Separation of duties

Last updated July 26, 2023

Separation of duties (SoD), also known as segregation of duties, is the concept of having more than one person required to complete a task. It is an administrative control used by organisations to prevent fraud, sabotage, theft, misuse of information, and other security compromises. In the political realm, it is known as the separation of powers, as can be seen in democracies where the government is separated into three independent branches: a legislature, an executive, and a judiciary.

General description

Separation of duties is a key concept of internal controls. Increased protection from fraud and errors must be balanced with the increased cost/effort required.

In essence, SoD implements an appropriate level of checks and balances upon the activities of individuals. R. A. Botha and J. H. P. Eloff in the IBM Systems Journal describe SoD as follows.

Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. This principle is demonstrated in the traditional example of separation of duty found in the requirement of two signatures on a cheque.^[1]

Actual job titles and organizational structure may vary greatly from one organization to another, depending on the size and nature of the business. Accordingly, rank or hierarchy are less important than the skillset and capabilities of the individuals involved. With the concept of SoD, business critical duties can be categorized into four types of functions: authorization, custody, record keeping, and reconciliation. In a perfect system, no one person should handle more than one type of function.

Principles

Principally several approaches are optionally viable as partially or entirely different paradigms:

sequential separation (two signatures principle)
individual separation (four eyes principle)
spatial separation (separate action in separate locations)
factorial separation (several factors contribute to completion)

Auxiliary Patterns

A person with multiple functional roles has the opportunity to abuse those powers. The pattern to minimize risk is:

Start with a function that is indispensable, but potentially subject to abuse.
Divide the function into separate steps, each necessary for the function to work or for the power that enables that function to be abused.
Assign each step to a different person or organization.

General categories of functions to be separated:

authorization function
recording function, e.g. preparing source documents or code or performance reports
custody of asset whether directly or indirectly, e.g. receiving checks in mail or implementing source code or database changes.
reconciliation or audit
splitting one security key in two (more) parts between responsible persons

Primarily the individual separation is addressed as the only selection.

Application in general business and in accounting

The term SoD is already well known in financial accounting systems. Companies in all sizes understand not to combine roles such as receiving cheques (payment on account) and approving write-offs, depositing cash and reconciling bank statements, approving time cards and have custody of pay cheques, etc. SoD is fairly new to most Information Technology (IT) departments, but a high percentage of Sarbanes-Oxley internal audit issues come from IT.^[2]

In information systems, segregation of duties helps reduce the potential damage from the actions of one person. IS or end-user department should be organized in a way to achieve adequate separation of duties. According to ISACA's Segregation of Duties Control matrix,^[3] some duties should not be combined into one position. This matrix is not an industry standard, just a general guideline suggesting which positions should be separated and which require compensating controls when combined.

Depending on a company's size, functions and designations may vary. Smaller companies with a lack of SoD typically face concerns in disbursement cycles where unauthorized purchases and payments can occur.^[4] When duties cannot be separated, compensating controls should be in place. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness. If a single person can carry out and conceal errors and/or irregularities in the course of performing their day-to-day activities, they have been assigned SoD incompatible duties. There are several control mechanisms that can help to enforce the segregation of duties:

Audit trails enable IT managers or Auditors to recreate the actual transaction flow from the point of origination to its existence on an updated file. Good audit trails should be enabled to provide information on who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated.
Reconciliation of applications and an independent verification process is ultimately the responsibility of users, which can be used to increase the level of confidence that an application ran successfully.
Exception reports are handled at supervisory level, backed up by evidence noting that exceptions are handled properly and in timely fashion. A signature of the person who prepares the report is normally required.
Manual or automated system or application transaction logs should be maintained, which record all processed system commands or application transactions.
Supervisory review should be performed through observation and inquiry.
To compensate mistakes or intentional failures by following a prescribed procedure, independent reviews are recommended. Such reviews can help detect errors and irregularities.

Application in information systems

The accounting profession has invested significantly in separation of duties because of the understood risks accumulated over hundreds of years of accounting practice.

By contrast, many corporations in the United States found that an unexpectedly high proportion of their Sarbanes-Oxley internal control issues came from IT. Separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code or data without detection. Role-based access control is frequently used in IT systems where SoD is required. More recently, as the number of roles increases in a growing organization, a hybrid access control model with Attribute-based access control is used to resolve the limitations of its role-based counterpart.^[5]

Strict control of software and data changes will require that the same person or organizations performs only one of the following roles:

Identification of a requirement (or change request); e.g. a business person
Authorization and approval; e.g. an IT governance board or manager
Design and development; e.g. a developer
Review, inspection and approval; e.g. another developer or architect.
Implementation in production; typically a software change or system administrator.

This is not an exhaustive presentation of the software development life cycle, but a list of critical development functions applicable to separation of duties.

To successfully implement separation of duties in information systems a number of concerns need to be addressed:

The process used to ensure a person's authorization rights in the system is in line with his role in the organization.
The authentication method used such as knowledge of a password, possession of an object (key, token) or a biometrical characteristic.
Circumvention of rights in the system can occur through database administration access, user administration access, tools which provide back-door access or supplier installed user accounts. Specific controls such as a review of an activity log may be required to address this specific concern.

Related Research Articles

<span class="mw-page-title-main">Information security</span> Protecting information by mitigating risk

Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorized or inappropriate access to data or the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation of information. It also involves actions intended to reduce the adverse impacts of such incidents. Protected information may take any form, e.g., electronic or physical, tangible, or intangible. Information security's primary focus is the balanced protection of data confidentiality, integrity, and availability while maintaining a focus on efficient policy implementation, all without hampering organization productivity. This is largely achieved through a structured risk management process that involves:

In physical security and information security, access control (AC) is the selective restriction of access to a place or other resource, while access management describes the process. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization.

In computer systems security, role-based access control (RBAC) or role-based security is an approach to restricting system access to authorized users, and to implementing mandatory access control (MAC) or discretionary access control (DAC).

<span class="mw-page-title-main">Authorization</span> Function of specifying access rights and privileges to resources

Authorization or authorisation is the function of specifying access rights/privileges to resources, which is related to general information security and computer security, and to access control in particular. More formally, "to authorize" is to define an access policy. For example, human resources staff are normally authorized to access employee records and this policy is often formalized as access control rules in a computer system. During operation, the system uses the access control rules to decide whether access requests from (authenticated) consumers shall be approved (granted) or disapproved (rejected). Resources include individual files or an item's data, computer programs, computer devices and functionality provided by computer applications. Examples of consumers are computer users, computer software and other hardware on the computer.

An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure and business applications. The evaluation of evidence obtained determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

Change management auditing is the process by which companies can effectively manage change within their information technology systems. Changes to computer software must be monitored in order to reduce the risk of data loss, corruption, malware, errors, and security breaches.

Systems Applications Products audit is an audit of a computer system from SAP to check its security and data integrity. SAP is the acronym for Systems Applications Products. It is a system that provides users with a soft real-time business application. It contains a user interface and is considered very flexible. In an SAP audit the two main areas of concern are security and data integrity.

A mainframe audit is a comprehensive inspection of computer processes, security, and procedures,with recommendations for improvement.

An information security audit is an audit of the level of information security in an organization. It is an independent review and examination of system records, activities, and related documents. These audits are intended to improve the level of information security, avoid improper information security designs, and optimize the efficiency of the security safeguards and security processes. Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Most commonly the controls being audited can be categorized as technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases, and highlights key components to look for and different methods for auditing these areas.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. In 1992 (and subsequently re-released in 2013), COSO published the Internal Control - Integrated Framework, commonly used by businesses in the United States to design, implement, and conduct systems of internal control over financial reporting and assessing their effectiveness.

ISACA is an international professional association focused on IT governance. On its IRS filings, it is known as the Information Systems Audit and Control Association, although ISACA now goes by its acronym only. ISACA currently offers 8 certification program as well as other micro-certificates.

Database security concerns the use of a broad range of information security controls to protect databases against compromises of their confidentiality, integrity and availability. It involves various types or categories of controls, such as technical, procedural/administrative and physical.

Internal control, as defined by accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.

<span class="mw-page-title-main">Trusted Computer System Evaluation Criteria</span>

Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was used to evaluate, classify, and select computer systems being considered for the processing, storage, and retrieval of sensitive or classified information.

Multi-party authorization (MPA) is a process to protect a telecommunications network, data center or industrial control system from undesirable acts by a malicious insider or inexperienced technician acting alone. MPA requires that a second authorized user approve an action before it is allowed to take place. This pro-actively protects data or systems from an undesirable act.

Database activity monitoring is a database security technology for monitoring and analyzing database activity. DAM may combine data from network-based monitoring and native audit information to provide a comprehensive picture of database activity. The data gathered by DAM is used to analyze and report on database activity, support breach investigations, and alert on anomalies. DAM is typically performed continuously and in real-time.

IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:

In information security, computer science, and other fields, the principle of least privilege (PoLP), also known as the principle of minimal privilege (PoMP) or the principle of least authority (PoLA), requires that in a particular abstraction layer of a computing environment, every module must be able to access only the information and resources that are necessary for its legitimate purpose.

<span class="mw-page-title-main">Computer access control</span>

In computer security, general access control includes identification, authorization, authentication, access approval, and audit. A more narrow definition of access control would cover only access approval, whereby the system makes a decision to grant or reject an access request from an already authenticated subject, based on what the subject is authorized to access. Authentication and access control are often combined into a single operation, so that access is approved based on successful authentication, or based on an anonymous access token. Authentication methods and tokens include passwords, biometric scans, physical keys, electronic keys and devices, hidden paths, social barriers, and monitoring by humans and automated systems.

ERP Security is a wide range of measures aimed at protecting Enterprise resource planning (ERP) systems from illicit access ensuring accessibility and integrity of system data. ERP system is a computer software that serves to unify the information intended to manage the organization including Production, Supply Chain Management, Financial Management, Human Resource Management, Customer Relationship Management, Enterprise Performance Management.

References

↑ R. A. Botha; J. H. P. Eloff (2001). "Separation of Duties for Access Control Enforcement in Workflow Environments". IBM Systems Journal. 40 (3): 666–682. doi:10.1147/sj.403.0666. Archived from the original on December 18, 2001.
↑ Alyson Behr; Kevin Coleman (August 3, 2017). "Separation of Duties and IT Security". csoonline.com.
↑ "Segregation of Duties Control matrix". ISACA. Archived from the original on 2011-07-03. Retrieved 2022-07-17.
↑ Gramling, Audrey; Hermanson, Dana; Hermanson, Heather; Ye, Zhongxia (2010-07-01). "Addressing Problems with the Segregation of Duties in Smaller Companies". Faculty Publications.
↑ Soni, Kritika; Kumar, Suresh (2019-02-01). "Comparison of RBAC and ABAC Security Models for Private Cloud". 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon). pp. 584–587. doi:10.1109/COMITCon.2019.8862220. ISBN 978-1-7281-0211-5. S2CID 204231677.

External links

Nick Szabo's essay on Separation of Duties at the Wayback Machine (archived March 6, 2016)
"Segregation/separation of duties definition", ISACA
"Segregate Duties to Lessen Security Risks", Datamation
"Transparency, Partitioning, Separation, Rotation and Supervision of Responsibilities", ISM3

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] R. A. Botha; J. H. P. Eloff (2001). "Separation of Duties for Access Control Enforcement in Workflow Environments". IBM Systems Journal. 40 (3): 666–682. doi:10.1147/sj.403.0666. Archived from the original on December 18, 2001.

[2] Alyson Behr; Kevin Coleman (August 3, 2017). "Separation of Duties and IT Security". csoonline.com.

[3] "Segregation of Duties Control matrix". ISACA. Archived from the original on 2011-07-03. Retrieved 2022-07-17.

[4] Gramling, Audrey; Hermanson, Dana; Hermanson, Heather; Ye, Zhongxia (2010-07-01). "Addressing Problems with the Segregation of Duties in Smaller Companies". Faculty Publications.

[5] Soni, Kritika; Kumar, Suresh (2019-02-01). "Comparison of RBAC and ABAC Security Models for Private Cloud". 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon). pp. 584–587. doi:10.1109/COMITCon.2019.8862220. ISBN 978-1-7281-0211-5. S2CID 204231677.

[1]

[2]

[3]

[4]

[5]

v t e Separation of powers
Typical branches	Executive Legislature Judiciary
Additional branches	Fourth Estate Civil service commission Auditory Electoral Prosecutory
By country	Australia Hong Kong Singapore United Kingdom United States
See also	Fusion of powers Separation of duties Judicial independence Judicial review Dual mandate