One of our most efficient controls over insiders is to involve multiple parties in sensitive duties. We assign roles and duties in such a way that:
- individuals, simply by doing their jobs, act as a control upon others
- the probability that errors will be detected and corrected increases
- temptation, and the ability to commit fraud, are limited
- cooperation would be required both to convert an asset and to conceal that conversion
- transparency and accountability improve
We separate the Information Technology function and application development from their managers and users.
Within Information Technology we may separate:
- Data Entry
- System Architecture
- System Programming
- Application Design
- Application Coding
- Program Testing
The little monks, specifically Luca Pacioli and his colleagues, who documented the idea of double-entry bookkeeping in the late 15th century, suggested certain minimum rules that we still use today as tests.
They suggested that the individual who creates and authorizes an account should be separate from the one who processes transactions within the account. For example, the person who assigns the account number for a new customer or vendor, and enters the descriptive information such as name, address, DUNS number and credit information, should be separate from the person who processes debits and credits. Normally, managers or officers authorize new accounts, while clerks, cashiers, or tellers process orders, payments, deposits and withdrawals.
Applying these tests to program development suggests that the following can be usefully separated:
- authorizing, naming, and specifying a program
- coding
- maintenance
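The account test above (authorizer separate from transaction processor) and the program-development test (specifier, coder and maintainer separated) can both be checked mechanically against an audit trail. The following is an added example, not part of the original text; the event format, user names, object identifiers and the conflict pairs are constructed assumptions for illustration.

```python
"""Separation-of-duties check over an audit trail (added example).

Each event is (actor, action, object_id). A violation is one actor having
performed two conflicting duties on the same account or program.
"""
from collections import defaultdict

# Duty pairs that must not be performed by the same individual on the same
# object. Assumed names, following the tests described in the text.
CONFLICTS = {
    ("authorize_account", "post_transaction"),   # Pacioli's account test
    ("specify_program", "code_program"),         # program-development tests
    ("specify_program", "maintain_program"),
    ("code_program", "maintain_program"),
}

# Constructed sample audit trail (not real data).
SAMPLE_EVENTS = [
    ("mgr_alice", "authorize_account", "VEND-1001"),
    ("clerk_bob", "post_transaction", "VEND-1001"),  # different people: fine
    ("mgr_alice", "authorize_account", "VEND-1002"),
    ("mgr_alice", "post_transaction", "VEND-1002"),  # same person: violation
    ("arch_carol", "specify_program", "PAYROLL-RUN"),
    ("dev_dan", "code_program", "PAYROLL-RUN"),
    ("dev_dan", "maintain_program", "PAYROLL-RUN"),  # coder also maintains
]


def find_violations(events):
    """Return a list of (object_id, actor, duty_a, duty_b) for every actor
    who performed both duties of a conflicting pair on the same object."""
    # object_id -> actor -> set of actions that actor performed on it
    seen = defaultdict(lambda: defaultdict(set))
    for actor, action, obj in events:
        seen[obj][actor].add(action)

    violations = []
    for obj, actors in seen.items():
        for actor, actions in actors.items():
            for duty_a, duty_b in sorted(CONFLICTS):
                if duty_a in actions and duty_b in actions:
                    violations.append((obj, actor, duty_a, duty_b))
    return violations


if __name__ == "__main__":
    for obj, actor, a, b in find_violations(SAMPLE_EVENTS):
        print(f"SoD violation on {obj}: {actor} performed both {a} and {b}")
```

The check is per object: the same person may legitimately authorize one account and post transactions on a different one, which is why the events are grouped by object before the conflict pairs are tested.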