Separation of duties (SoD) is the concept of requiring more than one person to complete a task. In business, dividing a single task among more than one individual is intended to prevent fraud and error, because no one person can both commit and conceal it. The concept is alternatively called segregation of duties or, in the political realm, separation of powers. In democracies, the separation of legislation from administration is meant to ensure unbiased government. The same concept is applied in technical systems and in information technology, where it is sometimes treated as a form of redundancy.
Separation of duties is a key concept of internal controls. Increased protection from fraud and errors must be balanced with the increased cost/effort required.
In essence, SoD implements an appropriate level of checks and balances upon the activities of individuals. R. A. Botha and J. H. P. Eloff in the IBM Systems Journal describe SoD as follows.
Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. This principle is demonstrated in the traditional example of separation of duty found in the requirement of two signatures on a cheque.[1]
Actual job titles and organizational structure may vary greatly from one organization to another, depending on the size and nature of the business. Under SoD, business-critical duties can be categorized into four types of functions: authorization, custody, record keeping, and reconciliation. In a perfect system, no one person should handle more than one type of function.
Several approaches are viable, as partly or entirely different paradigms:
A person with multiple functional roles has the opportunity to abuse those powers. The pattern for minimizing this risk is:
General categories of functions to be separated:
Of these, separation between individuals is the form primarily addressed here.
The term SoD is already well known in financial accounting systems. Companies of all sizes understand not to combine roles such as receiving checks (payment on account) and approving write-offs, depositing cash and reconciling bank statements, or approving time cards and having custody of pay checks. SoD is fairly new to the IS department, and a high proportion of SOX internal control issues come from IT.[2]
In information systems, segregation of duties helps reduce the potential damage from the actions of one person. The IS or end-user department should be organized in a way that achieves adequate separation of duties. According to ISACA's Segregation of Duties Control matrix [3], some duties should not be combined into one position. This matrix is not an industry standard, just a general guideline suggesting which positions should be separated and which require compensating controls when combined.
Depending on a company's size, functions and designations may vary. When duties cannot be separated, compensating controls should be in place. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness. If a single person can carry out and conceal errors and/or irregularities in the course of performing their day-to-day activities, they have been assigned SoD-incompatible duties. There are several control mechanisms that can help to enforce the segregation of duties:
The accounting profession has invested significantly in separation of duties because of the understood risks accumulated over hundreds of years of accounting practice.
By contrast, many corporations in the United States found that an unexpectedly high proportion of their Sarbanes–Oxley internal control issues came from IT. Separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code or data without detection. Role-based access control is frequently used in IT systems where SoD is required. Strict control of software and data changes will require that the same person or organization performs only one of the following roles:
This is not an exhaustive presentation of the software development life cycle, but a list of critical development functions applicable to separation of duties.
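The following is an added example, not code from the article or from ISACA, showing how the four function types (authorization, custody, record keeping, reconciliation) and the two-signature rule above map onto a role-based access-control model, and how a detective compensating control can be run over an audit trail when duties cannot be fully separated. The users, roles, the role-to-function mapping and the audit events are all constructed for illustration.

```python
"""Separation-of-duties checks on a small role-based access-control model.

Added example, not from the article or any named product. Users, roles,
the role-to-function mapping and the audit events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# The four function types the article says one person should not combine.
AUTHORIZATION = "authorization"
CUSTODY = "custody"
RECORD_KEEPING = "record keeping"
RECONCILIATION = "reconciliation"

# Assumed mapping from each role to the single function type it exercises.
ROLE_FUNCTIONS = {
    "payment_approver": AUTHORIZATION,
    "cashier": CUSTODY,
    "ledger_clerk": RECORD_KEEPING,
    "bank_reconciler": RECONCILIATION,
    "code_author": RECORD_KEEPING,   # writes the change
    "release_deployer": CUSTODY,     # controls what reaches production
}


class SoDViolation(Exception):
    """Raised when an action would give one person incompatible duties."""


def functions_of(roles):
    """Set of function types covered by a set of roles."""
    return {ROLE_FUNCTIONS[r] for r in roles}


def static_sod_conflicts(user_roles):
    """Static SoD review over a user-to-roles export.

    Returns {user: sorted function types} for every user whose roles span
    more than one function type; an auditor runs this before sign-off.
    """
    conflicts = {}
    for user, roles in user_roles.items():
        funcs = functions_of(roles)
        if len(funcs) > 1:
            conflicts[user] = sorted(funcs)
    return conflicts


def would_violate(user_roles, user, role):
    """True if granting `role` would give `user` a second function type."""
    current = functions_of(user_roles.get(user, set()))
    return bool(current) and ROLE_FUNCTIONS[role] not in current


def assign_role(user_roles, user, role):
    """Preventive control: refuse a grant that would create a conflict."""
    if would_violate(user_roles, user, role):
        held = sorted(functions_of(user_roles[user]))
        raise SoDViolation(f"{user}: {role} conflicts with {held}")
    user_roles.setdefault(user, set()).add(role)
    return user_roles


@dataclass
class Cheque:
    """Dynamic SoD: the two-signature rule. Each signer must hold an
    authorizing role, and the signers must be different people."""
    amount: int
    required: int = 2
    signers: list = field(default_factory=list)

    def sign(self, user, user_roles):
        if AUTHORIZATION not in functions_of(user_roles.get(user, set())):
            raise SoDViolation(f"{user} holds no authorizing role")
        if user in self.signers:
            raise SoDViolation(f"{user} has already signed this cheque")
        self.signers.append(user)
        return self.approved

    @property
    def approved(self):
        return len(self.signers) >= self.required


def detect_self_approval(events):
    """Detective (compensating) control over an audit trail.

    `events` are (txn_id, user, action) tuples. Flags every transaction in
    which one user both authorized and recorded it: the position from which
    errors or irregularities can be carried out and concealed.
    """
    by_txn = defaultdict(lambda: defaultdict(set))
    for txn_id, user, action in events:
        by_txn[txn_id][user].add(action)
    return sorted(
        (txn_id, user)
        for txn_id, users in by_txn.items()
        for user, actions in users.items()
        if {"authorize", "record"} <= actions
    )


if __name__ == "__main__":
    # Constructed sample data.
    user_roles = {
        "alice": {"payment_approver"},
        "bob": {"payment_approver"},
        "carol": {"cashier", "bank_reconciler"},  # custody + reconciliation
        "erin": {"code_author"},
    }
    print(static_sod_conflicts(user_roles))                      # carol flagged
    print(would_violate(user_roles, "erin", "release_deployer"))  # True
    cheque = Cheque(amount=5000)
    cheque.sign("alice", user_roles)
    print(cheque.sign("bob", user_roles))                         # True
    events = [("T1", "alice", "authorize"), ("T1", "dave", "record"),
              ("T2", "frank", "authorize"), ("T2", "frank", "record")]
    print(detect_self_approval(events))                           # [('T2', 'frank')]
```

The static check and `assign_role` are preventive controls on the role model itself; `Cheque.sign` enforces the rule at the time of the transaction, so a user who holds an authorizing role still cannot supply both signatures; `detect_self_approval` is the kind of after-the-fact review that serves as a compensating control in a small team where one person must hold both roles.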
To successfully implement separation of duties in information systems a number of concerns need to be addressed: