
In the document Data Center Operations Management (pages 129-132)

41 Separation of Duties in the

DEFINING THE NEED FOR SEPARATION

Auditing standards call for complete segregation of functions; for example, only operators should have access to the computer, only the librarian to the data library, only programmers to the application system documentation.

Unfortunately, this is not always practical. In a small shop, the manager may also act as the programmer and the backup operator. The data entry supervisor may serve as the control clerk. There may be no data librarian, this function being performed instead by the operator. In the interest of economy, even large organizations may combine such functions as data entry and control, or computer operations and maintenance of the tape library.

Some functions are separated "naturally" for reasons other than control and security. It is not cost-effective to have a high-priced programmer enter data or run production jobs on the computer. In some cases, however, necessary job separation is not economically justified. For example, it might be cost-effective to have programmers operate the computer when testing their own programs; from a control standpoint, however, the programming and operating functions must be kept separate.

Cost and Separation of Duties

If the DCOM looks only at costs versus benefits when making organizational and operational decisions about separation of duties, a particular cost should not be overlooked: the expected loss resulting from combining duties.

This cost can be estimated, although roughly, through risk analysis.

In risk analysis, the expected loss of a company equals the potential loss resulting from an undetected error multiplied by the probability of such an error, plus the potential loss resulting from an irregularity (a defalcation) multiplied by the probability of such an irregularity. With an accounts receivable system, for example, the potential loss from undetected errors might be $50,000 a year. The probability of such losses might be 0.05. The potential loss from irregularities might be $1,000,000 (not unusually high for a computer crime). The probability of such a loss might be 0.002. The expected loss in the accounts receivable system would then be ($50,000 × 0.05) + ($1,000,000 × 0.002) = $2,500 + $2,000 = $4,500. If similar figures are developed for all other applications, the sum of these figures is the expected loss to the company of operating without adequate controls, including separation of duties.

Although the potential losses and the probabilities are only rough estimates, errors, irregularities, and losses do occur, and the possibility of these problems should not be ignored. When performing a risk analysis, the DCOM should work with the controller and the auditors to develop reasonable estimates of probabilities and expected losses. The total expected loss should be compared with an estimate of the loss that can be expected even if controls are put in place. The difference between these two figures is the true cost of not having controls.
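The risk-analysis arithmetic above, carried across several applications and compared with the residual loss expected once controls are in place, is easy to get wrong in a spreadsheet. The following Python is an added worked example, not code from the book: it encodes the expected-loss formula as stated, reproduces the accounts receivable figures, and adds a second application (payroll) with constructed figures and an assumed residual loss purely to show the portfolio sum and the "true cost of not having controls" difference.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ApplicationRisk:
    """Risk-analysis inputs for one application, using the book's four quantities."""
    name: str
    error_loss: float               # potential loss from an undetected error (per year)
    error_probability: float        # probability of such an error
    irregularity_loss: float        # potential loss from an irregularity (a defalcation)
    irregularity_probability: float # probability of such an irregularity

    def __post_init__(self) -> None:
        # Probabilities outside [0, 1] are a data-entry mistake, not a risk figure.
        for p in (self.error_probability, self.irregularity_probability):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.name}: probability {p} is not in [0, 1]")

    def expected_loss(self) -> float:
        """(error loss x P(error)) + (irregularity loss x P(irregularity))."""
        return (self.error_loss * self.error_probability
                + self.irregularity_loss * self.irregularity_probability)


def total_expected_loss(apps: Iterable[ApplicationRisk]) -> float:
    """Sum of the per-application figures: the loss of operating without adequate controls."""
    return sum(app.expected_loss() for app in apps)


def cost_of_no_controls(apps: Iterable[ApplicationRisk],
                        residual_loss_with_controls: float) -> float:
    """True cost of not having controls: uncontrolled expected loss minus the
    loss still expected after controls are in place."""
    return total_expected_loss(apps) - residual_loss_with_controls


# Figures from the book's accounts receivable example.
ACCOUNTS_RECEIVABLE = ApplicationRisk("accounts receivable", 50_000, 0.05, 1_000_000, 0.002)

# Constructed figures for a second application (hypothetical, not from the book).
PAYROLL = ApplicationRisk("payroll", 20_000, 0.10, 500_000, 0.001)

# Assumed residual loss after controls, for the whole portfolio (hypothetical).
RESIDUAL_LOSS_WITH_CONTROLS = 1_500.0

if __name__ == "__main__":
    portfolio = [ACCOUNTS_RECEIVABLE, PAYROLL]
    for app in portfolio:
        print(f"{app.name:20s} expected loss ${app.expected_loss():,.2f}")
    print(f"total uncontrolled loss  ${total_expected_loss(portfolio):,.2f}")
    print(f"true cost of no controls ${cost_of_no_controls(portfolio, RESIDUAL_LOSS_WITH_CONTROLS):,.2f}")
```

The accounts receivable entry reproduces the book's $4,500; everything else is illustrative input. When the DCOM, the controller and the auditors revise a probability, only the corresponding `ApplicationRisk` value changes and the comparison is recomputed consistently.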

Another factor that should be considered in a cost/benefit analysis is the personnel cost involved in separating duties. If duties are properly segregated, it may be necessary to increase the staff because one person cannot perform functions that are separated. This increases salary and benefit costs. With proper scheduling, however, these costs can be minimized by using part-time personnel.


Another potential cost of separating duties is loss of morale because of restrictions regarding on-the-job training for upgrading employees. A control clerk cannot be given on-the-job training in computer operation while also working as a clerk. A computer operator must be discouraged from learning programming. An application programmer must be dissuaded from learning systems programming.

Alternatives to Separation of Duties

When analyzing the need for separation of duties, the DCOM should consider other techniques that can minimize undetected errors and discourage irregularities. The most acceptable technique is close supervision, although this also has costs. Such techniques as careful review of inputs, outputs, console logs, and source listings; on-the-floor observations of personnel; random inspections of work being done; and discussions of actions and decisions with the staff all catch errors and reduce irregularities.

Another useful technique is to build adequate controls into all systems. For example, all important data fields should have programmatic edits; money fields should have limit and/or reasonability tests. Exception reports, transaction lists, master file change reports, and master file listings should be prepared by all systems. In addition, batch systems should provide batch balance reports and error listings. Control totals and record counts should be created and verified by the first program in a system, and these totals should be passed from program to program and reverified. Operator interventions should be held to an absolute minimum.
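The programmatic edits, limit tests and program-to-program control totals described above are the batch-processing counterpart of separation of duties: no single stage (or operator) can silently drop, alter or add a record without the next stage noticing. The following Python is an added example, not code from the book or any named product. The batch, the $10,000 limit on the money field and the choice of a SHA-256 hash total over record ids and amounts are all assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed sample batch of money transactions (not from the book).
SAMPLE_BATCH = [
    {"id": "T001", "account": "1001", "amount": Decimal("125.00")},
    {"id": "T002", "account": "1002", "amount": Decimal("75.50")},
    {"id": "T003", "account": "1003", "amount": Decimal("1800.00")},
]

# Assumed limit test for the money field.
MAX_AMOUNT = Decimal("10000.00")


@dataclass(frozen=True)
class ControlTotals:
    """Totals created by the first program and carried with the batch."""
    record_count: int
    amount_total: Decimal
    hash_total: str  # SHA-256 over "id|amount" lines in batch order (assumed scheme)


def edit_record(rec: dict) -> List[str]:
    """Programmatic edits for one record; returns the list of edit failures (empty if clean)."""
    errors = []
    if not rec.get("id"):
        errors.append("missing transaction id")
    if not str(rec.get("account", "")).isdigit():
        errors.append("account is not numeric")
    amount = rec.get("amount")
    if not isinstance(amount, Decimal):
        errors.append("amount is not a decimal money value")
    elif amount <= 0:
        errors.append("amount must be positive")
    elif amount > MAX_AMOUNT:
        errors.append(f"amount {amount} exceeds limit {MAX_AMOUNT}")  # limit test
    return errors


def compute_totals(batch: List[dict]) -> ControlTotals:
    """Record count, amount total and hash total for a batch."""
    digest = hashlib.sha256()
    total = Decimal("0")
    for rec in batch:
        digest.update(f"{rec['id']}|{rec['amount']}\n".encode())
        total += rec["amount"]
    return ControlTotals(len(batch), total, digest.hexdigest())


def verify_totals(batch: List[dict], expected: ControlTotals) -> List[str]:
    """Reverify a batch against the totals it arrived with; returns the mismatches found."""
    actual = compute_totals(batch)
    problems = []
    if actual.record_count != expected.record_count:
        problems.append(f"record count {actual.record_count} != {expected.record_count}")
    if actual.amount_total != expected.amount_total:
        problems.append(f"amount total {actual.amount_total} != {expected.amount_total}")
    if actual.hash_total != expected.hash_total:
        problems.append("hash total mismatch (a record was altered, reordered or replaced)")
    return problems


def first_program(batch: List[dict]) -> Tuple[List[dict], ControlTotals, Dict[str, List[str]]]:
    """Edit every record, reject failures to an error listing, then create the control totals."""
    error_listing = {rec["id"]: edit_record(rec) for rec in batch}
    error_listing = {k: v for k, v in error_listing.items() if v}
    clean = [rec for rec in batch if rec["id"] not in error_listing]
    return clean, compute_totals(clean), error_listing


def next_program(batch: List[dict], totals: ControlTotals) -> ControlTotals:
    """A downstream program reverifies the totals before doing its own work and passes them on."""
    problems = verify_totals(batch, totals)
    if problems:
        raise ValueError("batch rejected, control totals do not match: " + "; ".join(problems))
    # ... this stage's own processing would go here ...
    return compute_totals(batch)


if __name__ == "__main__":
    clean, totals, errors = first_program(SAMPLE_BATCH)
    print("error listing:", errors)
    print("control totals:", totals)
    print("stage 2 totals:", next_program(clean, totals))
    # A record dropped between stages is caught on reverification.
    print("dropped record ->", verify_totals(clean[:-1], totals))
```

Each stage recomputes the totals from the data it actually received rather than trusting the trailer alone, so a mismatch in the record count, the amount total or the hash total produces a rejection and an entry for the batch balance report instead of a quiet propagation.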

Two types of packages on the market provide some assistance in maintaining control. A tape management system reduces the need for a tape librarian and decreases the possibility of unauthorized changes to data files. Program management systems that protect production programs from "on the fly" changes and that create an audit trail of all program changes provide an operational control in the programming area.

When a data center has two or three shifts, rotating personnel between shifts provides a measure of control. Of course, when shifts are rotated, the manager should ensure that the applications are not rotated also. If a data entry operator or computer operator knows that someone else might work with an application, the temptation to perpetrate irregularities is reduced.

In summary, when the DCOM is deciding whether functions should be separated, he or she must consider:

• The size of the operation. (The smaller the staff, the harder it is to separate functions.)

• The risks involved in not separating duties.

• The potential costs of segregating duties.

• The possibility and the advisability of using alternative techniques to achieve the same measure of control.
