
    • Detective: E.g., reconciling the bank or inventory counts
  3. Segregation of duties provides critical oversight and deters fraud and theft. Separate:
    • Custody of assets
    • Ability to authorize the use of assets
    • Recordkeeping


Internal controls are the processes, checks and balances that need to be put in place as a business grows. Internal controls can relate to any aspect of your business, from human resources to IT. Internal controls in accounting are critical and are used for safeguarding assets. Having a system of internal controls, including a segregation of duties, matters because as much as you trust your team, simply having a team means there is no longer one person with complete oversight and knowledge of the operations.

When implementing an internal control procedure, ensure it includes a means to generate evidence that a process has been followed or completed. This may be as simple as requiring that a document be initialled—but if there is nothing to show that something happened, it didn’t!

Benefits of internal controls

As your business grows and becomes more complex, it is more likely that errors, duplication or omissions can occur. For example, without internal controls to dictate who is responsible for certain purchases, more than one person may make the same purchases, resulting in duplication and waste. Or products may be received by mistake from a supplier and, without internal controls, the fact that the items were not ordered may be missed. There are many other reasons to implement internal controls—and the longer you wait to introduce these procedures, the more difficult it will be to change your company’s processes and to get buy-in from your employees (see below).

The importance of internal controls in accounting

Why establish internal controls in accounting? If you are required to have a review or an audit but do not have sufficient internal controls in place, an accountant will not be able to satisfactorily conduct their tests. And if you are claiming a tax credit such as through the SR&ED Program, you may not be able to support your claim if you do not have adequate timesheets and other records, and this could result in a significant loss of funding.

Securing the buy-in from your employees

Employees may have a negative reaction to the implementation of internal controls. They may feel that these are time consuming, labour intensive or show a lack of trust in them. It is important to communicate to your co-workers and colleagues that these processes are required as the business grows, not only for oversight purposes (although this is certainly part of it) but also for planning, tracking and review purposes.

Types of internal controls: Preventative and detective

Internal controls generally fall into one of two categories: preventative or detective.

Preventative controls are those such as requiring dual signatures on cheques or having password-protected files. This type of control protects and limits access to business assets.

Detective controls include reconciling the bank or inventory counts. Typically these internal controls are performed periodically to see whether anything needs to be corrected. They will often turn up internal errors or problems, as well as any external errors (such as bank errors).

Segregation of duties: Safeguarding assets

One of the key concepts in placing internal controls over a company’s assets is segregation of duties. Segregation of duties serves two key purposes:

  1. It ensures that there is oversight and review to catch errors
  2. It helps to prevent fraud or theft because it requires two people to collude in order to hide a transaction

Segregation of duties involves separating three main functions and having them conducted by different employees:

  1. Having custody of assets
  2. Being able to authorize the use of assets
  3. Recordkeeping of assets

This segregation of duties is often difficult to achieve in small businesses, but should be implemented as much as possible. In some cases, it may result in an employee from another department being responsible for one of the functions.

When having adequate internal controls is not possible

Where it is not possible to have adequate preventative internal controls including segregation of duties, it is important to implement a compensating control. An example of this could be increased periodic oversight by you or the board of directors.
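A periodic entitlement review is one way to find where the three functions overlap and to confirm that each overlap has a working compensating control. This is an added example, not from the original article: the duty names, the sample assignments, the review register and the 31-day review interval are all assumptions.

```python
from datetime import date

FUNCTIONS = {"custody", "authorize", "record"}  # the three duties named above

# Constructed sample data: (person, asset) -> duties that person holds.
ASSIGNMENTS = {
    ("ops_manager", "inventory"): {"custody", "record"},
    ("clerk", "inventory"): {"record"},
    ("owner", "bank"): {"authorize", "custody"},
    ("bookkeeper", "bank"): {"record", "authorize"},
}

# Constructed register of compensating reviews:
# (person, asset) -> (independent reviewer, date of last review).
REVIEWS = {
    ("owner", "bank"): ("board_chair", date(2024, 5, 20)),
    ("bookkeeper", "bank"): ("bookkeeper", date(2024, 5, 28)),
}


def unmitigated_conflicts(assignments, reviews, today, max_age_days=31):
    """Return {(person, asset): reason} for every duty overlap that lacks
    a current compensating review by someone other than the duty holder."""
    out = {}
    for (person, asset), duties in sorted(assignments.items()):
        if len(duties & FUNCTIONS) < 2:
            continue  # one duty only: properly segregated
        review = reviews.get((person, asset))
        if review is None:
            out[(person, asset)] = "no compensating review"
        elif review[0] == person:
            out[(person, asset)] = "self-review"
        elif (today - review[1]).days > max_age_days:
            out[(person, asset)] = "review overdue"
    return out


if __name__ == "__main__":
    for key, reason in unmitigated_conflicts(
        ASSIGNMENTS, REVIEWS, date(2024, 6, 1)
    ).items():
        print(key, "->", reason)
```

The review register is also the evidence that the compensating control was actually performed, which is what an auditor will ask to see.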

Summary: Internal accounting controls (e.g., processes, checks, balances, segregation of duties) safeguard assets and need to be implemented early on.
