Separation of duties
Encyclopedia
Separation of duties is the concept of having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task shall prevent from fraud
and error
. The concept is alternatively called segregation of duties or, in the political realm
, separation of powers
. In democracies
, the separation of legislation
from administration
shall serve for unbiased government
. The concept is addressed in technical systems and in information technology
equivalently and generally addressed as redundancy
.
In essence, SoD implements an appropriate level of checks and balances upon the activities of individuals. R. A. Botha and J. H. P. Eloff in the IBM
Systems Journal describe SoD as follows.
Actual job titles and organizational structure may vary greatly from one organization to another, depending on the size and nature of the business. With the concept of SoD, business critical duties can be categorized into four types of functions: authorization, custody, record keeping, and reconciliation. In a perfect system, no one person should handle more than one type of function.
General categories of functions to be separated:
Primarily the individual separation is addressed as the only selection.
In information systems, segregation of duties helps reduce the potential damage from the actions of one person. IS or end-user department should be organized in a way to achieve adequate separation of duties. According to ISACA's Segregation of Duties Control matrix , some duties should not be combined into one position. This matrix is not an industry standard, just a general guideline suggesting which positions should be separated and which require compensating controls when combined.
Depending on a company's size, functions and designations may vary. When duties cannot be separated, compensating controls should be in place. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness. If a single person can carry out and conceal errors and/or irregularities in the course of performing their day-to-day activities, they have been assigned SoD incompatible duties. There are several control mechanisms that can help to enforce the segregation of duties:
By contrast, many corporations in the United States
found that an unexpectedly high proportion of their Sarbanes-Oxley internal control issues came from IT. Separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code or data without detection. Role based access control is frequently used in IT systems where SoD is required. Strict control of software and data changes will require that the same person or organizations performs only one of the following roles:
This is not an exhaustive presentation of the software development life cycle, but a list of critical development functions applicable to separation of duties.
To successfully implement separation of duties in information systems a number of concerns need to be addressed:
Fraud
In criminal law, a fraud is an intentional deception made for personal gain or to damage another individual; the related adjective is fraudulent. The specific legal definition varies by legal jurisdiction. Fraud is a crime, and also a civil law violation...
and error
Error
The word error entails different meanings and usages relative to how it is conceptually applied. The concrete meaning of the Latin word "error" is "wandering" or "straying". Unlike an illusion, an error or a mistake can sometimes be dispelled through knowledge...
. The concept is alternatively called segregation of duties or, in the political realm
Politics
Politics is a process by which groups of people make collective decisions. The term is generally applied to the art or science of running governmental or state affairs, including behavior within civil governments, but also applies to institutions, fields, and special interest groups such as the...
, separation of powers
Separation of powers
The separation of powers, often imprecisely used interchangeably with the trias politica principle, is a model for the governance of a state. The model was first developed in ancient Greece and came into widespread use by the Roman Republic as part of the unmodified Constitution of the Roman Republic...
. In democracies
Democracy
Democracy is generally defined as a form of government in which all adult citizens have an equal say in the decisions that affect their lives. Ideally, this includes equal participation in the proposal, development and passage of legislation into law...
, the separation of legislation
Legislation
Legislation is law which has been promulgated by a legislature or other governing body, or the process of making it...
from administration
Administration
The administration of a business consists of the performance or management of business operations and thus the making or implementing of a major decision...
shall serve for unbiased government
Government
Government refers to the legislators, administrators, and arbitrators in the administrative bureaucracy who control a state at a given time, and to the system of government by which they are organized...
. The concept is addressed in technical systems and in information technology
Information technology
Information technology is the acquisition, processing, storage and dissemination of vocal, pictorial, textual and numerical information by a microelectronics-based combination of computing and telecommunications...
equivalently and generally addressed as redundancy
Redundancy
Redundancy may refer to:* Redundancy * Redundancy * Redundancy * Redundancy * Redundancy * Data redundancy* Gene redundancy* Logic redundancy...
.
General description
Separation of duties is a key concept of internal controls. Increased protection from fraud and errors must be balanced with the increased cost/effort required.In essence, SoD implements an appropriate level of checks and balances upon the activities of individuals. R. A. Botha and J. H. P. Eloff in the IBM
IBM
International Business Machines Corporation or IBM is an American multinational technology and consulting corporation headquartered in Armonk, New York, United States. IBM manufactures and sells computer hardware and software, and it offers infrastructure, hosting and consulting services in areas...
Systems Journal describe SoD as follows.
Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. This principle is demonstrated in the traditional example of separation of duty found in the requirement of two signatures on a cheque.
Actual job titles and organizational structure may vary greatly from one organization to another, depending on the size and nature of the business. With the concept of SoD, business critical duties can be categorized into four types of functions: authorization, custody, record keeping, and reconciliation. In a perfect system, no one person should handle more than one type of function.
Principles
Principally several approaches are optionally viable as partially or entirely different paradigms:- sequential separation (two signatures principle)
- individual separation (four eyes principle)
- spatial separation (separate action in separate locations)
- factorial separation (several factors contribute to completion)
Auxiliary Patterns
A person with multiple functional roles has the opportunity to abuse those powers. The pattern to minimize risk is:- Start with a function that is indispensable, but potentially subject to abuse.
- Divide the function into separate steps, each necessary for the function to work or for the power that enables that function to be abused.
- Assign each step to a different person or organization.
General categories of functions to be separated:
- authorization function
- recording function, e.g. preparing source documents or code or performance reports
- custody of asset whether directly or indirectly, e.g. receiving checks in mail or implementing source code or database changes.
- reconciliation or audit
Primarily the individual separation is addressed as the only selection.
Application in general business and in accounting
The term SoD is already well known in financial accounting systems. Companies in all sizes understand not to combine roles such as receiving checks (payment on account) and approving write-offs, depositing cash and reconciling bank statements, approving time cards and have custody of pay checks, etc. SoD is fairly new to the IS department, and a high portion of SOX internal control issues come from IT.In information systems, segregation of duties helps reduce the potential damage from the actions of one person. IS or end-user department should be organized in a way to achieve adequate separation of duties. According to ISACA's Segregation of Duties Control matrix , some duties should not be combined into one position. This matrix is not an industry standard, just a general guideline suggesting which positions should be separated and which require compensating controls when combined.
Depending on a company's size, functions and designations may vary. When duties cannot be separated, compensating controls should be in place. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness. If a single person can carry out and conceal errors and/or irregularities in the course of performing their day-to-day activities, they have been assigned SoD incompatible duties. There are several control mechanisms that can help to enforce the segregation of duties:
- Audit trails enable IT managers or Auditors to recreate the actual transaction flow from the point of origination to its existence on an updated file. Good audit trails should be enabled to provide information on who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated.
- Reconciliation of applications and an independent verification process is ultimately the responsibility of users, which can be used to increase the level of confidence that an application ran successfully.
- Exception reports are handled at supervisory level, backed up by evidence noting that exceptions are handled properly and in timely fashion. A signature of the person who prepares the report is normally required.
- Manual or automated system or application transaction logs should be maintained, which record all processed system commands or application transactions.
- Supervisory review should be performed through observation and inquiry.
- To compensate mistakes or intentional failures by following a prescribed procedure, independent reviews are recommended. Such reviews can help detect errors and irregularities.
Application in information systems
The accounting profession has invested significantly in separation of duties because of the understood risks accumulated over hundreds of years of accounting practice.By contrast, many corporations in the United States
United States
The United States of America is a federal constitutional republic comprising fifty states and a federal district...
found that an unexpectedly high proportion of their Sarbanes-Oxley internal control issues came from IT. Separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code or data without detection. Role based access control is frequently used in IT systems where SoD is required. Strict control of software and data changes will require that the same person or organizations performs only one of the following roles:
- Identification of a requirement (or change request); e.g. a business person
- Authorization and approval; e.g. an IT governance board or manager
- Design and development; e.g. a developer
- Review, inspection and approvalSoftware inspectionInspection in software engineering, refers to peer review of any work product by trained individuals who look for defects using a well defined process...
; e.g. another developer or architect. - Implementation in production; typically a software change or system administratorSystem administratorA system administrator, IT systems administrator, systems administrator, or sysadmin is a person employed to maintain and operate a computer system and/or network...
.
This is not an exhaustive presentation of the software development life cycle, but a list of critical development functions applicable to separation of duties.
To successfully implement separation of duties in information systems a number of concerns need to be addressed:
- The process used to ensure a person's authorization rights in the system is in line with his role in the organization.
- The authenticationAuthenticationAuthentication is the act of confirming the truth of an attribute of a datum or entity...
method used such as knowledge of a password, possession of an object (key, token) or a biometrical characteristic. - Circumvention of rights in the system can occur through database administration access, user administration access, tools which provide back-door access or supplier installed user accounts. Specific controls such as a review of an activity log may be required to address this specific concern.
General references
- Segregation/separation of duties, Definition, ISACA, retrieved on 03/05/07, http://www.isaca.org/Template.cfm?Section=Glossary3&Template=/CustomSource/Glossary.cfm&char=S&TermSelected=244
- Patterns of Integrity -- Separation of Duties, Nick Szabo, retrieved on 03/05/07, http://szabo.best.vwh.net/separationofduties.html