Separation of duties


Separation of duties

Separation of duties (SoD) is the concept of having more than one person required to complete a task. It is alternatively called segregation of duties or, in the political realm, separation of powers.

General description

Separation of duties is one of the key concepts of internal control and is the most difficult and sometimes the most costly one to achieve. In essence, SoD implements an appropriate level of checks and balances upon the activities of individuals. R. A. Botha and J. H. P. Eloff of IBM describe SoD as follows.

Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. This principle is demonstrated in the traditional example of separation of duty found in the requirement of two signatures on a check. [R. A. Botha and J. H. P. Eloff, [http://www.research.ibm.com/journal/sj/403/botha.html Separation of Duties for Access Control Enforcement in Workflow Environments] ]

Actual job titles and organizational structure may vary greatly from one organization to another, depending on the size and nature of the business. With the concept of SoD, business critical duties can be categorized into four types of functions: authorization, custody, record keeping, and reconciliation. In a perfect system, no one person should handle more than one type of function.

The term SoD is already well-known in financial accounting systems. Companies in all sizes understand not to combine roles such as receiving checks (payment on account) and approving write-offs, depositing cash and reconciling bank statements, approving time cards and have custody of pay checks, etc. SoD is fairly new to the IS department, and a high portion of SOX internal control issues come from IT.Fact|date=August 2007

In information systems, segregation of duties helps reduce the potential damage from the actions of one person. IS or end-user department should be organized in a way to achieve adequate separation of duties. According to ISACA's Segregation of Duties Control matrix [ [http://www.isaca.org/AMTemplate.cfm?Section=CISA1&Template=/ContentManagement/ContentDisplay.cfm&ContentID=40835 ISACA's Segregation of Duties Control matrix] ] , some duties should not be combined into one position. This matrix is not an industry standard, just a general guideline suggesting which positions should be separated and which require compensating controls when combined.

Depending on a company's size, functions and designations may vary. When duties can not be separated, compensating controls should be in place. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness. If a single person can carry out and conceal errors and/or irregularities in the course of performing their day-to-day activities, they have been assigned SoD incompatible duties. There are several control mechanisms that can help to enforce the segregation of duties:

# Audit trails enable IT managers or Auditors to recreate the actual transaction flow from the point of origination to its existence on an updated file. Good audit trails should be enabled to provide information on who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated.
#Reconciliation of applications and an independent verification process is ultimately the responsibility of users, which can be used to increase the level of confidence that an application ran successfully.
#Exception reports are handled at supervisory level, backed up by evidence noting that exceptions are handled properly and in timely fashion. A signature of the person who prepares the report is normally required.
#Manual or automated system or application transaction logs should be maintained, which record all processed system commands or application transactions.
#Supervisory review should be performed through observation and inquiry.
#To compensate mistakes or intentional failures by following a prescribed procedure, independent reviews are recommended. Such reviews can help detect errors and irregularities.

Pattern

The separation of duties pattern is applied to functions the performance of which requires power that can be abused. The pattern is:
#Start with a function that is indispensable, but potentially subject to abuse.
#Divide the function into separate steps, each necessary for the function to work or for the power that enables that function to be abused.
#Assign each step to a different person or organization.

Three general categories of functions must be separated:
* authorization function
* recording function, e.g. preparing source documents or code or performance reports
* custody of asset whether directly or indirectly, e.g. receiving checks in mail or implementing source code or database changes.

Application

The accounting profession has invested significantly in separation of duties because of the understood risks accumulated over hundreds of years of accounting practice.

By contrast, many corporations in the United States found that an unexpectedly high proportion of their Sarbanes-Oxley internal control issues came from IT. Separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code or data without detection. Strict control of software and data changes will require that the same person or organizations performs only one of the following roles:
* Identification of a requirement (or change request); e.g. a business person
* Authorization and approval; e.g. an IT governance board or manager
* Design and development; e.g. a developer
* Review, inspection and approval; e.g. another developer or architect.
* Implementation in production; typically a software change or system administrator.

This is not an exhaustive presentation of the software development life cycle, but a list of critical development functions applicable to separation of duties.

To successfully implement separation of duties in information systems a number of concerns need to be addressed:

* The process used to ensure a persons authorization rights in the system is in line with their role in the organization.
* The authentication method used such as knowledge of a password, possession of an object (key, token) or a biometrical characteristic.
* Circumvention of rights in the system can occur through database administration access, user administration access, tools which provide back-door access or supplier installed user accounts. Specific controls such as a review of an activity log may be required to address this specific concern.

References

General references

* Segregation/separation of duties, Definition, ISACA, retrieved on 03/05/07, http://www.isaca.org/Template.cfm?Section=Glossary3&Template=/CustomSource/Glossary.cfm&char=S&TermSelected=244
* Patterns of Integrity -- Separation of Duties, Nick Szabo, retrieved on 03/05/07, http://szabo.best.vwh.net/separationofduties.html

External links

* [http://szabo.best.vwh.net/separationofduties.html Nick Szabo's essay on Separation of Duties]
* [http://www.isaca.org/Template.cfm?Section=Glossary3&Template=/CustomSource/Glossary.cfm&char=S&TermSelected=244 Segregation/separation of duties definition from ISACA]
* [http://www.isaca.org/AMTemplate.cfm?Section=CISA1&Template=/ContentManagement/ContentDisplay.cfm&ContentID=40835 Segregation of Duties Within IS (ISACA CISA Review Manual 2008)]
* [http://accounting.rutgers.edu/raw/aies/www.bus.orst.edu/faculty/brownc/lectures/controls/control1.htm Internal Control Concepts]
* [http://itmanagement.earthweb.com/columns/article.php/3578216 Datamation article dated Jan 18, 2006: Segregate Duties to Lessen Security Risks]
* [http://www.ism3.com Transparency, Partitioning, Separation, Rotation and Supervision of Responsibilities in ISM3]


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Separation of powers — Balance of powers redirects here. For other uses, see Balance of power. The separation of powers, often imprecisely used interchangeably with the trias politica principle,[1] is a model for the governance of a state. The model was first developed …   Wikipedia

  • Separation of church and state in the United States — The phrase separation of church and state (sometimes wall of separation between church and state ), attributed to Thomas Jefferson and others, and since quoted by the Supreme Court of the United States, expresses an understanding of the intent… …   Wikipedia

  • Separation of powers under the United States Constitution — This article refers to the separation of powers specifically in the United States. For the article on the theory of separation of powers, see: Separation of Powers Separation of powers is a political doctrine under which the executive,… …   Wikipedia

  • separation — /sep euh ray sheuhn/, n. 1. an act or instance of separating or the state of being separated. 2. a place, line, or point of parting. 3. a gap, hole, rent, or the like. 4. something that separates or divides. 5. Law. a. cessation of conjugal… …   Universalium

  • Fundamental Rights, Directive Principles and Fundamental Duties of India — The Fundamental Rights, Directive Principles of State Policy and Fundamental Duties are sections of the Constitution of India that prescribe the fundamental obligations of the Statefn|° to its citizens and the duties of the citizens to the State …   Wikipedia

  • segregation of duties — The separation of individual employees’ duties and responsibilities to enhance an organization’s *internal controls. A fundamental aspect of segregation of duties is the notion that persons having the custody of control of assets should not also… …   Auditor's dictionary

  • Information security — Components: or qualities, i.e., Confidentiality, Integrity and Availability (CIA). Information Systems are decomposed in three main portions, hardware, software and communications with the purpose to identify and apply information security… …   Wikipedia

  • Mainframe audit — A mainframe audit is a comprehensive inspection of computer processes , security , and procedures ,with recommendations for improvement. Contents 1 Definition of mainframe 2 Considerations 2.1 The Operating System …   Wikipedia

  • Database security — concerns the use of a broad range of information security controls to protect databases (potentially including the data, the database applications or stored functions, the database systems, the database servers and the associated network links)… …   Wikipedia

  • Comparison of relational database management systems — Programming language comparisons General comparison Basic syntax Basic instructions Arrays Associative arrays String operations …   Wikipedia