Separation Of Duties Article Index for
Separation Of 		Website Links For
Separation 		 

Information About

Separation Of Duties
  CATEGORIES ABOUT SEPARATION OF DUTIES
   
human resource management
   
APPAREL
BABY
BEAUTY
BOOKS
CAR TOYS
CELL PHONES
DVD'S
ELECTRONICS
GOURMET FOOD
GROCERIES
HEALTH & PERSONAL
HOME & GARDEN
JEWELRY
MUSIC
MUSIC INSTRUMENTS
OFFICE PRODUCTS
SOFTWARE
SPORTING GOODS
TOOLS & HARDWARE
TOYS
VIDEO GAMES
SHOPPING HOME
MORE SHOPPING...




PATTERN

The separation of duties pattern is applied to functions the performance of which requires power that can be abused. The pattern is:

1. Start with a function that indispensable, yet potentially subject to abuse.

2. Divide the function into separate steps, each necessary for the function to work or for the power that enables that function to be abused.

3. Assign each step to a different person or organization.

Three general categories of functions must be separated:

  • authorization function

  • recording function, e.g. preparing source documents or code or performance reports

  • custody of asset whether directly or indirectly, e.g. receiving checks in mail or implementing source code or database changes.



APPLICATION

The accounting profession has invested significantly in separation of duties because of the understood risks accumulated over hundreds of years of accounting practice. Except in the smallest of firms, the person who receives money cannot be the person who records the receipt.

By contrast, many corporations that found an unexpectedly high proportion of their Sarbanes-Oxley internal control issues came from IT. Separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code or data without detection. Strict control of software and data changes will require that the same person or organizations performs only one of the following roles:
  • Identification of a requirement (or change request); e.g. a business person

  • Authorization and approval; e.g. an IT governance board or manager

  • Design and development; e.g. a developer

  • Review, Inspection And Approval ; e.g. another developer or architect.

  • Implementation in production; typically a software change or database administrator.


This is not an exhaustive presentation of the Software Development Life Cycle , but a list of critical development functions applicable to separation of duties.

To successfully implement separation of duties in information systems a number of concerns need to be addressed:

  • The process used to ensure a persons authorization rights in the system is in line with their role in the organization.

  • The Authentication method used such as knowledge such as a password, possession of an object (key, token) or a biometrical characteristic.

  • Circumvention of rights in the system can occur through database administration access, user administration access, tools which provide back-door access or supplier installed user accounts (e.g. SAPALL ). Specific controls such as a review of an activity log may be required to address this specific concern.



REFERENCES

Nick Szabo's essay on Separation of Duties

Segregation/separation of duties definition from ISACA

Internal Control Concepts

Datamation article dated Jan 18, 2006: Segregate Duties to Lessen Security Risks