Segregation of Duties
Chapter 10: Hotel Financial Internal Control and Cash Management

10-1 Principles of Internal Control
1. Establishment of responsibility
Control is most effective when only one person is responsible for a given task.
3. Documentation procedures
Documents should provide evidence that transactions and events have occurred. Documents should be prenumbered and all documents should be accounted for.
4. Physical, mechanical, and electronic controls
[Figure: making a sale: sales, shipping, billing]

10-2 Internal Control to Cash Receipts
5. Independent Internal Verification
Supervisors count cash receipts daily; treasurer compares total receipts to bank deposits daily.
6. Other Controls
Bond personnel who handle cash; require employees to take vacations; deposit all cash in bank daily.
Common IT Terms and Their Detailed Explanations

Common IT terms and their detailed explanations (for cross-reference while reading the CISA manual).
Salami Technique. A computer fraud method. Computer code instructs the computer to round off small amounts from an authorized computer transaction and reroute them so that the small amounts accumulate in the perpetrator's account.
Scheduling. A method for determining and establishing the order in which computer jobs are processed.
Screening Routers. A router that uses a set of authorization rules to allow or deny traffic passing through it.
SDLC (System Development Life Cycle). All phases of developing or acquiring a system, typically including feasibility study, requirements analysis, requirements definition, detailed design, programming, testing, implementation and post-implementation review.
Security Administrator. The person responsible for implementing, monitoring and enforcing the security control procedures authorized and established by management.
Security Software. Software used to administer logical security, typically including user authorization, granting access according to pre-defined rules, monitoring, and report generation.
Segregation of Duties. The division of job responsibilities so as to prevent or detect an individual's accidental or deliberate errors, omissions, or misuse of company assets.
Separation of Duties. See Segregation of Duties.
Sequence Check. Verification that control numbers are used in sequence; any item out of sequence is rejected or noted on an exception report for further follow-up.
Sequential File. A computer file storage format in which records are stored one after another. The records can only be accessed sequentially; magnetic tape, for example, requires this storage format.
Service Bureau. A computer facility that provides data processing services to clients.
Smart Card. This procedure eliminates the need for traditional login codes and passwords. The user logs in to the system with a personal handheld device that holds a computed one-time password. After the user signs on over the communication line, the host sends an encrypted password to the handheld device; the device decrypts it, and the user enters the result back into the device to return it to the host for verification, which validates that the login is valid and legitimate.
Sales and Collection Cycle Audit [English]

A. Accounts in the Sales and Collection Cycle
Sales: cash sales; sales on account.
Cash in Bank: cash sales; cash receipts.
Accounts Receivable: debit (left) side: beginning balance, sales on account; credit (right) side: cash receipts, sales returns and allowances, charge-off of uncollectible accounts; ending balance.
Cash Discounts Taken.
Sales Returns and Allowances.
Bad Debt Expense.

A. Accounts in the Sales and Collection Cycle (continued)
Accounts Receivable: debit (left) side: beginning balance, sales on account; credit (right) side: cash receipts, sales returns and allowances, charge-off of uncollectible accounts; ending balance.
Allowance for Uncollectible Accounts: debit (left) side: charge-off of uncollectible accounts; credit (right) side: beginning balance, estimate of bad debt expense.

II. Sle
A. Authorizing sales transactions
B. Approving credit
C. Recording sales
D. Maintaining custody of goods
E. Suggested List of Duties to be Segregated
Segregation of Duties

Segregation of Duties – SoD

Applies to: Segregation of Duties, GRC, SAP Access Control Suite.

Summary
Under growing pressure from regulatory standards issued by different governments, such as SOX, a US accounting law, it is clear that access controls must be properly defined and implemented. SoD, or Segregation of Duties, says that an individual should not have access rights to a function or process end-to-end. An organization spread across various systems and geographies needs a well-defined strategy for carrying out Segregation of Duties effectively.

Author: Nuzhat Khan
Company: HCL Technologies
Created on: 19 Oct 2007

Author Bio
Nuzhat Khan is an Associate Consultant working with HCL Technologies.

Table of Contents
• Segregation of Duties
• Segregation of Duties and Role Matrix
• SoD and SOX Compliance
• SoD Implementation
• Disclaimer and Liability Notice

Segregation of Duties
Under growing pressure from regulatory standards and measures issued by different governments, it is clear that access controls must be properly defined and effectively implemented. Access control ensures that there is proper segregation of duties. SoD, or Segregation of Duties, is an important factor when dealing with the different responsibilities and job profiles across an enterprise.

Across an enterprise there are various functions, and each function is performed jointly by a set of roles and responsibilities. SoD says that these roles and responsibilities should be assigned so that, across the enterprise, no individual has end-to-end access rights over any function. The roles and responsibilities for a function should be divided so that no one person has full rights over it, which reduces the risk of malicious manipulation of the function. The more critical the function, the greater and clearer the Segregation of Duties should be.

Segregation of Duties deals with access controls. Access control ensures that one individual does not have access to two or more incompatible duties. Some examples of incompatible duties are:
• Creating a vendor and initiating payment to that vendor.
• Creating invoices and modifying them.
• Processing inventory and posting payment.
• Receiving checks and writing pay-offs.

Ideally, a single individual must not have the authority to create, modify, review and delete any transaction, task or resource. If an individual has access rights to both creation and modification, he can create an item and, after it has been reviewed, modify it to carry out fraud. Similarly, if an individual has both creation and deletion rights, he can create a transaction, initiate payment and later delete any transaction logs that could trace his activity.

Segregation of Duties ensures that:
• There are no errors, as SoD ensures a cross-check of roles and responsibilities.
• The risk of fraud is reduced, as fraud would have to involve two or more individuals.
• There is a clear separation of roles and responsibilities across the various functions of the organization.

Segregation of Duties must be carried out so that it reduces the risk that a function or process is misused for fraud. If proper SoD does not exist in an organization, then:
• Internal access controls are ineffective.
• Materials, money, financial assets and resources may be used improperly.
• The estimate of the financial condition may be wrong.
• Financial documents produced for audit and review may be incorrect.

There are circumstances where proper Segregation of Duties cannot be implemented. In such cases a mitigating control should be designed to keep a check on the unresolved SoD conflict. For example, if under some circumstances an individual must have both creation and modification rights, then a mitigating control should be designed to keep track of that individual's activities: for instance, a control that monitors the database where his creation and modification transaction data is saved, or a review of the transaction logs.

Segregation of Duties and Role Matrix
Segregation of Duties can be represented in a role matrix. A role matrix is a two-dimensional matrix. All the roles/responsibilities and functions/processes in the enterprise are identified and placed on the two axes of the matrix. Then, for each combination of role/responsibility and function/process on the x and y axes, a flag is set to indicate whether they conflict. The sample role matrix of the original document (figure not reproduced here) covers six processes and six responsibilities, one for each process, with the legend X - Existence of Conflict.

SoD and SOX Compliance
SOX is a US accounting law that deals with the financial accounting of companies. To comply with SOX requirements, IT processes must be well documented. Over each IT process there should be well-designed and documented internal controls, and these controls should be implemented, tracked and monitored. There should be effective controls over the key security and financial processes. The SOX IT audit tries to establish that processes and controls are in place and are being followed and tracked. In large, geographically distributed organizations, manual or paper-based processes and controls are not sufficient; there needs to be proof that these processes are followed and tracked.

In order to comply with section 404 of SOX, we should:
• Identify and document processes and SoD controls across key IT security and financial processes.
• Design mitigating controls, and document them, where appropriate SoD cannot be implemented.
• Design monitoring controls for critical processes and critical roles.
• Implement SoD and mitigating controls.
• Ensure continuous compliance by monitoring and tracking the controls.

SoD Implementation
Implementing SoD controls across an enterprise is a heavy exercise, so the implementation is done as a project. It can be carried out through the following steps:
• Identify the objective, hierarchy and nature of the organization, and the job profiles in it, by doing an organization scan.
• Identify the processes being followed in the organization.
• Identify the current state of roles/responsibilities and authorizations in the enterprise.
• Create the role matrix. Mark roles on one axis and functions on the other. Determine whether there would be an SoD conflict if access to a particular function were given to a single individual through that role, and flag the position in the matrix accordingly (yes or no).
• After analyzing the SoD conflicts in the role matrix, discuss them with management and make the required changes to resolve them.
• For positions in the role matrix where SoD conflicts cannot be resolved, design mitigating controls.
• According to the findings in the role matrix, generate the roles and mitigating controls in the enterprise system.
• Create a document that defines the required changes in a simple and organized manner.
• Document the various roles, processes and mitigating controls for auditing and reporting.
• Inform management, as well as those affected, of the required changes so that they are implemented in a well-organized and smooth manner.

SoD is critical in helping to manage risk. SoD issues and controls come up frequently in audits and reviews. SoD controls can be used as a step to measure and resolve the risks associated with the different roles and their access to functions. To resolve the conflicts, roles can be designed according to the business needs of the various functions and processes executed in the enterprise.

Disclaimer and Liability Notice
This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.
Financial Policy: Payment Policy (English)

Introduction
Financial policies are essential in any organization as they provide a framework for financial management, control, and decision-making. The payment system within an organization is crucial as it ensures that vendors, suppliers, and employees are paid promptly and accurately. This policy outlines the procedures and guidelines for the payment system within the organization.

Objective
The primary objective of this payment system policy is to ensure timely and accurate payments to vendors, suppliers, and employees. It aims to streamline the payment process, minimize errors, and enhance transparency and accountability in financial transactions.

Scope
This policy applies to all employees involved in the payment process, including finance staff, procurement staff, and department heads. It covers all payments made by the organization to vendors, suppliers, and employees, including but not limited to invoices, reimbursements, salaries, and benefits.

Payment Procedures
1. Authorization
All payments must be authorized by the appropriate personnel as per the organization's delegation of authority policy. The authorized signatories must review and approve all payment requests before processing.
2. Invoice Verification
All received invoices must be verified for accuracy and authenticity before processing payment. The finance department must ensure that the goods or services mentioned in the invoice were received and are in accordance with the terms of the contract.
3. Payment Processing
Payments can be made through various methods, including checks, electronic transfers, and online payment platforms. The finance department is responsible for processing payments in a timely manner and ensuring that all necessary documentation is attached to the payment request.
4. Vendor and Supplier Payments
Vendor and supplier payments are typically made within the terms of the contract or agreement. It is essential to maintain positive relationships with vendors and suppliers by making timely payments and resolving any payment issues promptly.
5. Employee Payments
Employee payments, including salaries, benefits, and reimbursements, are processed according to the organization's payroll schedule. The payroll department must ensure that all payments are accurate and comply with labor laws and regulations.
6. Reconciliation
The finance department must reconcile all payments made with the corresponding invoices, receipts, and bank statements to ensure accuracy and completeness. Any discrepancies must be investigated and resolved promptly.

Compliance and Controls
1. Segregation of Duties
To prevent fraud and errors, the organization must implement segregation of duties in the payment process. Different employees should be responsible for initiating, approving, and processing payments.
2. Internal Controls
The organization must establish robust internal controls to safeguard assets and ensure compliance with financial policies and procedures. This includes regular audits, reviews, and reconciliations of financial transactions.
3. Compliance
All payments must comply with applicable laws, regulations, and organizational policies. The finance department must stay updated on changes in financial regulations and ensure that payments are in compliance with them.
4. Transparency and Accountability
Transparency and accountability in the payment process are essential to ensure that funds are used appropriately and efficiently. The organization must maintain accurate records of all payments and make them available for audit and review.

Conclusion
A well-defined payment system policy is critical for the efficient and effective management of an organization's finances. By establishing clear procedures, guidelines, and controls for payments, the organization can minimize errors, prevent fraud, and ensure compliance with financial regulations. It is essential for all employees involved in the payment process to adhere to the policy and work together to achieve the organization's financial goals.
SoD Authorization Management Matrix

An SOD (Segregation of Duties) authorization management matrix is a tool for managing user authorizations in a system. It aims to ensure that no user's authorizations in the system are sufficient to let them commit fraud or abuse their privileges. An SOD authorization management matrix usually covers the following aspects:
1. Role definition. The matrix first requires defining the roles in the system, including the authorizations and responsibilities of each role. Roles may be based on job function, such as finance manager, auditor or cashier, or on system function, such as approving payments or modifying customer information.
2. Authorization analysis. Each authorization in the system is analyzed, including read, modify and delete operations. This step must clarify the specific effect and scope of impact of each authorization.
3. Conflict definition. The matrix must define which authorizations conflict with each other, that is, which should not be held by the same person. For example, a person with finance approval authority should not also hold authority to modify financial reports, in order to prevent malicious tampering with data.
4. Role assignment. The matrix must specify which roles may be assigned to the same user, and how many roles a single user may hold. This helps limit the scope of authorizations a user holds and reduces the potential risk of abuse.
5. Audit and monitoring. The matrix must also include audit and monitoring mechanisms for the assignment and use of authorizations, together with a corresponding process for handling violations. This helps ensure that authorizations are used appropriately and that abuse is detected and corrected promptly.
Overall, the SOD authorization management matrix is a comprehensive authorization management tool. By managing roles, authorizations, conflicts, assignment and monitoring together, it can effectively reduce the risk of internal fraud and abuse of authorizations in a system, and safeguard system security and data integrity.
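The role matrix described in the SAP document above and the conflict definition, role assignment and audit steps of the matrix summary can be reduced to a small program. The following Python script is an added example, not code from either document: duties are grouped into roles, pairs of incompatible duties form the conflict matrix, every user's combined role assignment is checked against it, and a documented mitigating control distinguishes an accepted conflict from an open finding. All role names, duty names, users and mitigating controls are constructed sample data.

```python
"""Segregation-of-duties check over a role matrix.

Added example; not code from the SAP document or the matrix summary above.
All roles, duties, users and mitigating controls are constructed sample data.
"""

# Conflict matrix: each entry is a pair of duties that one person must not
# hold together (constructed, following the incompatible-duty examples in the
# text: create vendor vs. pay vendor, create vs. modify invoice, and the
# initiate / approve / process split of a payment run).
CONFLICTS = {
    frozenset({"create_vendor", "initiate_payment"}),
    frozenset({"create_invoice", "modify_invoice"}),
    frozenset({"initiate_payment", "approve_payment"}),
    frozenset({"approve_payment", "process_payment"}),
}

# Roles and the duties (transaction rights) each role grants (constructed).
ROLE_DUTIES = {
    "ap_clerk": {"create_invoice", "initiate_payment"},
    "ap_manager": {"approve_payment"},
    "ap_superuser": {"create_invoice", "modify_invoice", "initiate_payment"},
    "treasury": {"process_payment"},
    "vendor_master_admin": {"create_vendor"},
}

# User -> assigned roles (constructed).
ASSIGNMENTS = {
    "alice": ["ap_clerk", "ap_manager"],
    "bob": ["vendor_master_admin", "ap_clerk"],
    "carol": ["treasury"],
    "dave": ["ap_superuser"],
}

# Documented mitigating controls, keyed by user and the conflict they cover
# (constructed). A conflict without an entry here is an open finding.
MITIGATIONS = {
    "bob": {
        ("create_vendor", "initiate_payment"):
            "weekly review of the vendor-change log against the payment run",
    },
}


def combined_duties(roles, role_duties=ROLE_DUTIES):
    """Union of all duties granted by a list of roles."""
    duties = set()
    for role in roles:
        duties |= role_duties[role]
    return duties


def find_conflicts(roles, role_duties=ROLE_DUTIES, conflicts=CONFLICTS):
    """Sorted list of conflicting duty pairs fully contained in the duties the
    given roles grant. Works for a single role (a conflict built into that
    role) as well as for several roles combined on one user."""
    duties = combined_duties(roles, role_duties)
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= duties)


def render_role_matrix(role_duties=ROLE_DUTIES, conflicts=CONFLICTS):
    """Text role matrix in the style of the document: 'X' marks a combination
    of two roles that would give one person an incompatible pair of duties;
    the diagonal shows conflicts already present inside a single role."""
    roles = sorted(role_duties)
    width = max(len(r) for r in roles)
    lines = [" " * width + " | " + " ".join(f"{i:>2}" for i in range(len(roles)))]
    for ra in roles:
        cells = []
        for rb in roles:
            mark = "X" if find_conflicts([ra, rb], role_duties, conflicts) else "."
            cells.append(f"{mark:>2}")
        lines.append(f"{ra:<{width}} | " + " ".join(cells))
    lines.append("Legend: " + ", ".join(f"{i}={r}" for i, r in enumerate(roles)))
    return "\n".join(lines)


def review_assignments(assignments=ASSIGNMENTS, mitigations=MITIGATIONS,
                       role_duties=ROLE_DUTIES, conflicts=CONFLICTS):
    """Per-user findings: each conflicting pair with status 'mitigated' when a
    mitigating control is documented for that user and pair, else 'open'."""
    report = {}
    for user, roles in assignments.items():
        findings = []
        for pair in find_conflicts(roles, role_duties, conflicts):
            status = "mitigated" if pair in mitigations.get(user, {}) else "open"
            findings.append((pair, status))
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    print(render_role_matrix())
    for user, findings in review_assignments().items():
        for pair, status in findings:
            print(f"{user}: {pair[0]} + {pair[1]} -> {status}")
```

Run stand-alone, the script prints the matrix and then one line per finding: alice (initiate and approve payment) and dave (create and modify invoices, both granted by one role) are open findings, bob's vendor-creation plus payment-initiation conflict is accepted under the documented log review, and carol has none. Checking at the level of combined duties rather than role names is what catches dave's case, where the conflict sits inside a single role rather than between two.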
DOA Authorization Management System (English)

Introduction
Delegation of Authority (DOA) is an essential component of any organization's governance structure. It defines the levels of authority and responsibility within the organization and ensures that decision-making processes are clear, efficient, and transparent. A DOA Authorization Management System is a set of policies, procedures, and controls that govern the delegation of authority within an organization. This system helps ensure that the right people have the right level of authority to make decisions and take actions on behalf of the organization.

This document outlines the key components of a DOA Authorization Management System, including the roles and responsibilities of different stakeholders, the process for authorizing and managing delegation of authority, as well as the controls and procedures that need to be in place to ensure compliance with organizational policies and regulations.

Roles and Responsibilities
1. Board of Directors/Executive Management
- The Board of Directors or Executive Management is responsible for defining the overall governance structure of the organization, including the levels of authority and responsibility within the organization.
- They are responsible for approving the delegation of authority policies and ensuring that they are implemented effectively.
- They are responsible for reviewing and approving any changes to the delegation of authority framework.
2. Chief Executive Officer (CEO)
- The CEO is responsible for overseeing the implementation of the delegation of authority policies within the organization.
- They are responsible for ensuring that the delegation of authority framework is aligned with the organization's strategic objectives.
- They are responsible for approving any changes to the delegation of authority framework that are proposed by management.
3. Chief Financial Officer (CFO)
- The CFO is responsible for managing the financial delegation of authority within the organization.
- They are responsible for defining the financial limits for different levels of authority within the organization.
- They are responsible for ensuring that the financial delegation of authority framework is aligned with the organization's financial policies and regulations.
4. Department Heads/Managers
- Department heads and managers are responsible for requesting and managing the delegation of authority for their teams.
- They are responsible for ensuring that the individuals within their teams have the appropriate level of authority to carry out their duties effectively.
- They are responsible for monitoring and reviewing the delegation of authority within their teams on a regular basis.

Process for Authorizing and Managing Delegation of Authority
1. Request for Delegation of Authority
- Department heads or managers can submit a request for the delegation of authority to the appropriate authority (e.g. CFO, CEO, Board of Directors).
- The request should include the reason for the delegation of authority, the individual(s) who will be delegated authority, the specific level of authority being requested, and any other relevant information.
2. Approval of Delegation of Authority
- The request for delegation of authority will be reviewed by the appropriate authority (e.g. CFO, CEO, Board of Directors).
- The approval will be granted only if it is determined that the individual(s) have the necessary skills, knowledge, and experience to exercise the delegated authority effectively.
- The approval will be communicated to the relevant department heads or managers, and the delegation of authority will be documented in writing.
3. Monitoring and Review
- The delegation of authority will be monitored and reviewed on a regular basis to ensure that it is being exercised effectively and in accordance with the organization's policies and regulations.
- Any deviations from the approved delegation of authority will be investigated and appropriate actions will be taken to address them.
- Any changes to the delegation of authority framework will be communicated to all relevant stakeholders.

Controls and Procedures
1. Segregation of Duties
- The organization should ensure that there is a clear segregation of duties between individuals who have been delegated authority.
- This helps reduce the risk of fraud or error and ensures that no single individual has complete control over a particular process or activity.
2. Authorization Limits
- The organization should define clear authorization limits for different levels of authority within the organization.
- These limits should be based on the complexity and risk associated with the decisions being made and should be periodically reviewed and updated as necessary.
3. Documentation and Reporting
- All delegations of authority should be documented in writing, including the reason for the delegation, the individuals involved, and the specific limits of authority granted.
- Regular reports should be generated to track the delegation of authority within the organization and to ensure that it is being exercised effectively.

Conclusion
A DOA Authorization Management System is essential for any organization to ensure that decision-making processes are clear, efficient, and transparent. By defining the levels of authority and responsibility within the organization, delegating authority effectively, and implementing appropriate controls and procedures, organizations can ensure that the right people have the right level of authority to make decisions and take actions on behalf of the organization. Implementing a DOA Authorization Management System can help improve organizational efficiency, reduce the risk of fraud or error, and ensure compliance with organizational policies and regulations.
Summary of Accounting Knowledge Points (English)

Introduction
Accounting is a fundamental aspect of any business, as it involves the recording, analyzing, and reporting of financial transactions. It provides businesses with essential information to make informed decisions, assess their financial health, and comply with regulatory requirements. In this article, we will summarize and consolidate key accounting knowledge points that are crucial for understanding the principles and practices of accounting.

1. Basics of Accounting
1.1. Definition of Accounting
Accounting is the process of recording, analyzing, and interpreting financial transactions of an organization. It provides a systematic and comprehensive record of all financial activities and enables the preparation of financial statements.
1.2. Accounting Equation
The accounting equation, also known as the balance sheet equation, is a fundamental principle of accounting that states:
Assets = Liabilities + Equity
This equation represents the relationship between a company's assets, liabilities, and equity, and must always remain in balance.
1.3. Types of Accounting
There are several types of accounting, including financial accounting, management accounting, cost accounting, and tax accounting. Each type serves a specific purpose and audience, such as external stakeholders, internal management, and regulatory authorities.

2. Financial Statements
2.1. Balance Sheet
The balance sheet is a financial statement that provides a snapshot of a company's financial position at a specific point in time. It lists the company's assets, liabilities, and equity, and is used to assess its solvency and liquidity.
2.2. Income Statement
The income statement, also known as the profit and loss statement, summarizes a company's revenues and expenses over a specific period. It provides insights into the company's profitability and performance.
2.3. Cash Flow Statement
The cash flow statement tracks the inflow and outflow of cash within an organization. It categorizes cash flows into operating, investing, and financing activities, and helps assess the company's ability to generate cash and meet its obligations.

3. Principles of Accounting
3.1. Accrual Basis vs. Cash Basis Accounting
Accrual basis accounting recognizes revenues and expenses when they are incurred, regardless of when cash is exchanged. Cash basis accounting, on the other hand, records transactions only when cash is received or paid. Accrual basis accounting provides a more accurate representation of a company's financial performance.
3.2. Matching Principle
The matching principle requires that expenses be recognized in the same period as the revenues to which they relate. This principle ensures that a company's financial statements accurately reflect its profitability.
3.3. Revenue Recognition
Revenue recognition dictates when and how revenue should be recorded in a company's financial statements. It is crucial for determining a company's financial performance and must adhere to generally accepted accounting principles (GAAP).

4. Assets and Liabilities
4.1. Types of Assets
Assets are resources owned by a company and can be categorized into current assets (e.g., cash, inventory) and non-current assets (e.g., property, plant, and equipment). Understanding the nature and value of an organization's assets is vital for assessing its financial health.
4.2. Types of Liabilities
Liabilities represent an organization's obligations to outside parties and can include accounts payable, long-term debt, and accrued expenses. Managing and tracking liabilities is crucial for maintaining financial stability.

5. Internal Controls
5.1. Importance of Internal Controls
Internal controls are processes and procedures that a company implements to safeguard its assets, ensure accuracy in financial reporting, and comply with regulations. They help prevent fraud, errors, and mismanagement of funds.
5.2. Segregation of Duties
Segregation of duties involves dividing responsibilities among different individuals to prevent the occurrence of fraud and errors. It ensures that no single individual has control over critical financial processes.

6. Auditing
6.1. Purpose of Auditing
Auditing is the process of examining a company's financial statements and accounting records to ensure accuracy, integrity, and compliance with laws and regulations. It provides independent assurance to stakeholders regarding the company's financial performance.
6.2. Types of Audits
There are different types of audits, such as external audits conducted by independent accounting firms, internal audits performed by a company's internal audit department, and government audits carried out by regulatory agencies.

7. Taxation
7.1. Tax Planning
Tax planning involves the structuring of financial activities to minimize tax liabilities within the boundaries of the law. It requires an in-depth understanding of tax laws, regulations, and incentives.
7.2. Tax Deductions and Credits
Understanding tax deductions and credits is essential for businesses to optimize their tax positions and reduce their tax burden. Deductions lower taxable income, while credits directly reduce the amount of tax owed.

8. Financial Analysis
8.1. Ratio Analysis
Ratio analysis involves the use of financial ratios to evaluate a company's performance, liquidity, solvency, and efficiency. Common ratios include profitability ratios, liquidity ratios, and leverage ratios.
8.2. Trend Analysis
Trend analysis involves comparing financial data over different periods to identify patterns, changes, and potential areas for improvement. It helps in assessing a company's financial health and predicting future performance.

Conclusion
Accounting is a critical aspect of business that provides insights into an organization's financial performance, health, and compliance. Understanding the basics of accounting, financial statements, principles, assets and liabilities, internal controls, auditing, taxation, and financial analysis is essential for business owners, managers, and financial professionals to make informed decisions and ensure the financial success of their organizations. By consolidating and summarizing these key accounting knowledge points, individuals can gain a comprehensive understanding of the principles and practices of accounting.
Yes or No, flag the position in matrix accordingly, clearly.•After analyzing the SoD conflict from role matrix, discuss with management and make the required changes in order to resolve SoD conflicts.•In role matrix at position where SoD Conflicts cannot be resolved, design the mitigating controls.•According to findings in role matrix, generate the roles and mitigating controls within the enterprise system.•Create a document that will well-define the changes required in a simple and organized manner.•Document various roles, processes and mitigating controls for auditing and reporting.•Inform and report the changes required to management and as well as to those affected, to make sure changes are implemented in well organized and smooth manner.SoD is critical in helping managing risks. SoD issues and controls come up frequently when there are audits and reviews. SoD controls can be use as step to measure and resolve the risks associated with the different roles and access to functions. To resolve the conflicts, we can design roles as per the business needs of various function/processes being executed in an enterprise.Related ContentFollowing web sites were referenced:••/wiki•/columns••https://Note: For more info on the Access Control Risk management have a look at the link:https:///irj/sdn/go/portal/prtroot/docs/library/uuid/0043a8ab-bdae-2910-d8bc-cf4abd4d6bedDisclaimer and Liability NoticeThis document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. 
Changes made based on this information are not supported and can be overwritten during an upgrade.SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk.SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.。
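The role matrix from the "Segregation of Duties and Role Matrix" section and the conflict-analysis steps from "SoD Implementation", worked through as an added example. This code is not from the article and is not SAP GRC Access Control; the roles, users, mitigating control and transaction log lines are constructed sample data. It builds the role-by-function matrix the article describes from the four incompatible-duty pairs named above, finds which users hold a conflicting pair end to end through their role assignments, splits those findings into conflicts covered by a documented mitigating control and unresolved ones, and reviews a transaction log for the same-user create-then-modify pattern that the article offers as a log-review mitigating control.

```python
"""SoD role-matrix and conflict check (added illustration, not SAP or the article's code)."""
from collections import defaultdict

# The four incompatible-duty pairs named in the article, as function codes.
CONFLICTS = {
    frozenset({"create_vendor", "initiate_payment"}),
    frozenset({"create_invoice", "modify_invoice"}),
    frozenset({"process_inventory", "post_payment"}),
    frozenset({"receive_checks", "write_payoffs"}),
}
FUNCTIONS = sorted({f for pair in CONFLICTS for f in pair})

# Hypothetical roles (each grants a set of functions) and user assignments.
ROLES = {
    "AP_CLERK": {"create_invoice", "process_inventory"},
    "AP_SUPERVISOR": {"modify_invoice", "post_payment"},
    "VENDOR_MASTER": {"create_vendor"},
    "TREASURY": {"initiate_payment", "receive_checks"},
    "CASHIER": {"write_payoffs"},
}
USERS = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_SUPERVISOR"},
    "carol": {"VENDOR_MASTER", "TREASURY"},
    "dave": {"TREASURY"},
}

# A conflict accepted with a documented mitigating control (constructed).
MITIGATIONS = {
    ("carol", ("create_vendor", "initiate_payment")):
        "finance manager reviews the vendor master change log weekly",
}


def build_role_matrix(roles=ROLES, functions=FUNCTIONS, conflicts=CONFLICTS):
    """Role-by-function matrix as the article describes: 'X' marks a position where
    granting that function to someone who already holds the role creates a conflict."""
    return {
        (role, func): ("X" if any(frozenset({held, func}) in conflicts for held in granted) else "")
        for role, granted in roles.items()
        for func in functions
    }


def render_matrix(matrix=None, roles=ROLES, functions=FUNCTIONS):
    """Plain-text rendering of the matrix with abbreviated function headers."""
    matrix = build_role_matrix() if matrix is None else matrix
    width = max(len(r) for r in roles)
    rows = [" " * width + "  " + " ".join(f[:6].ljust(6) for f in functions)]
    for role in roles:
        rows.append(role.ljust(width) + "  " + " ".join(matrix[(role, f)].ljust(6) for f in functions))
    return "\n".join(rows)


def effective_functions(user, users=USERS, roles=ROLES):
    """Union of the functions granted by every role the user holds."""
    return set().union(*(roles[r] for r in users[user]))


def find_conflicts(users=USERS, roles=ROLES, conflicts=CONFLICTS):
    """Map each user to the sorted list of conflicting duty pairs they hold end to end."""
    findings = {}
    for user in users:
        held = effective_functions(user, users, roles)
        pairs = sorted(tuple(sorted(p)) for p in conflicts if p <= held)
        if pairs:
            findings[user] = pairs
    return findings


def classify(findings, mitigations=MITIGATIONS):
    """Split findings into (mitigated, unresolved); unresolved ones need a control or a role change."""
    mitigated, unresolved = [], []
    for user, pairs in findings.items():
        for pair in pairs:
            (mitigated if (user, pair) in mitigations else unresolved).append((user, pair))
    return sorted(mitigated), sorted(unresolved)


# Constructed transaction log used to illustrate the log-review mitigating control.
SAMPLE_LOG = """\
2007-10-15T09:12:03 user=bob action=create object=INV-1001
2007-10-15T09:40:51 user=bob action=modify object=INV-1001
2007-10-15T10:02:10 user=alice action=create object=INV-1002
2007-10-15T11:15:00 user=bob action=modify object=INV-1002
"""


def review_log(log_text):
    """Return (user, object) pairs where one user both created and modified the same object."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])  # skip the timestamp
        seen[(fields["user"], fields["object"])].add(fields["action"])
    return sorted(key for key, actions in seen.items() if {"create", "modify"} <= actions)


if __name__ == "__main__":
    print(render_matrix())
    mitigated, unresolved = classify(find_conflicts())
    print("mitigated:", mitigated)
    print("unresolved:", unresolved)
    print("same-user create+modify in log:", review_log(SAMPLE_LOG))
```

Running it flags bob (invoice create and modify, inventory processing and payment posting) as unresolved and carol (vendor creation and payment initiation) as covered by the documented control; the log review then shows the one record bob both created and modified, which is exactly what a reviewer of such a log would need to pick out. The user-level check is what the matrix is for: a conflict appears only when one person's combined roles land on an "X" position.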