I've been "off the board" for a while ... but this thread caught my eye.
In looking at all of the responses, I'm somewhat shocked that no one
has discussed WHY the auditor is looking for separation of duties &
what the implications of this are. It's even more shocking that the
discussion has been on technology and not on accounting standards!
If you are interested, check out:
http://en.wikipedia.org/wiki/Separation_of_duties
My small company has been audited for the past 10 years. Even though
we are privately held, we decided to be audited to make it easier for
us to get financing when we need it. Separation of duties is always a
key audit point!
No one likes bureaucracy, but the purpose of separation of duties is
clear ... that it requires a conspiracy of at least two people in
order for fraud to occur. For example, a "trusted" person to change
inventory quantities in a file (ENDJRN, DFU/DBU, STRJRN anyone) & a
person in the warehouse to remove the inventory. How many of your
systems could catch this?
Quite frankly, 90% of System i shops that I have visited have no clue
about even the basic concepts of internal controls. What's worse,
their "professional staffs" often exhibit the attitudes seen in this
thread.
Keep in mind that a primary role for computerized systems is to
enforce standard, correct methods of operation. Company officers are
liable for any deviations ... and if they are subject to Sarbanes-Oxley
regulations, they are CRIMINALLY LIABLE for any issues that
occur. Most of you should pray that no one in your companies ever
finds your postings (via Google, etc.)!!!
In a recent midrange jobs thread, there has been a LOT of discussion
about "Why do I need an education?". With my undergraduate degree, I
certainly learned the principles of internal controls (including
separation of duties). If you don't want to lose your jobs to
globally sourced techs/coders (willing to work for a fraction of
USA-based salaries), you should upgrade your perspectives ... after
all, a tech in India is much less likely to be able to cook up a
scheme over beers in a bar with a warehouse worker than most of you
are.
PLEASE don't take this as an endorsement of off-shoring. I have made
a conscious decision to employ USA-based USA citizen programmers (no
H1b's) ... at a significant labor expense differential.
John
On Oct 31, 2007 10:17 AM, Graap, Kenneth <keg@xxxxxxxxxxxxx> wrote:
We are in the middle of an IS Audit and the auditor is asking us why we
don't separate the duties of DB Administrator and System Administrator
on our System i platform.
Historically we have always combined these duties on the System i but
we are now being pressured to come up with a way to separate them.
Has anyone else had to do this and if so, how did you define these duties
and set up system security to enforce it?
or ... can anyone share a compelling argument for not separating these
duties?
Kenneth
****************************************
Kenneth E. Graap
IBM Certified Specialist
iSeries Multiple System Administrator
NW Natural (Gas Services)
keg@xxxxxxxxxxxxx
Phone: 503-226-4211 x5537
FAX: 503-721-2518
****************************************
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list