Roles and Responsibilities of IS Functions (Including Segregation of Duties)


The combination of a defined organization structure, policies and procedures, and clearly defined job functions ensures that the IT organization can meet the continuing needs of the organization. The IT department continually faces challenges in the form of competing priorities, shifts in business priorities, and operational firefighting. The fast pace of business demands that the IT function be flexible and prepared for changes, as well as stay focused on the long- and short-term goals of the organization. If the IT function is unable to control change introduced into the environment by internal or external factors, IT staff will find themselves disregarding internal controls and will lead themselves and the organization into chaos.

The IT organization has to perform two high-level functions:

  • Support the ongoing operational structure through sound methodologies. This includes support of the network devices, applications, data, and system users. Policies and procedures (controls) must be followed to reduce overall business and security risk to the organization. Confidentiality, availability, and integrity of systems, applications, and data must be ensured.

  • Support the development and implementation of new technologies, applications, data, and procedures into the organization. A proven methodology must be provided that aligns IT with the business strategy while mitigating risk in the organization. The introduction of new systems, applications, and data must not put the organization or existing systems at risk.

In most cases, clearly defined procedures and controls ensure that the IT organization can continue its operational mission while introducing new technology. The security function, quality assurance, and the IS auditor assist IT leadership in maintaining and improving these controls.

Senior IT leadership is responsible for ensuring that the IT functions provide value to the organization. One of the top priorities is to ensure that the IT strategy aligns with the organization's strategy; if this strategy is not aligned, IT will move from a position of value within the organization to a cost center with little or no value.

Most IT structures are defined along specific functions such as system development, computer security, computer operations, and user support. During the definition of the structure, management must keep in mind the segregation of incompatible duties. There are four areas of segregation:

  • Authorization

    • Verifying cash collections and daily balancing reports

    • Approving purchase requisitions or purchase orders

    • Approving time sheets, payroll certifications, leave requests, and cumulative leave records

    • Approving change orders, computer system design, or programming changes

  • Custody

    • Access to any funds through the collection of funds or processing of payments

    • Access to safes, lock boxes, file cabinets, or other places where money, checks, or other assets are stored

    • Custodian of a petty cash or change fund

    • Receipt of any goods or services

    • Maintenance of inventories

    • Handling or distribution of paychecks and advances, limited purchase checks, or other checks

  • Record keeping

    • Preparing cash receipt backups or billings, purchase requisitions, payroll certifications, and leave records

    • Entering charges or posting payments to an accounts-receivable system

    • Maintaining inventory records

  • Reconciliation

    • Comparing billing documents to billing summaries

    • Comparing funds collected to accounts-receivable postings

    • Comparing collections to deposits

    • Performing surprise counts of funds

    • Comparing payroll certifications to payroll summaries



Source: CISA Exam Cram 2, ISBN B001EEFNHG, 2005, 146 pages.
