Separation of duties

From Wikipedia, the free encyclopedia

Separation of duties (SoD) is the concept of having more than one person required to complete a task. It is alternatively called segregation of duties or, in the political realm, separation of powers.

Pattern

The separation of duties pattern is applied to functions the performance of which requires power that can be abused. The pattern is:

1. Start with a function that is indispensable, but potentially subject to abuse.

2. Divide the function into separate steps, each of which is necessary either for the function to work or for the power that enables the function to be abused.

3. Assign each step to a different person or organization.

Three general categories of functions must be separated:

  • authorization function
  • recording function, e.g. preparing source documents or code or performance reports
  • custody of assets, whether direct or indirect, e.g. receiving checks in the mail or implementing source code or database changes.

Application

The accounting profession has invested significantly in separation of duties because of the understood risks accumulated over hundreds of years of accounting practice.

By contrast, many corporations have found that an unexpectedly high proportion of their Sarbanes-Oxley internal control issues came from IT. Separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code or data without detection. Strict control of software and data changes requires that any one person or organization performs only one of the following roles:

  • Identification of a requirement (or change request); e.g. a business person
  • Authorization and approval; e.g. an IT governance board or manager
  • Design and development; e.g. a developer
  • Review, inspection and approval; e.g. another developer or architect
  • Implementation in production; typically a software change or database administrator

This is not an exhaustive presentation of the software development life cycle, but a list of critical development functions applicable to separation of duties.

To successfully implement separation of duties in information systems a number of concerns need to be addressed:

  • The process used to ensure that a person's authorization rights in the system are in line with their role in the organization.
  • The authentication method used, such as knowledge of a secret (a password), possession of an object (key, token) or a biometric characteristic.
  • Circumvention of rights in the system can occur through database administration access, user administration access, tools which provide back-door access or supplier-installed user accounts (e.g. SAPALL). Specific controls, such as a review of an activity log, may be required to address this concern.
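The following is an added example, not part of the Wikipedia article, showing how the five change-control roles listed above and the activity-log review just mentioned can be checked together in code. It parses a constructed activity log (the log format, the user names, the change ids and the list of privileged accounts are all assumptions made for this example), then reports any change on which one identity held more than one role, any change that reached production with a step unrecorded, and any change acted on by a shared administrator or supplier account that sits outside the role model.

```python
import re
from collections import defaultdict

# The five change-control roles listed above, in the order a change normally
# flows. Separation of duties requires each to be held by a distinct identity.
ROLES = ("request", "approve", "develop", "review", "deploy")

# Assumed for this example: accounts that bypass the role model (a shared
# admin account, a supplier-installed service account). Any activity by them
# on a change is worth a reviewer's attention.
PRIVILEGED_ACCOUNTS = {"sys_admin", "vendor_svc"}

# Constructed sample log; the key=value format is an assumption, not a real tool's output.
SAMPLE_LOG = """\
2024-03-01T09:30Z user=erin action=request change=CHG-100
2024-03-01T10:02Z user=alice action=develop change=CHG-100
2024-03-01T11:15Z user=bob action=review change=CHG-100
2024-03-01T12:00Z user=carol action=approve change=CHG-100
2024-03-01T13:30Z user=dave action=deploy change=CHG-100
2024-03-02T09:00Z user=alice action=develop change=CHG-101
2024-03-02T09:05Z user=alice action=deploy change=CHG-101
2024-03-03T16:40Z user=vendor_svc action=deploy change=CHG-102
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) change=(?P<change>\S+)$"
)


def parse_activity_log(text):
    """Map each change id to {role: set(identities)} from the log lines."""
    changes = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m or m["action"] not in ROLES:
            continue  # not one of the controlled steps; ignore
        changes[m["change"]][m["action"]].add(m["user"])
    return changes


def sod_violations(actors):
    """Identities holding more than one role on a single change -> sorted role list."""
    roles_by_identity = defaultdict(set)
    for role, identities in actors.items():
        for who in identities:
            roles_by_identity[who].add(role)
    return {who: sorted(r) for who, r in roles_by_identity.items() if len(r) > 1}


def missing_roles(actors):
    """Roles with no recorded actor, i.e. steps that were skipped or unlogged."""
    return [r for r in ROLES if not actors.get(r)]


def review_activity_log(text, privileged=PRIVILEGED_ACCOUNTS):
    """Return {change_id: [finding, ...]} for every change that fails a check."""
    findings = {}
    for change_id, actors in parse_activity_log(text).items():
        notes = []
        for who, roles in sod_violations(actors).items():
            notes.append(f"{who} held multiple roles: {', '.join(roles)}")
        skipped = missing_roles(actors)
        if skipped:
            notes.append("no record for roles: " + ", ".join(skipped))
        used = {who for ids in actors.values() for who in ids} & privileged
        for who in sorted(used):
            notes.append(f"privileged account {who} acted on the change")
        if notes:
            findings[change_id] = notes
    return findings


if __name__ == "__main__":
    for change_id, notes in review_activity_log(SAMPLE_LOG).items():
        print(change_id)
        for note in notes:
            print("  -", note)
```

Run on the sample log, CHG-100 passes every check, CHG-101 is flagged because alice both developed and deployed it and no request, approval or review was recorded, and CHG-102 is flagged because a supplier account deployed it with no other step on record. The checks only cover what the log captures, which is the point of the third concern above: an account with database or user-administration access can act outside the logged workflow, so the review of privileged-account activity has to be a separate control, not a by-product of the role model.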
