Separation of duties

From Wikipedia, the free encyclopedia

Separation of duties (SoD) is the concept of having more than one person required to complete a task. It is alternatively called segregation of duties or, in the political realm, separation of powers.

Separation of duties (SoD) is one of the key concepts of internal control and is the most difficult and sometimes the most costly one to achieve. SoD in basic terms that is no single individuals should have controls over two or more phases of a transaction or operation, so that a deliberate fraud is more difficult to occur because it requires collusion of two or more individuals or parties.

Actual job titles and organizational structure may vary greatly from one organization to another, depending on the size and nature of the business. With the concept of SoD, business critical duties can be categorized into four types of functions, authorization, custody, record keeping and reconciliation. In a perfect system, no one person should handle more than one type of function.

Separation of duties in legislation systems is called separation of power. The term SoD is already well-known in financial accounting systems. Companies in all sizes understand not to combine roles such as receiving checks (payment on account) and approving write-offs, depositing cash and reconciling bank statements, approving time cards and have custody of pay checks, etc. However SoD is fairly new to the IS department, and high portion of SOX internal control issues come from IT.

In information systems, segregation of duties helps reduce the potential damage from the actions of one person. IS or end-user department should be organized in a way to achieve adequate separation of duties. According to the segregation of duties control matrix See Figure 1.1 that provided by ISACA (Information Systems Audit and Control Association), some duties should not be combine into one position. This matrix is not an industry standard, just a general guideline suggesting which positions should be separated and which require compensating controls when combined.

Depends upon companies size, functions and designations may vary. When duties can not be separated, compensating controls should be in place. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness. Actually it is not hard to determine whether control weakness exists. If a single person can carry out and conceal errors and/or irregularities in the course of performing his/her day-to-day activities, he/she has been assigned a SoD incompatible duties. Several control mechanisms that can help to enforce the segregation of duties.

1. Audit trails enable IT managers or Auditors recreate the actual transaction flow from the point of origination to its existence on an updated file. Good audit trails should be enable to provide information on who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated.

2. Reconciliation of applications, an independent verification process is ultimately the responsibility of users, which can be used to increase the level of confident that application ran successfully.

3. Exception reports are handled at supervisory level, backed up by evidence noting that exceptions are handled properly and in timely fashion. Signature of the person who prepares the report normally is required.

4. Manual or automated system or application transaction logs should be maintained, which record all processed system commands or application transactions.

5. Supervisory review should performed through observation and inquiry or remotely.

6. To compensate mistakes or intentional failures by following a prescribed procedure, independent reviews are recommended. Such reviews can help detect errors and irregularities.

References:

Segregation/separation of duties, Definition, ISACA, retrieved on 03/05/07, http://www.isaca.org/Template.cfm?Section=Glossary3&Template=/CustomSource/Glossary.cfm&char=S&TermSelected=244

Separation of duties, definition, Wilipedia.com retrieved on 03/05/2007, http://en.wikipedia.org/wiki/Separation_of_duties

Patterns of Integrity -- Separation of Duties, Nick Szabo, retrieved on 03/05/07, http://szabo.best.vwh.net/separationofduties.html

ISACA Professional Resources, ISACA, retrieved on 03/05/07, http://www.isaca.org/Content/ContentGroups/Certification3/CRM_Segregation_of_Duties.pdf

The separation of duties pattern is applied to functions the performance of which requires power that can be abused. The pattern is:

1. Start with a function that is indispensable, but potentially subject to abuse.

2. Divide the function into separate steps, each necessary for the function to work or for the power that enables that function to be abused.

3. Assign each step to a different person or organization.

Three general categories of functions must be separated:

  • authorization function
  • recording function, e.g. preparing source documents or code or performance reports
  • custody of asset whether directly or indirectly, e.g. receiving checks in mail or implementing source code or database changes.

The accounting profession has invested significantly in separation of duties because of the understood risks accumulated over hundreds of years of accounting practice.

By contrast, many corporations in the United States found that an unexpectedly high proportion of their Sarbanes-Oxley internal control issues came from IT. Separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code or data without detection. Strict control of software and data changes will require that the same person or organizations performs only one of the following roles:

  • Identification of a requirement (or change request); e.g. a business person
  • Authorization and approval; e.g. an IT governance board or manager
  • Design and development; e.g. a developer
  • Review, inspection and approval; e.g. another developer or architect.
  • Implementation in production; typically a software change or system administrator.

This is not an exhaustive presentation of the software development life cycle, but a list of critical development functions applicable to separation of duties.

To successfully implement separation of duties in information systems a number of concerns need to be addressed:

  • The process used to ensure a persons authorization rights in the system is in line with their role in the organization.
  • The authentication method used such as knowledge such as a password, possession of an object (key, token) or a biometrical characteristic.
  • Circumvention of rights in the system can occur through database administration access, user administration access, tools which provide back-door access or supplier installed user accounts (e.g. SAP*). Specific controls such as a review of an activity log may be required to address this specific concern.

Nick Szabo's essay on Separation of Duties

Auditing Information Security: segregation of duties

Segregation/separation of duties definition from ISACA

Internal Control Concepts

Datamation article dated Jan 18, 2006: Segregate Duties to Lessen Security Risks

Transparency, Partitioning, Separation, Rotation and Supervision of Responsibilities in ISM3


SAP segregation of duties matrix

Retrieved from "http://en.wikipedia.org../../../s/e/p/Separation_of_duties.html"
Advanced Search
Included Web Search Engines


Safe Search

close

Top Matching Results

Occasionally Search.com will highlight specialized results that are based on the context of your query. Examples of specialized results include specific links to news, images, or video.

Top Matching Results may highlight information from other Search.com pages, content from the CNET Network of sites, or third party content. The listings are based purely on relevance. Search.com does not receive payment for listings in this section but our partners that provide this data may get paid for listing these products.

Sponsored Links

This section contains paid listings which have been purchased by companies that want to have their sites appear for specific search terms and related content. These listings are administered, sorted and maintained by a third party and are not endorsed by Search.com.

Search Results

Search.com sends your search query to several search engines at one time and integrates the results into one list which has been sorted by relevance using Search.com's proprietary algorithm. You can customize the list of search engines included in your metasearch from the preferences.

The search engines that are used in your metasearch may allow companies to pay to have their Web sites included within the results. To view the Paid Inclusion policy for a specific search engine, please visit their Web site. Search.com does not accept payment or share revenue with any search engine partner for listings in this section.