Which of the following would be an example of separation of duties?
The basic principle of separation of duties is that no individual person, role, or group, should be able to execute all parts of a transaction or process. A simple example serves to clarify this principle: a single person should not be judge, jury, and executioner.
In practice, separation of duties is a loss-control measure designed to reduce the risk of accidental or intentional damage to the integrity, confidentiality, and availability of a transaction or process. It serves three primary purposes:
A risk-based approach to separation of duties
There is no “one size fits all” plan that organizations can use to ensure separation of duties. Each organization must consider the risks it faces, as well as the compliance mandates it must meet. Creating a separation of duties plan applicable to your organization requires conducting a risk assessment, which involves four steps:
What to consider
Although the results of your risk assessment will be unique to your organization, in general, separation of duties controls should ensure that:
These separation of duties controls create a robust ‘checks and balances’ system that prevents any individual person, role, or group from:
Practices to facilitate or enforce separation of duties
The following practices are recommended for facilitating or enforcing separation of duties.
Separation of duties (SoD), also known as segregation of duties, is the concept of having more than one person required to complete a task. It is an administrative control used by organisations to prevent fraud, sabotage, theft, misuse of information, and other security compromises. In the political realm, it is known as the separation of powers, as can be seen in democracies where the government is separated into three independent branches: a legislature, an executive, and a judiciary.
General description
Separation of duties is a key concept of internal controls. Increased protection from fraud and errors must be balanced with the increased cost/effort required. In essence, SoD implements an appropriate level of checks and balances upon the activities of individuals. R. A. Botha and J. H. P. Eloff in the IBM Systems Journal describe SoD as follows.
Actual job titles and organizational structure may vary greatly from one organization to another, depending on the size and nature of the business. Accordingly, rank or hierarchy are less important than the skillset and capabilities of the individuals involved. With the concept of SoD, business-critical duties can be categorized into four types of functions: authorization, custody, record keeping, and reconciliation. In a perfect system, no one person should handle more than one type of function.
Principles
Several approaches are viable, and they may overlap with or differ entirely from one another:
Auxiliary Patterns
A person with multiple functional roles has the opportunity to abuse those powers. The pattern to minimize risk is:
General categories of functions to be separated:
Separation between individuals is the form addressed below.
Application in general business and in accounting
The term SoD is already well known in financial accounting systems. Companies of all sizes understand not to combine roles such as receiving cheques (payment on account) and approving write-offs, depositing cash and reconciling bank statements, approving time cards and having custody of pay cheques, etc. SoD is fairly new to most Information Technology (IT) departments, but a high percentage of Sarbanes-Oxley internal audit issues come from IT.[2] In information systems, segregation of duties helps reduce the potential damage from the actions of one person. The IS or end-user department should be organized in a way that achieves adequate separation of duties. According to ISACA's Segregation of Duties Control matrix,[3] some duties should not be combined into one position. This matrix is not an industry standard, just a general guideline suggesting which positions should be separated and which require compensating controls when combined. Depending on a company's size, functions and designations may vary. When duties cannot be separated, compensating controls should be in place. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness. If a single person can carry out and conceal errors and/or irregularities in the course of performing their day-to-day activities, they have been assigned SoD-incompatible duties. There are several control mechanisms that can help to enforce the segregation of duties:
Application in information systems
The accounting profession has invested significantly in separation of duties because of the understood risks accumulated over hundreds of years of accounting practice. By contrast, many corporations in the United States found that an unexpectedly high proportion of their Sarbanes-Oxley internal control issues came from IT. Separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code or data without detection. Role-based access control is frequently used in IT systems where SoD is required. Strict control of software and data changes requires that the same person or organization performs only one of the following roles:
This is not an exhaustive presentation of the software development life cycle, but a list of critical development functions applicable to separation of duties. To successfully implement separation of duties in information systems a number of concerns need to be addressed:
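The role-based enforcement described above can be made concrete as two checks: a static check over the identity store (no one holds two roles the policy declares incompatible, the IT counterpart of "no one person should handle more than one type of function") and a dynamic, per-change check (the author of a change is not also its approver or deployer, even when a small team could not separate the roles, which is the compensating control the accounting section mentions). The following is an added example written for this page; it is not code from the page, from Wikipedia, or from any vendor named here. The role names, step names, exclusive-pair constraints, users and change records are all constructed for illustration.

```python
"""Static and dynamic separation-of-duty checks over an RBAC policy.

Added example, not code from the page or from any vendor or project it
names. Role names, step names and all users and change records below are
constructed for illustration.
"""
from itertools import combinations

# Static SoD: role pairs that no single identity may hold at the same time.
# Mirrors the rule that one person performs only one of the change roles.
EXCLUSIVE_ROLES = {
    frozenset({"developer", "code_approver"}),
    frozenset({"developer", "prod_deployer"}),
    frozenset({"code_approver", "prod_deployer"}),
}

# Each step of a change must be carried out by a holder of this role.
STEP_ROLE = {
    "authored_by": "developer",
    "approved_by": "code_approver",
    "deployed_by": "prod_deployer",
}

# Dynamic SoD: steps of the *same* change that must be done by different
# people, even when a person is individually entitled to each step.
EXCLUSIVE_STEPS = {
    frozenset({"authored_by", "approved_by"}),
    frozenset({"authored_by", "deployed_by"}),
}

# Constructed sample data. "dave" is the small-team case where static
# separation was not achieved and the dynamic check must compensate.
ASSIGNMENTS = {
    "alice": {"developer"},
    "bob": {"code_approver"},
    "carol": {"prod_deployer"},
    "dave": {"developer", "prod_deployer"},
}

CHANGES = [
    {"id": "CHG-1", "authored_by": "alice", "approved_by": "bob", "deployed_by": "carol"},
    {"id": "CHG-2", "authored_by": "alice", "approved_by": "alice", "deployed_by": "carol"},
    {"id": "CHG-3", "authored_by": "dave", "approved_by": "bob", "deployed_by": "dave"},
]


def static_violations(assignments):
    """Return (user, role_a, role_b) for every exclusive role pair a user holds.

    Run this against the identity store before any change is processed: a
    hit means the policy itself allows one person to do incompatible work.
    """
    found = []
    for user, roles in sorted(assignments.items()):
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in EXCLUSIVE_ROLES:
                found.append((user, a, b))
    return found


def dynamic_violations(change, assignments):
    """Check one change record and return a list of problem descriptions.

    Two checks: each recorded step was done by someone holding the matching
    role (a missing step is reported too), and no exclusive pair of steps
    was done by the same identity. The second check still catches "dave"
    even though the static policy let him hold both roles.
    """
    problems = []
    for step, role in STEP_ROLE.items():
        actor = change.get(step)
        if actor is None:
            problems.append(f"{change['id']}: step {step} not recorded")
        elif role not in assignments.get(actor, set()):
            problems.append(f"{change['id']}: {actor} did {step} without role {role}")
    for a, b in combinations(sorted(STEP_ROLE), 2):
        if frozenset({a, b}) in EXCLUSIVE_STEPS and a in change and b in change:
            if change[a] == change[b]:
                problems.append(f"{change['id']}: {change[a]} did both {a} and {b}")
    return problems


def audit(assignments, changes):
    """Summarise both checks: static hits plus per-change dynamic hits."""
    return {
        "static": static_violations(assignments),
        "dynamic": {c["id"]: dynamic_violations(c, assignments) for c in changes},
    }


if __name__ == "__main__":
    for kind, result in audit(ASSIGNMENTS, CHANGES).items():
        print(kind, result)
```

Running the module reports one static hit (dave holds developer and prod_deployer) and two kinds of dynamic hit: CHG-2 is self-approved by someone who also lacks the approver role, and CHG-3 is deployed by its own author. The static check belongs in periodic access review; the dynamic check belongs in the change pipeline itself, so that an overlap the organization has consciously accepted for staffing reasons is still blocked on each individual transaction.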
What does separation of duties mean quizlet?Separation of duties refers to: Individuals who have physical responsibility for assets should not also have access to accounting records. Having an independent party assess each year the adequacy of the company's internal control procedures is an example of which detective control? Audits.
Which of the following is the segregation of duties an example of?
Examples of segregation of duties:
The person who requisitions the purchase of goods or services should not be the person who approves the purchase. The person who approves the purchase of goods or services should not be the person who reconciles the monthly financial reports.
Which of the following duties should be separated from the others?
Segregation of Duties
Generally, the primary incompatible duties that need to be segregated are: Authorization or approval. Custody of assets. Recording transactions.
What is the purpose of separation of duties?Separation of duties is critical to effective internal control because it reduces the risk of both erroneous and inappropriate actions. All units should attempt to separate functional responsibilities to ensure that errors, intentional or unintentional, cannot be made without being discovered by another person.