John J. Kasperek, President, recently gave a seminar at the Missouri Athletic Club on preventing fraud against small business. Here is Part Two of Three of his remarks:
Do you have internal controls within your business to prevent fraud?
The best means to implement Separation Of Duties in your business.
Here are concepts for implementing Separation Of Duties, or “SoD,” on the IT side of your business.
Separation of Duties - Information Technology (IT)
SoD, in which tasks are assigned so that no one person controls an entire process, thereby preventing fraud, has long been thought to apply only to accounting functions. Many companies have only recently begun to recognize the SoD issues emerging from Information Technology.
“Best Practices” would segregate IT functions into the following three categories:
· Development Group
1) This group has responsibility for systems development.
2) Tests & installs software. Provides connectivity of hardware.
3) Restricted access to “live” production data.
· Computer Operations Group
1) This group has responsibility for ensuring the continuing availability of the system.
2) Provides needed system disks, and documentation to users. Runs backup & recovery operations.
3) Should not have direct access to network administration.
· Network Administration Group
1) This group has responsibility for network administration on behalf of the system owner.
2) Provides network support to users. Monitors the information access of users.
3) Should not test, promote, or administer software programs.
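The three groups above amount to an access-control policy: each group has the permissions it needs, and each is barred from the permissions that would let one person control a whole process. The following is an added example, not part of the seminar remarks, showing how a small business could audit its user accounts against that policy. The group names and permission labels are assumptions modelled on the three groups described above, and the user assignments are constructed sample data.

```python
"""Separation-of-duties (SoD) audit for the three IT groups described above.

Added illustration, not from the original seminar.  Group names, permission
labels and the sample user assignments are assumptions constructed for this
example.
"""
from typing import Dict, Iterable, List, Set

# Permissions each IT group legitimately needs (assumed labels).
GROUP_PERMISSIONS: Dict[str, Set[str]] = {
    "development":   {"systems_development", "test_install_software",
                      "hardware_connectivity"},
    "operations":    {"system_availability", "backup_recovery",
                      "distribute_disks_docs"},
    "network_admin": {"network_administration", "user_support",
                      "monitor_user_access"},
}

# Permissions a group must NOT hold, per the restrictions listed above.
GROUP_RESTRICTIONS: Dict[str, Set[str]] = {
    "development":   {"production_data_access"},
    "operations":    {"network_administration"},
    "network_admin": {"test_install_software", "promote_software",
                      "administer_software"},
}


def effective_permissions(groups: Iterable[str],
                          direct_grants: Iterable[str] = ()) -> Set[str]:
    """Union of group-derived permissions and any grants made directly to the user."""
    perms = set(direct_grants)
    for g in groups:
        perms |= GROUP_PERMISSIONS[g]
    return perms


def sod_findings(groups: Iterable[str],
                 direct_grants: Iterable[str] = ()) -> List[str]:
    """Return a list of SoD findings for one user (empty list means clean)."""
    groups = list(groups)
    perms = effective_permissions(groups, direct_grants)
    findings: List[str] = []
    # One person in two groups controls more of the process than SoD allows,
    # even before looking at individual permissions.
    if len(groups) > 1:
        findings.append("member of multiple IT groups: " + ", ".join(sorted(groups)))
    # A group member holding one of that group's forbidden permissions, whether
    # through another group or a direct grant, is a conflict.
    for g in sorted(groups):
        for p in sorted(GROUP_RESTRICTIONS[g] & perms):
            findings.append(f"{g} must not hold {p}")
    return findings


def audit(assignments: Dict[str, dict]) -> Dict[str, List[str]]:
    """Audit every user; return only the users that have findings."""
    report: Dict[str, List[str]] = {}
    for user, entry in assignments.items():
        findings = sod_findings(entry.get("groups", ()), entry.get("grants", ()))
        if findings:
            report[user] = findings
    return report


# Constructed sample data: one clean user and three common SoD mistakes.
SAMPLE_ASSIGNMENTS: Dict[str, dict] = {
    "alice": {"groups": ["development"]},
    # Developer given direct access to live production data.
    "bob":   {"groups": ["development"], "grants": ["production_data_access"]},
    # Operations staffer who is also a network administrator.
    "carol": {"groups": ["operations", "network_admin"]},
    # Network administrator allowed to promote software to production.
    "dave":  {"groups": ["network_admin"], "grants": ["promote_software"]},
}


if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ASSIGNMENTS).items():
        print(user)
        for f in findings:
            print("  -", f)
```

The audit treats direct grants and group membership the same way, because in practice SoD is most often broken by a one-off grant ("just give the developer read access to the production database") rather than by a deliberate group assignment.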
SoD is not commonly addressed by small businesses. Small businesses are urged to recognize the wired society in which we conduct business today and to implement SoD controls for Information Technology.