Understanding Personnel Roles and Responsibilities

Individuals can hold any number of roles or responsibilities within an organization. The responsibilities each employee has and to whom he or she reports should be noted. An auditor's first option for determining this information should be an organizational chart. After obtaining and reviewing the organizational chart, the auditor should spend some time reviewing each employee's area to see how the job description matches actual activities. The areas to focus attention on include these:

  • Help desk
  • End-user support manager
  • Quality assurance manager
  • Data manager
  • Rank and file employees
  • Systems-development manager
  • Software-development manager

Employee Roles and Duties

Most organizations have clearly defined controls that specify what each job role is responsible for. An auditor should be concerned with these common roles within the IS structure:

  • Librarian—Responsible for all types of media, including tapes, cartridges, CDs, DVDs, and so on. Librarians must track, store, and recall media as needed. They also must document when the data was stored and retrieved, and who accessed it. If data moves off-site, librarians track when it was sent and when it arrived. They may also be asked to assist in an audit to verify what type of media is still being held at a vendor's site.
  • Data-entry employee—Although most data-entry activities are now outsourced, in the not-too-distant past, these activities were performed in-house at an information processing facility (IPF). During this time, a full-time data-entry person was assigned the task of entering all data. Bar codes, scanning, and web entry forms have also reduced the demand for these services. If this role is still used, key verification is one of the primary means of control.
  • Systems administrator—This employee is responsible for the operation and maintenance of the LAN and associated components such as mid-range or mainframe systems. Although small organizations might have only one systems administrator, larger organizations have many.
  • Quality-assurance employee—Employees in the quality-assurance function fill one of two roles: quality assurance or quality control. Quality-assurance employees make sure programs and documentation adhere to standards; quality-control employees perform tests at various stages of product development to make sure the products are free of defects.
  • Database administrator—This employee is responsible for the organization's data and maintains the data structure. The database administrator has control over all the data; therefore, detective controls and supervision of duties must be observed closely. This is usually a role filled by a senior information systems employee because these employees have control over the physical data definition, implementing data definition controls and defining and initiating backup and recovery.
  • Systems analyst—These employees are involved in the system development lifecycle (SDLC) process. They are responsible for determining the needs of users and developing requirements and specifications for the design of needed software programs.
  • Network administrator—These employees are responsible for maintenance and configuration of network equipment, such as routers, switches, firewalls, wireless access points, and so on.
  • Security architect—These employees examine the security infrastructure of the organization's network.

Segregation of Duties

Job titles can be confusing because different organizations sometimes use different titles for various positions. It helps when the title matches the actual job duties the employee performs. Some roles and functions are just not compatible. For an auditor, concern over such incompatibility centers on the risks these roles represent when combined. Segregation of duties usually falls into four areas of control:

  • Authorization—Verifying cash, approving purchases, and approving changes
  • Custody—Accessing cash, merchandise, or inventories
  • Record keeping—Preparing receipts, maintaining records, and posting payments
  • Reconciliation—Comparing dollar amounts, counts, reports, and payroll summaries

Table 2.6 lists some of the duties that should not be combined because they can result in a control weakness.

Table 2.6. Separation of Duties

First Job Role            Combined (Yes/No)   Second Job Role
Systems analyst           No                  Security administrator
Application programmer    Yes                 Systems analyst
Help desk                 No                  Network administrator
Data entry                Yes                 Quality assurance
Computer operator         No                  Systems programmer
Database administrator    Yes                 Systems analyst
System administrator      No                  Database administrator
Security administrator    No                  Application programmer
Systems programmer        No                  Security administrator
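As an added example (not from the book), the following Python encodes the role pairs marked "No" in Table 2.6 and checks a set of user-to-role assignments, such as one exported for an access review, for combinations that must be separated or covered by a compensating control. The user names, role assignments, and the exact role spellings are constructed; an organization would map its own titles onto these before running the check.

```python
# Added example, not from the book: segregation-of-duties check driven by Table 2.6.
from itertools import combinations

# Role pairs that Table 2.6 marks "No" (must not be held by the same person).
INCOMPATIBLE = {
    frozenset({"systems analyst", "security administrator"}),
    frozenset({"help desk", "network administrator"}),
    frozenset({"computer operator", "systems programmer"}),
    frozenset({"system administrator", "database administrator"}),
    frozenset({"security administrator", "application programmer"}),
    frozenset({"systems programmer", "security administrator"}),
}


def normalize(role):
    """Lower-case and collapse whitespace so title variants compare equal."""
    return " ".join(role.lower().split())


def sod_violations(assignments):
    """Return {user: [(role_a, role_b), ...]} for each user holding an incompatible pair.

    assignments maps a user id to an iterable of role titles. Pairs that Table 2.6
    marks "Yes" (for example systems analyst with application programmer) are not
    reported.
    """
    violations = {}
    for user, roles in assignments.items():
        held = sorted({normalize(r) for r in roles})
        bad = [pair for pair in combinations(held, 2) if frozenset(pair) in INCOMPATIBLE]
        if bad:
            violations[user] = bad
    return violations


# Constructed sample access-review data (hypothetical users and assignments).
SAMPLE_ASSIGNMENTS = {
    "alice": ["Systems analyst", "Application programmer"],        # allowed per Table 2.6
    "bob": ["Help desk", "Network Administrator"],                # one violation
    "carol": ["Database administrator", "System administrator"],  # one violation
    "dave": ["Security administrator", "Systems programmer", "Application programmer"],  # two
}

if __name__ == "__main__":
    for user, pairs in sod_violations(SAMPLE_ASSIGNMENTS).items():
        for a, b in pairs:
            print(f"{user}: '{a}' combined with '{b}' requires separation or a compensating control")
```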

Compensating Controls

Because of the problems that can occur when certain tasks are combined, separation of duties is required to provide accountability and control. When it cannot be used, compensating controls should be considered. In small organizations, it is usually very difficult to adequately separate job tasks. In these instances, one or more of the following compensating controls should be considered:

  • Job rotation—The concept is to not have one person in one position for too long a period of time. This prevents a single employee from having too much control.
  • Audit trail—Although audit trails are a popular item after a security breach, they should be examined more frequently. Audit trails enable an auditor to determine what actions specific individuals performed; they provide accountability.
  • Reconciliation—This is a specific type of audit in which records are compared to make sure they balance. Although reconciliations are primarily used in financial audits, they are also useful for computer batch processing and other areas in which totals should be compared.
  • Exception report—This type of report notes errors or exceptions. Exception reports should be made available to managers and supervisors so that they can track errors and other problems.
  • Transaction log—This type of report tracks transactions and the time of occurrence. Managers should use transaction reports to track specific activities.
  • Supervisor review—Supervisor reviews can be performed through observation or inquiry, or remotely using software tools and applications.