article

Separation of duties (SoD) is the concept of having more than one person required to complete a task. It is alternatively called segregation of duties or, in the political realm, separation of powers.

Pattern

The separation of duties pattern is applied to functions the performance of which requires power that can be abused. The pattern is:

1. Start with a function that is indispensable, but potentially subject to abuse.

2. Divide the function into separate steps, each necessary for the function to work or for the power that enables that function to be abused.

3. Assign each step to a different person or organization.

Three general categories of functions must be separated:

  • authorization function
  • recording function, e.g. preparing source documents or code or performance reports
  • custody of asset whether directly or indirectly, e.g. receiving checks in mail or implementing source code or database changes.

Application

The accounting profession has invested significantly in separation of duties because of the understood risks accumulated over hundreds of years of accounting practice. Except in the smallest of firms, the person who receives money cannot be the person who records the receipt.

By contrast, many corporations that found an unexpectedly high proportion of their Sarbanes-Oxley internal control issues came from IT. Separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code or data without detection. Strict control of software and data changes will require that the same person or organizations performs only one of the following roles:

  • Identification of a requirement (or change request); e.g. a business person
  • Authorization and approval; e.g. an IT governance board or manager
  • Design and development; e.g. a developer
  • Review, inspection and approval; e.g. another developer or architect.
  • Implementation in production; typically a software change or database administrator.

This is not an exhaustive presentation of the software development life cycle, but a list of critical development functions applicable to separation of duties.

To successfully implement separation of duties in information systems a number of concerns need to be addressed:

  • The process used to ensure a persons authorization rights in the system is in line with their role in the organization.
  • The authentication method used such as knowledge such as a password, possession of an object (key, token) or a biometrical characteristic.
  • Circumvention of rights in the system can occur through database administration access, user administration access, tools which provide back-door access or supplier installed user accounts (e.g. SAPALL). Specific controls such as a review of an activity log may be required to address this specific concern.

References

Nick Szabo's essay on Separation of Duties

Auditing Information Security: segregation of duties

Segregation/separation of duties definition from ISACA

Internal Control Concepts

Datamation article dated Jan 18, 2006: Segregate Duties to Lessen Security Risks

Human resource management

 

This article is licensed under the GNU Free Documentation License. It uses material from the "Separation of duties".

Home Pageartsbusinesscomputersgameshealthhospitalshomekids & teensnewsphysiciansrecreationreferenceregionalscienceshoppingsocietysportsworld