
When the IS auditor identifies a lack of segregation of duties

January 16, 2023

Chinmay Kulkarni has asked people on LinkedIn a question that appears to be from the ISACA Certified Information Systems Auditor (CISA) exam. He posted (I have included the current poll results, with 941 voting):

CISA Question 3

As an IS auditor, what is the FIRST step you will take upon identifying lack of segregation of duties [“SOD”] within the organization?

Document as audit finding 18%

Implement SODs 7%

Review Compensating Controls 46%

Review Access Controls 30%

I am not a CISA, although I could have “grandfathered” into it when ISACA first set up the CISA certification.

One of my problems with these exams is that I always question the question, and frequently think the available answers are wrong. (I was able to pass both the UK’s Chartered Accountancy and the US CPA exams.)

I have a problem with the available answers to this question.

1. Document as an audit finding

The auditor has “identified a lack of segregation of duties,” but:

  • Has the auditor confirmed the facts with management?
  • Does the auditor understand whether it matters? Where is the risk? Even if there is a deficiency, does the risk justify corrective action? If so, there is no “finding”.
  • Does management already know? Have they assessed the risk and believe it is acceptable, given the cost, etc.?
  • Are there other controls over the risk? Maybe controls within the business or elsewhere are being relied on, not the ones the auditor is considering.
  • Compensating controls may reduce the business risk, but by how much?

I have seen a couple of situations where an external auditor came to me (I was the head of internal audit) to inform me that there was an issue with segregation of duties. In the first case, he said individuals in China’s HR department had access to SAP payroll, so they could add and then pay a fictitious employee. However, the company did not use SAP payroll in China. In the second, a different auditor said there were individuals in China who had the ability to post an inventory adjustment to cover up the theft of inventory and hide it further with their ability to post a GL entry. I questioned him and found out that the inventory in question was in Romania while the employee and the GL were in China. There was no real risk.

Moving directly to documenting an audit finding is not a good option for the first step the auditor should take.

In fact, depending on the organization, the IS auditor should discuss the issue with the team lead or audit manager as a first step – which is not an option provided in the question.

2. Implement SODs

The auditor doesn’t implement segregation of duties or any other control for that matter. If that is to be done, it is done by management.

3. Review compensating controls

As noted above:

  • There may not be a business risk justifying corrective actions.
  • The auditor hasn’t confirmed the facts or their implications.
  • The business may not be relying on these controls, but on controls within the business. (Technically, these are not compensating controls. They are the primary controls and are not designed to compensate for any SOD deficiency.) In fact, it is possible that the controls tested should not have been in scope for the audit!

Of all the options provided, this may be the best but it is seriously flawed.

4. Review access controls

I am flummoxed! How do you determine that there is a lack of SOD if you haven’t already assessed access controls?

If I was presented in an exam setting with these four options and had to choose one, I would go with #3.

But in real life, I would have an issue with any auditor who hadn’t first made sure of their facts, discussed the issue and its implications with management, and confirmed this was a real business risk that needed to be addressed.

What do you think?

  1. January 16, 2023 at 11:24 AM

    Norman, as you have implied above, there is no ‘back story’, that is no mention of discussions with management about risk, about their concerns and about the impact if a risk happens, before the audit work commenced.
    It is this type of question that makes me distrust multiple choice exams.

  2. Bruce McCuaig
    January 16, 2023 at 1:22 PM

    I have a mixed opinion about segregation of duties, and I like your answer. The thing to remember is that strict SOD will eliminate all collaboration. I recall in the days before the cockpit doors were locked during takeoff, it was typical to see both pilots’ hands on the throttle. In most cases, collaboration is essential. It is a risk if the objective is malicious.

  3. Paul Mburu
    January 16, 2023 at 9:15 PM

    Perhaps when documenting the Audit Finding, the Auditor would be required to document the risk and corrective action. The auditor has to discuss the finding first, with their supervisor and with management, before it gets to the draft audit report.

  4. January 17, 2023 at 11:05 PM

    One thing that I believe auditors, especially non-experienced, often forget is the number of people you need before SoD can be fully effective. Due to holidays, courses, sickness and other kinds of absence, you need at least 3 people in every position.

  5. Robert
    January 20, 2023 at 11:44 AM

    It’s been quite a few years, but I recall that almost every question on the CISA exam was like that. The instructions will say to choose the “BEST” answer. I assumed these questions were utilizing a type of testing method with a fancy sounding name like “cognitive assumption based intelligence assessment”. I will say that a new auditor should know and understand all of those answers, and how they relate to SOD, to be able to conclude #3 is the “best” answer in this case (it’s #3, right??) 🙂

    • Norman Marks
      January 20, 2023 at 11:59 AM

      It’s sad when the “best” is a poor answer.

      • James
        January 21, 2023 at 10:50 AM

        I too dislike the cognitive assumption based intelligence assessment testing method. 😀
