Separation of duties
As James Madison said:
"We need to separate duties because people are not angels."
Separation of duties is the concept of requiring more than one person to complete a task.
In business, sharing a single task among more than one individual is meant to prevent fraud and error.
SOD implements an appropriate level of checks and balances upon the activities of individuals.
Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors.
This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users.
The traditional example of this principle is the requirement of two signatures on a cheque.
Business critical duties can be categorized into four types of functions:
- authorization
- custody
- record keeping
- reconciliation
In a perfect system, no one person should handle more than one type of function.
Principles
- sequential separation
- individual separation
- spatial separation
- factorial separation
Patterns
- A person with multiple functional roles has the opportunity to abuse those powers. The pattern to minimize risk is:
  - Start with a function that is indispensable, but potentially subject to abuse.
  - Divide the function into separate steps, each necessary for the function to work or for the power that enables that function to be abused.
  - Assign each step to a different person or organization.
The term SOD is already well known in financial accounting systems.
Companies of all sizes understand not to combine roles such as receiving checks and approving write-offs, depositing cash and reconciling bank statements, or approving time cards and having custody of paychecks.
- Segregation of duties helps reduce the potential damage from the actions of one person.
- Depending on a company's size, functions and designations may vary.
- Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness.
- Separation of duties is important because it ensures that more than one person is necessary to steal from a firm.
- Collusion between two or more individuals would be necessary.
Two examples of separation of duties:
- Division of duties in the handling of cash is one of the most effective ways to ensure control over this asset.
- A person other than the cashier or receivable bookkeeper is to make the bank deposit.
There are several control mechanisms that can help to enforce the segregation of duties:
- Audit trails enable IT managers or auditors to recreate the actual transaction flow from the point of origination to its existence on an updated file.
- Reconciliation of applications and an independent verification process are ultimately the responsibility of users; they can be used to increase the level of confidence that an application ran successfully.
- Exception reports are handled at supervisory level, backed up by evidence noting that exceptions are handled properly and in a timely fashion.
- Manual or automated system or application transaction logs should be maintained, which record all processed system commands or application transactions.
- Supervisory review should be performed through observation and inquiry.
- To compensate for mistakes or intentional failures in following a prescribed procedure, independent reviews are recommended. Such reviews can help detect errors and irregularities.
Application in information systems
- The accounting profession has invested significantly in separation of duties because of the understood risks accumulated over hundreds of years of accounting practice.
- By contrast, many corporations in the United States found that an unexpectedly high proportion of their Sarbanes-Oxley internal control issues came from IT.
- Separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code or data without detection.
Role-based access control is frequently used in IT systems where SoD is required. Strict control of software and data changes requires that the same person or organization performs only one of the following roles:
- Identification of a requirement (e.g. a business person)
- Authorization and approval (e.g. an IT governance board or manager)
- Design and development (e.g. a developer)
- Review, inspection and approval (e.g. another developer or architect)
- Implementation in production (e.g. a software change or system administrator)
This is the list of critical development functions to which separation of duties applies.
- To successfully implement separation of duties in information systems, a number of concerns need to be addressed:
  - The process used to ensure that a person's authorization rights in the system are in line with his role in the organization.
  - The authentication method used, such as knowledge of a password.
  - Circumvention of rights in the system can occur through database administration access or user administration access.
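The role-based change-control list above and the concern about keeping a person's rights in line with their role can both be shown in a small enforcement model. The following is an added example (not the original slides' code and not any particular product's API): a role-based access control check with two kinds of SoD constraint, a static one enforced when roles are assigned (two mutually exclusive roles can never be held by one account) and a dynamic one enforced when a step is performed (within one change request, the same person may not perform two conflicting steps even if they legitimately hold both roles). The role names, step names and conflict pairs are assumptions chosen to mirror the slide's list; the users are constructed. The check lives inside the application, so it does not address the circumvention-through-administrator-access concern, which needs controls on the administrator accounts themselves.

```python
"""Preventive separation-of-duties enforcement for a software change workflow."""
from dataclasses import dataclass, field

# Roles from the change-control list (names are assumptions).
ROLES = {"requester", "approver", "developer", "reviewer", "deployer"}

# Static SoD: pairs of roles one account may never hold at the same time.
# Assumed policy: whoever can write or approve a change must not be able to ship it.
STATIC_CONFLICTS = {
    frozenset({"developer", "deployer"}),
    frozenset({"approver", "deployer"}),
}

# Dynamic SoD: steps of the same change that must be done by different people.
# A developer may also be a reviewer in general, just not of their own change.
DYNAMIC_CONFLICTS = {
    frozenset({"request", "approve"}),
    frozenset({"develop", "review"}),
    frozenset({"approve", "deploy"}),
}

# Which role a step requires.
STEP_ROLE = {
    "request": "requester",
    "approve": "approver",
    "develop": "developer",
    "review": "reviewer",
    "deploy": "deployer",
}


class SoDViolation(Exception):
    """Raised when an assignment or action would breach a SoD constraint."""


@dataclass
class ChangeRequest:
    change_id: str
    history: list = field(default_factory=list)  # audit trail: [(step, user), ...]


class AccessControl:
    def __init__(self):
        self.assignments = {}  # user -> set of roles held

    def assign_role(self, user, role):
        """Grant a role, refusing combinations the static SoD policy forbids."""
        if role not in ROLES:
            raise ValueError(f"unknown role {role}")
        held = self.assignments.setdefault(user, set())
        for other in held:
            if frozenset({other, role}) in STATIC_CONFLICTS:
                raise SoDViolation(f"{user} holds {other}; cannot also hold {role}")
        held.add(role)

    def perform(self, user, step, change):
        """Record a workflow step, enforcing the role check and dynamic SoD."""
        role = STEP_ROLE[step]
        if role not in self.assignments.get(user, set()):
            raise PermissionError(f"{user} lacks role {role} required for {step}")
        for prev_step, prev_user in change.history:
            if prev_user == user and frozenset({prev_step, step}) in DYNAMIC_CONFLICTS:
                raise SoDViolation(
                    f"{user} already performed {prev_step} on {change.change_id}; "
                    f"cannot also {step}")
        change.history.append((step, user))
        return change


def demo():
    """Walk one constructed change through the workflow.

    Returns (audit trail, list of blocked actions) so the outcome can be checked.
    """
    ac = AccessControl()
    for user, role in [("alice", "requester"), ("bob", "approver"),
                       ("carol", "developer"), ("carol", "reviewer"),
                       ("dave", "developer"), ("dave", "reviewer"),
                       ("erin", "deployer")]:
        ac.assign_role(user, role)
    blocked = []
    try:
        ac.assign_role("carol", "deployer")  # static SoD: developer + deployer
    except SoDViolation as e:
        blocked.append(str(e))

    cr = ChangeRequest("CHG-0001")
    ac.perform("alice", "request", cr)
    ac.perform("bob", "approve", cr)
    ac.perform("dave", "develop", cr)
    try:
        ac.perform("dave", "review", cr)  # dynamic SoD: reviewing own change
    except SoDViolation as e:
        blocked.append(str(e))
    ac.perform("carol", "review", cr)  # another developer reviews it
    ac.perform("erin", "deploy", cr)
    return cr.history, blocked


if __name__ == "__main__":
    history, blocked = demo()
    print("audit trail:", history)
    print("blocked:", *blocked, sep="\n  ")
```

The static check answers the "rights in line with role" concern at assignment time; the dynamic check is what makes the review step independent, since holding the reviewer role is not enough, the reviewer must also not be the author of that particular change. The history list doubles as the transaction log the control mechanisms section asks for.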
Thank You!