
3606.3 Segregation of Duties

In This Section
3606.3.1 Introduction
3606.3.2 Definition and Assignment of Roles and Responsibilities
3606.3.3 Access Rights and Restriction
3606.3.4 Evaluation of Segregation of Duties

3606.3.1 Introduction

Global PwC Guidance

In order for internal control to be effective, there needs to be an adequate division of responsibilities among those who perform accounting procedures or controls and those who review such activities. Ideally, the flow of transaction processing and related activities are designed so that the work of one individual is either independent of, or serves as a check on, the work of another. A risk of material misstatement due to fraud or error may exist if the entity does not segregate incompatible duties and functions or if the underlying IT or physical access rights are inconsistent with the objective of segregating duties.

Segregation of duties ("SoD"):

  • Reduces the risk of undetected error and limits opportunities to misappropriate assets or conceal intentional misstatements in the financial statements.
  • Serves as a deterrent to fraud or concealment of error because of the need to recruit another individual's co-operation (collusion) to conceal it.
When segregation of duties is facilitated by the use of IT, it is:
  • Accomplished by the proper definition and assignment of roles and responsibilities for processes and controls related to the entity's information system, including the related business processes relevant to financial reporting.
  • Enabled by appropriate user access rights and restrictions built into the IT applications and/or other aspects of the IT environment.
  • Supported by information technology general controls (ITGCs) over system access rights and restrictions.
[Diagram: components of IT-enabled segregation of duties]
  • Definition of roles and responsibilities at user level. Typically, there will be an expectation of what responsibilities each role should be assigned.
  • The proper assignment of those roles and responsibilities to each user, enabled by appropriate user access rights and restrictions built into the applications and other elements of the IT environment (database, operating system, network).
Controls within each component of the diagram above need to be designed, implemented and operating effectively for us to obtain sufficient evidence that appropriate segregation of duties has been achieved.
Restricted access and segregation of duties differ as described below:
  • Restricted access refers to assigning access rights to physical assets (e.g., access to the warehouse where inventory is stored), or to applications and other aspects of the IT environment in line with an individual's roles and responsibilities. Restricted access does not address the appropriateness of an individual's responsibilities for initiating, recording or authorizing transactions and/or maintaining custody of assets, which is the topic addressed by segregation of duties. An example of restricted access is only allowing the payroll manager to have access to payroll related data in the entity's HR application. See PwC Audit 5107.4.3 for guidance relating to restricted access.
  • Segregation of duties refers to the division of responsibilities between those who initiate, record or authorize transactions and those who review or approve those activities and/or maintain custody of assets. An example would be an individual who has the authority and ability to post a journal entry to the general ledger not being given the authority to approve journal entries.

Risk of incompatible duties

Due to diversity in entity sizes, applications and/or other aspects of the IT environment, types of operations, and a host of other variables, there is no single set of segregation of duties controls that can be applied universally. Variety is to be expected, and the effectiveness of segregation of duties controls will depend on entity-specific circumstances and risks. It is not uncommon for entities to combine functions or duties that would ideally be segregated where the risks of combining them are sufficiently low or are otherwise mitigated. Points to consider when assessing whether incompatible duties could give rise to a risk of material misstatement include:
  • The volume, complexity and financial significance of different types of transactions
  • The sequence of steps necessary to process transactions
  • The technology and application system(s) used to process transactions
  • The opportunities or motives for individuals to commit fraud or perpetuate errors
  • The risk of loss or financial misstatement due to errors or fraud
Based on the analysis performed we may conclude there is a low risk of material misstatement related to incompatible duties as controls have been implemented that are responsive to the potential misstatement. In such situations, we document the rationale for why the lack of segregation of duties does not present the potential for fraud or management override and how the controls reduce the risk of material misstatement. For example, the entity may have alternative or compensating controls that mitigate the risk arising from incompatible duties.
If we conclude the risk of combining certain duties is not sufficiently low, we identify a control deficiency and follow the guidance in PwC Audit 6101 and PwC Audit 8300.4.

Example:

An organization that provides on-site warranty services via field technicians driving trucks containing spare parts may hold the technicians responsible for: maintaining custody of the inventory; recording inventory usage via handheld wireless data input devices; and directly purchasing and replenishing the inventory. While typically we would not expect to see such duties combined for any one individual, determining whether the combination creates an internal control deficiency requires further consideration of the risk of material misstatement to the financial statements due to error or fraud, such as:
  • How material is the inventory to the financial statements, and how vulnerable is the inventory to misuse or theft based on its nature and value to others?
  • Is the risk of fraud or error spread among a very large number of independent service technicians or is it concentrated with a few?
  • Are there alternative or compensating controls such as periodic physical inventory counts performed by internal audit or regional supervisors or other independent parties?
If we conclude that the combination of activities the technicians perform represents a deficiency in internal control, we follow the guidance in PwC Audit 6101.
Based on the analysis performed we may conclude there is a lower risk of incompatible duties as alternative or compensating controls exist. In such situations we document the rationale for why the lack of segregation of duties does not present the potential for fraud or management override and how alternative controls mitigate the risks arising from the lack of SoD.
Guidance addressing segregation of duties in less-complex entities is included in PwC Audit 3606.6.

3606.3.2 Definition and Assignment of Roles and Responsibilities

Global PwC Guidance

Dividing or segregating incompatible duties among different people reduces the risk of error or of fraudulent actions. This division of responsibilities generally consists of assigning different people to the roles for:
  • Authorizing transactions
  • Performing controls related to recording and processing transactions
  • Monitoring those controls
  • Maintaining accounting records
  • Having physical access or custody of assets or key records/documents

Examples of the division or segregation of incompatible duties

  • To reduce the risk of error, management may establish procedures for the review and approval of monthly reconciliations of a control account by a supervisory level employee who does not perform the reconciliations.
  • To reduce the risk of fraud, the ability to mark goods as "shipped" and the ability to generate invoices in the application are segregated, to prevent the theft of inventory from the warehouse being concealed as sales.
  • To help prevent unauthorized changes, IT developers do not have access to migrate changes to the production environment. Having the ability to develop and implement changes in the production environment might allow for circumvention of change management controls that, in turn, may result in ineffective information processing controls or allow direct manipulation of financial transactions and data.
  • To help prevent unauthorized changes, 'super user' access is granted only to a limited number of users within the IT department and the system logs of their activities are monitored on a periodic basis by an independent individual in the IT department, with appropriate authority and understanding of the activities performed by the IT team.
  • Access to the production environment is controlled using Firefighter access controls. Firefighter access controls mean that access to change or update the production environment is provided only for authorized changes that have been tested and approved in the test environment. There are restrictions over which users are granted this access and there is a time limit set. The logs of changes are reviewed as part of change management controls (see PwC Audit 3606.2.5.1.2 for further considerations relating to firefighter access).

Assigning roles and responsibilities within the IT environment:

In the case of segregation of duties within the IT environment, we consider:
  • The specific activity that needs to be segregated within the application or other aspects of the IT environment. We obtain this understanding as part of our understanding of the IT environment and identification of controls relevant to the preparation of the financial statements.
  • The entity's policies and procedures and the definition of the roles or profiles that ensure the segregation of duties for each of those activities. If the definition of roles and responsibilities is not formalized by the entity, this does not necessarily preclude the entity from implementing appropriate segregation of duties. In these circumstances, we still obtain an understanding of, and evaluate, if appropriate, whether the entity has implemented appropriate segregation of duties and assess the impact on our risk assessment (error and fraud).
  • Inherent authority workflows within the application (also known as maker-checker controls). Many applications have approval workflows in the processing of transactions (e.g., an application does not allow the same user creating a journal to approve it). We consider whether any of the data or functionality we have identified as relevant to the audit is impacted by these workflows. When they are inherent to the application, it is unlikely the entity will be able to modify the segregation of duties the workflows provide. However, when the entity has developed its own approval workflows and/or they are configurable within the application, our testing approach would typically focus on ensuring the segregation of duties is maintained throughout the period.
  • Whether the entity uses single sign-on ("SSO"). To facilitate the administration of access, many entities grant a network user ID which allows the users to sign on to the system only once and access all the applications or other aspects of the IT environment their role or profile grants them. When the entity does not use SSO, it may result in multiple user accounts or IDs for a single person.
When the assignment, maintenance and monitoring of segregation of duties within the IT environment is automated through, for example, the use of identity management or governance, risk and compliance tools, we identify whether the tool is an IT application, in which case we follow the guidance in PwC Audit 3606.2 for the identification of risks arising from the use of these tools and the ITGCs the entity has implemented to address those risks; or an End User Computing (EUC) tool and follow the guidance in PwC Audit 5107.5.
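
The maker-checker workflow described above, combined with the point that one person may hold several user IDs when SSO is not used, can be illustrated with an added example. This is not PwC's code and not any application's actual workflow engine; the user IDs, person names and journal values are constructed assumptions. The point it demonstrates is that the checker step must compare the people behind the IDs, not the IDs themselves, or a second account would defeat the control.

```python
"""Maker-checker (two-person) approval enforced at the person level.

Added illustration, not PwC's code. The user-to-person mapping, user IDs and
journal values below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed mapping of application user IDs to the individual behind them.
# Without single sign-on one person may hold several IDs; the control compares
# people so that a maker cannot approve their own journal from a second ID.
USER_TO_PERSON = {
    "jsmith": "Jane Smith",
    "jsmith2": "Jane Smith",   # second ID held by the same person
    "rlee": "Robert Lee",
}


class SegregationOfDutiesError(Exception):
    """Raised when one person attempts both halves of a two-person control."""


@dataclass
class JournalEntry:
    journal_id: str
    created_by: str                      # user ID of the maker
    amount: float
    approved_by: Optional[str] = None    # user ID of the checker, once approved
    history: List[Tuple[str, str]] = field(default_factory=list)


def person_for(user_id: str) -> str:
    """Resolve a user ID to a person; an unmapped ID is treated as its own person."""
    return USER_TO_PERSON.get(user_id, user_id)


def create_journal(journal_id: str, user_id: str, amount: float) -> JournalEntry:
    """Maker step: record who created the journal."""
    entry = JournalEntry(journal_id, user_id, amount)
    entry.history.append(("created", user_id))
    return entry


def approve_journal(entry: JournalEntry, approver_id: str) -> JournalEntry:
    """Checker step: refuse approval by the maker, even under a different user ID."""
    if person_for(approver_id) == person_for(entry.created_by):
        raise SegregationOfDutiesError(
            f"{approver_id} cannot approve journal {entry.journal_id}: "
            f"same person as creator {entry.created_by}")
    entry.approved_by = approver_id
    entry.history.append(("approved", approver_id))
    return entry


def try_approve(entry: JournalEntry, approver_id: str) -> bool:
    """Return True if the approval was accepted, False if the control blocked it."""
    try:
        approve_journal(entry, approver_id)
        return True
    except SegregationOfDutiesError:
        return False


if __name__ == "__main__":
    je = create_journal("JE-1001", "jsmith", 25000.0)
    print("self-approval accepted:", try_approve(je, "jsmith"))        # False
    print("second-ID approval accepted:", try_approve(je, "jsmith2"))  # False
    print("independent approval accepted:", try_approve(je, "rlee"))   # True
    print(je.history)
```

A workflow that only compared `created_by` against the approving user ID would accept the `jsmith2` approval; the person-level check is what makes the control hold when the entity does not use SSO.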

3606.3.3 Access Rights and Restriction

Global PwC Guidance

The ability to achieve effective segregation of duties is enhanced by implementing proper controls over access to applications or other aspects of the IT environment, data, documents or assets. Such access is restricted to authorized individuals commensurate with the duties assigned to them in the design of internal control. When controls over access rights are subject to our design and implementation evaluation and our operating effectiveness tests, including ITGC test results, we consider the results of this access testing to obtain evidence over the entity's segregation of duties controls.

Logical segregation of duties

When the initiation, recording, review, authorization and/or approval of activities is supported by IT, segregation of duties within the IT environment is implemented through the role and associated access rights granted to that user based on the role. Roles' definitions, including associated access rights, are used as a basis for provisioning, maintaining and removing access rights within the IT environment.

Physical segregation of duties

Physical controls are commonly needed for restricting physical access to assets such as cash, securities or inventory or other items that might easily be converted to cash or misappropriated for personal use. These controls are often evaluated through observation & inquiry procedures.

Examples:

  • The design of controls over sales transactions may include the segregation of billing and shipping duties. However, the desired level of control may not be achieved if an individual responsible for processing shipping transactions also has the ability, through inappropriate user access rights, to process billing transactions on the system.
  • The design of controls over cost of sales may require physical custody of inventory to be segregated from other inventory processing and accounting responsibilities. However, the desired level of control may not be achieved if inventory is easily accessible to individuals other than those charged with custodial responsibility.
Establishing appropriate access rights also contributes to the achievement of the information processing objectives.
See PwC Audit 3606.4 for guidance on information processing objectives and PwC Audit 5107.4.3 for further guidance on testing restricted access.

3606.3.4 Evaluation of Segregation of Duties

Global PwC Guidance

Below are procedures that may be considered in an audit where reliance is expected to be placed on segregation of duties as a control. We focus on understanding segregation of duty controls in areas where there is a reasonable possibility of a material misstatement due to fraud or error, depending on the assessment of risks and the nature of the entity's approach to mitigating fraud risk (see PwC Audit 3606.1 for guidance on identification of controls that address risk of material misstatement).
When evaluating segregation of duties controls, we consider the skills and experience needed to perform the procedure and consider whether resources such as Risk Assurance or forensic specialists are to be involved. When evaluating segregation of duties, we employ the following 6 steps:

Step 1 - Understand the entity's control environment and related assignment of functional duties

An understanding of the components of the entity's system of internal control is important in evaluating the effectiveness of segregation of duties.
A further understanding is obtained at the information processing level when reliance on controls is planned or whenever properly assigned and segregated duties are important for evaluating the components of the entity's system of internal controls. Judging whether duties need to be segregated to properly mitigate the risks of fraud or error will take into account the particular circumstances of the client. It is not uncommon for organizations to combine functions or duties that would ideally be segregated where the risks of combining them are sufficiently low or are otherwise mitigated. Consequently, we apply judgement to evaluate the need for segregation of duties in light of circumstances that may vary widely from entity to entity.

Step 2 - Obtain evidence that duties are actually being carried out in accordance with individuals' assigned roles and responsibilities

It is important to obtain evidence, not only that the roles and responsibilities are properly assigned (Step 1), but also that they have been implemented as designed. Procedures to obtain such evidence as part of understanding and evaluating controls might include targeted inquiry of individuals with varying duties and responsibilities throughout the transactions cycle, combined with direct observation of their respective activities.

Step 3 - Understand the entity's approach for defining and assigning rights to access applications, data or other aspects of the IT environment, documents or assets. Evaluate whether system and physical access rights are appropriately assigned to achieve effective segregation of duties control(s) design

Obtain an understanding of management's approach to security and evaluate how management's establishment of access rights and restrictions supports segregation of duties. This step can be technically challenging, depending on the complexity of the entity's systems/processes and the entity's approach to managing system security (e.g., by transactions, role based, by the person, using governance risk and compliance (GRC) tools). Note that inappropriate access rights and restrictions do not just affect segregation of duties. Delegation of authority and information processing objectives may also be adversely affected. For example, access to a sensitive transaction such as the ability to update vendor master file records may be granted to an excessive number of individuals without commensurate duties or authority.
Role based security will have additional considerations which typically would include the assignment of transactional capabilities to the roles and how changes can be made to the capabilities assigned to those roles. If role based security is not utilized, considerations may include determining how segregation of duties is considered when granting access as well as recertifying access. In a role-based security model, the recertification of access may typically include a periodic recertification of the transaction capabilities assigned to roles, including segregation of duties considerations. For example, there may be a segregation of duties check at the time of provisioning, a periodic segregation of duties review to identify conflicting access, and/or a periodic recertification of transactional capabilities within the roles. Additionally, any changes to roles would generally be expected to follow management's change management controls.
As part of this, we understand ITGCs and related monitoring activities and evaluate whether they are properly designed to preserve the ongoing integrity and appropriateness of access rights and restrictions supporting segregation of duties. Also refer to PwC Audit 5107 for guidance on ITGCs.
These procedures are ideally performed as an integral part of our understanding of the business processes.

Step 4 -Test the operating effectiveness of ITGCs and monitoring controls

This step is necessary if we plan to place reliance on ITGCs and/or monitoring controls. ITGCs may provide evidence of the continued reliability of segregation of duties IT dependencies if they operate at a level which includes specific evaluation of segregation of duties in line with users' roles and responsibilities. An example of such an ITGC is "access requests to the application/database/operating system/network are properly reviewed and authorized by management", if that review considers SoD before the access request is authorized.
When we plan to test the operating effectiveness of access ITGCs to obtain evidence over the reliability of segregation of duties within the IT environment, our testing approach needs to consider and evaluate whether the roles and responsibilities assignment and access rights are included within the operation of the ITGCs, including whether the users are assigned the right access or right roles through the access provisioning process and whether individuals could have multiple user IDs with different roles assigned to them.
Depending on the complexity of the application or other aspects of the IT environment, the setup of roles and responsibilities and how the entity manages segregation of duties within the IT environment (including how changes to access rights are managed), the understanding of whether ITGCs provide direct support to restricted access IT dependencies and the testing of these ITGCs may warrant the support from a Risk Assurance specialist. It is important for the engagement team to collaborate with Risk Assurance in the evaluation of the design and assignment of roles because typically the Risk Assurance specialists do not have the same level of understanding of the entity's roles as the core engagement team. This understanding is important to properly assess whether, for example, the role "payroll manager" within the payroll application has been assigned to the right individual.
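
Step 3 describes a segregation of duties check at the time of provisioning and a periodic review to identify conflicting access, and Step 4 adds that individuals may hold multiple user IDs with different roles. The following added example (not PwC's code and not the logic of any GRC product) implements both checks over a role-based model. The roles, capabilities, conflict pairs and user population are constructed; the conflict pairs mirror the incompatible duties this guidance uses as examples (shipping versus invoicing, posting versus approving journals, developing versus migrating changes), and an entity's own conflict matrix would be specific to its circumstances.

```python
"""Role-based segregation of duties checks: a preventive gate at provisioning
time and a detective periodic review over actual assignments.

Added illustration, not PwC's code. Roles, capabilities, conflict pairs,
user IDs and the user-to-person mapping are all constructed for the example.
"""
from collections import defaultdict

# Role -> transactional capabilities granted in the application (constructed).
ROLES = {
    "warehouse_clerk": {"mark_shipped"},
    "billing_clerk": {"generate_invoice"},
    "gl_accountant": {"post_journal"},
    "gl_supervisor": {"approve_journal"},
    "developer": {"develop_code"},
    "release_manager": {"migrate_to_production"},
    "vendor_admin": {"update_vendor_master"},
}

# Capability pairs that must not be held by the same person (constructed,
# following the incompatible-duty examples in the guidance).
CONFLICT_PAIRS = {
    frozenset({"mark_shipped", "generate_invoice"}),
    frozenset({"post_journal", "approve_journal"}),
    frozenset({"develop_code", "migrate_to_production"}),
}

# User ID -> person. Without SSO one person can hold several IDs, so both
# checks aggregate capabilities per person rather than per ID.
USER_TO_PERSON = {
    "aross": "A. Ross", "aross_dev": "A. Ross",
    "bkim": "B. Kim",
    "cdiaz": "C. Diaz",
}

# Current role assignments per user ID (constructed).
ASSIGNMENTS = {
    "aross": {"release_manager"},
    "aross_dev": {"developer"},      # conflict only visible at person level
    "bkim": {"warehouse_clerk"},
    "cdiaz": {"gl_accountant", "gl_supervisor"},
}


def capabilities_of(roles):
    """Union of capabilities across a set of roles; unknown roles grant nothing."""
    caps = set()
    for role in roles:
        caps |= ROLES.get(role, set())
    return caps


def conflicts_in(caps):
    """Sorted list of conflicting capability pairs fully present in caps."""
    return sorted(tuple(sorted(pair)) for pair in CONFLICT_PAIRS if pair <= caps)


def person_capabilities(assignments, user_to_person):
    """Aggregate capabilities per person across all of that person's user IDs."""
    per_person = defaultdict(set)
    for user_id, roles in assignments.items():
        per_person[user_to_person.get(user_id, user_id)] |= capabilities_of(roles)
    return per_person


def check_provisioning(user_id, new_role, assignments=ASSIGNMENTS,
                       user_to_person=USER_TO_PERSON):
    """Preventive check: conflicts that granting new_role would create for the person."""
    person = user_to_person.get(user_id, user_id)
    current = person_capabilities(assignments, user_to_person).get(person, set())
    return conflicts_in(current | capabilities_of({new_role}))


def periodic_review(assignments=ASSIGNMENTS, user_to_person=USER_TO_PERSON):
    """Detective check: every person currently holding a conflicting combination."""
    findings = {}
    for person, caps in person_capabilities(assignments, user_to_person).items():
        found = conflicts_in(caps)
        if found:
            findings[person] = found
    return findings


if __name__ == "__main__":
    for person, found in periodic_review().items():
        print(f"{person}: {found}")
    print("grant billing_clerk to bkim:", check_provisioning("bkim", "billing_clerk"))
    print("grant vendor_admin to bkim:", check_provisioning("bkim", "vendor_admin"))
```

A review that keyed on user IDs alone would report no finding for A. Ross, because the developer and release manager roles sit on two different IDs; aggregating by person is what surfaces it, which is the reason Step 4 asks whether individuals could have multiple user IDs.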

Step 5 - Obtain evidence that physical access and/or access rights to applications and/or other aspects of the IT environment are actually granted to and/or restricted from individuals in accordance with their assigned access rights and restrictions

It is important to obtain evidence, not only that access rights are properly assigned in the design of controls (Step 3), but also that access rights have actually been granted to, or restricted from, personnel according to the design (e.g., testing that the actual access granted is appropriate based on the individuals' job responsibilities and enforces the segregation of duties contemplated in the design). This step is generally performed as of a point in time and the nature, timing and extent of our work can vary depending on the results of work performed in the other steps as well as the results of testing the design and operating effectiveness of ITGCs (e.g., provisioning, termination and recertification controls).

Examples

  • If our work on ITGCs indicates that the process for granting application user access rights is ineffective, we may want to perform more extensive testing of actual access rights granted to evaluate segregation of duties contemplated in the design. In cases where a significant risk relating to security and access has been identified, a substantive response would be needed. Often this substantive response would include evaluating the appropriateness of the actual access rights assigned and enforcement of segregation of duties. Note: For significant risks, we perform substantive procedures, including tests of details, that are specifically responsive to the assessed risks.
  • If our assessment based on the first four steps is that the entity has an effective combination of preventive and detective controls and a long, validated history of little or no issues related to the establishment of system access rights and restrictions, then we may be able to reduce the nature and extent of work needed to test actual system access rights and restrictions based on our understanding, evaluation and testing of the ITGCs and related monitoring activities. For example, we might be able to limit our testing of actual access rights and restrictions to a sampling of higher risk transaction types or users, rather than a more extensive testing of perhaps all users' rights and restrictions.
It is likely that most entity environments will require some combination of preventive and detective controls to maintain appropriate day-to-day access rights and restrictions. The required frequency of monitoring will vary depending upon the risks and effectiveness of preventive controls. Any exceptions identified in this test of access rights would also be evaluated to consider what impact those results may have regarding our conclusion on the overall effectiveness of ITGCs.

Step 6 - Evaluate and respond to segregation of duties deficiencies

If reliance was planned on segregation of duties as a selected control and deficiencies are noted within the segregation of duties controls, we document the deficiency and evaluate the severity and the impact of the deficiency on our audit approach. In evaluating the impact on our audit approach, we follow the guidance in PwC Audit 6101.
In evaluating the design effectiveness of segregation of duties controls, consider other internal control components as follows:

Internal control component: Control environment
Considerations: Does management establish an organization structure that considers key areas of authority and responsibility, establish appropriate lines of reporting, and define the framework for delegating and limiting authority commensurate with responsibilities?

Internal control component: The entity's risk assessment process
Considerations: Does management consider the risk of error or fraud due to lack of appropriate segregation of duties or inappropriate access rights that give rise to a risk of material misstatement to the financial statements?

Internal control component: The entity's process to monitor the system of internal control
Considerations: Does management monitor the controls over access rights and restrictions to verify they remain appropriate over time? Such monitoring activities might include:
  • Periodic testing of system access rights and restrictions in order to complement the entity's ITGCs and to monitor their effectiveness. This activity is analogous to the practice of taking periodic physical inventory counts to complement and monitor preventive controls in a perpetual inventory cycle.
  • Evaluation (both periodic and event-driven) of the impact of changes in the business, process or systems on roles and responsibilities and assigned access rights and restrictions.

Internal control component: Information system and communication
Considerations: Does management clearly communicate roles and responsibilities and function duties in a manner that supports the relevant internal control objectives?

Using technology solutions to evaluate segregation of duties

There are a variety of audit tools and practice aids to assist us in evaluating segregation of duties and restricted access of certain Enterprise Resource Planning (ERP) applications and technical platforms. Automated tools exist for a few of the more common ERP applications and technical platforms which can be used to assist the team in testing access rights assigned within the entity's systems. When we make use of these tools, we follow the guidance for documentation of work performed using technology solutions as part of an audit in PwC Audit 1304.3. The use of these tools does not exempt us from understanding and evaluating the controls relating to the entity's assignment of roles and responsibilities and how these are translated into access rights within applications and/or other aspects of the IT environment.
Management may use similar tools to facilitate their assessment. If we plan to leverage management's use of such tools, we consider both the IT dependencies relating to use of the tool (typically automated controls) and the tool as an application or an End User Computing (EUC) tool. We also consider the manual controls surrounding the use of the tool. We may consider the effectiveness and reliability of management's tool and its output through an evaluation of the system logic and/or our own independent testing.