Segregation of duty
A lack of segregation of duties is a significant contributing factor in almost
all occurrences of fraud and is often found to be a weakness during postanalysis of system compromises. Segregation of duties means the steps in
key processes are divided among two or more people so no one individual
can act alone to subvert a process for his or her own gain or purposes. The
segregation of duties is an area that comes under close scrutiny during
compliance reviews of employees’ work can catch improper activities, but
they’ll never be effective at preventing fraud and other malicious activities as
well-documented, implemented and enforced duty segregation for in-house
and contracted personnel. Where possible, implement assignment rotations
for personnel and ensure employees are forced to take at least one two-week
holiday a year. A mandatory vacation policy is a must as system abuse can
come to light if a cover worker notices irregularities in the vacationing
person’s work. These types of practices will assist in identifying long-standing
undesirable activities.
B. Pyhsical security
Physical security is often overlooked and its importance underestimated
in favor of more technical threats such as hacking and malware. However,
breaches of physical security can be carried out with brute force and little or
no technical knowledge on the part of an attacker. Physical security has three
important compenents which are access control, surveillance and testing.
Obstacles should be placed in the way of potential attackers and physical
sites should be hardened against accidents, attacks or enviromental disaters.
Such hardening measurers include fencing, locks, access control cards,
boemetric access control systems. Second, physical locations should be
monitored using surveillance cameras and notification systems. Third,
disaster recovery policies and procedures should be tested on a regular basis
to ensure safety and to reduce the time it takes to recover from disruptive
man-made or natural disasters.

C. Authorization and approval
An important control activity is authorization and approval. Authorization
is the delegation of authorization it may be general or specific. Giving a
department permission to expend funds from an approved budget is an
example of general authorization. Specific authorization relates to individual









documentation and is satisfied that the transaction is appropriate, accurate
and complies with applicable laws, regulations, policies and procedures.
Approvers should review supporting documentation, question unusual items,
and make sure that necessary information is present to justify the transaction
before they sign in. Signing blank forms should not be done.
D. Supervision
The auditor, in planning the audit, to take into consideration, among other
matters, his judgement about matearility levels for audit purposes. That
judgement may not be qualified.
E. Documentation
The documentation of internal control should be commensurate with the
nature, size and complexity of the entity. The ISA also suggests that the
extent of the documentation should also be appropriate to the experience
and capabilities of the audit management team, as less experienced
members of the audit team may require more detailed documentation to
assist them to obtain appropriate understanding of the entity and its control.