Management, Planning and Organization of IS

ISACA PROFESSIONAL RESOURCES

SEGREGATION OF DUTIES WITHIN INFORMATION SYSTEMS

This is an excerpt from the CISA Review Manual 2005

Chapter 2 - Management, Planning and Organization of IS
CISA Review Manual 2005 - Pages 88-91

The entire publication and other exam study material can be purchased through the ISACA
bookstore at www.isaca.org/cisabooks.

CISA® REVIEW MANUAL

SEGREGATION OF DUTIES DISCLAIMER

ISACA has produced this publication as an educational resource to assist individuals preparing
to take the CISA Certification Exam. It was produced independently from the CISA
Certification Board, which has no input into or responsibility for its content. ISACA makes no
claim that the Segregation of Duties Control Matrix is an industry standard. The material is
solely intended as a general guideline to assist in identifying potential conflicts. Functions,
designations, nature of business processes, technology deployed and risks may vary from one
organization to another. In determining the proper controls, the IS auditing professional
should apply his or her own professional judgment to the specific circumstances presented
within an enterprise or information technology environment.

CISA Review Manual 2005 1

Chapter 2

SEGREGATION OF DUTIES WITHIN IS

Actual job titles and organizational structures may vary greatly from one organization to
another, depending on the size and nature of the business. However, it is important for an IS
auditor to obtain information to assess the relationship among various job functions,
responsibilities and authorities in assessing adequate segregation of duties. The segregation of
duties avoids the possibility that a single person could be responsible for diverse and critical
functions in such a way that errors or misappropriations could occur and not be detected in a
timely manner and in the normal course of business processes. Segregation of duties is an
important means by which fraudulent and or malicious acts can be discouraged and prevented.

When duties are segregated, access to the computer, the production data library, the
production programs, the programming documentation and the operating system and
associated utilities can be limited. Potential damage from the actions of any one person is
therefore reduced. The IS and end-user departments should be organized to achieve an
adequate segregation of duties. See exhibit 2.2, segregation of duties control matrix, for a
guideline of the job responsibilities that should not be combined.

The segregation of duties control matrix (exhibit 2.2) is not an industry standard, but a
guideline indicating which positions should be separated and which require compensating
controls when combined. The matrix is illustrative of potential segregation of duties issues
and should not be viewed or used as an absolute, rather it should be used to help identify
potential conflicts so proper questions may be asked to identify compensating controls.

In actual practice, functions and designations may vary in different enterprises. Further,
depending on the nature of the business processes and technology deployed, the risks may
vary. However, it is important for an IS auditor to understand the functions of each of the
designations specified in the manual. The IS auditors need to understand the risk of
combining functions indicated in the segregation of duties control matrix.

Compensating controls are internal controls that are intended to reduce the risk of an existing
or potential control weakness when duties cannot be appropriately segregated. The
organization structure and roles should be taken into account in determining the appropriate
controls for the relevant environment. For example, an organization may not have all the
positions described in the matrix or one person may be responsible for many of the roles
described. The size of the IS/IT department may also be an important factor that should be
considered, i.e., certain combinations of roles in an IS/IT department of a certain size should
never be used. However, if for some reason combined roles are required, then mitigating
controls should be described.

The purpose of segregation of duties is to reduce or eliminate business risks through the
identification of compensating controls. The magnitude and probability of risk can be assessed
from low to high, depending on the organization.

2 CISA Review Manual 2005

 Management, Planning and Organization of IS

Exhibit 2.2
Segregation of Duties Control Matrix

Help Desk and

Administrator
Administrator
Administrator

Administrator
Support Mgr.
Programmer

Programmer
Application

Assurance
Computer
Operatoar

Librarian
Systems

Systems

Systems
Network

Security
Control

Analyst

Quality
Group

Entry
User

Tape
Data
End

DB
Control
X X X X X X X X X
Group

Systems
X X X X X X
Analyst

Application
X X X X X X X X X X X
Programmer

Help Desk and

X X X X X X X X X X
Support Mgr.

End
X X X X X X X X X
User

Data
X X X X X X X X X
Entry

Computer
X X X X X X X X X X
Operator

DB
X X X X X X X X X
Administrator

Network
X X X X X X X X
Administrator

System
X X X X X X X
Administrator

Security
X X X X X X
Administrator

Tape
X X X X X X X X
Librarian

Systems
X X X X X X X X X X
Programmer

Quality
X X
Assurance

X—Combination of these functions may create a potential control weakness.

SEGREGATION OF DUTIES CONTROLS

Several control mechanisms can be used to enforce segregation of duties. The controls are
described in the following sections.

TRANSACTION AUTHORIZATION

Transaction authorization is the responsibility of the user department. Authorization is

delegated to the degree that it relates to the particular level of responsibility of the authorized
individual in the department. Periodic checks must be performed by management and audit
to detect the unauthorized entry of transactions.

CISA Review Manual 2005 3

Chapter 2

CUSTODY OF ASSETS

Custody of corporate assets must be determined and assigned appropriately. The data owner
usually is assigned to a particular user department, and their duties should be specific and in
writing. The owner of the data has responsibility for determining authorization levels required
to provide adequate security, while the administration group is often responsible for
implementing and enforcing the security system.

ACCESS TO DATA

Controls over access to data are provided by a combination of physical, system and
application security in the user area and the information processing facility. The physical
environment must be secured to prevent unauthorized personnel from accessing the various
tangible devices connected to the central processing unit and, thereby, permitting access to
data. System and application securities are additional layers of security that may prevent
unauthorized individuals from gaining access to corporate data. Access to data from external
connections is a growing concern since the advent of the Internet. Therefore, IS management
has added responsibilities to protect information assets from unauthorized access.

Access control decisions are based on organizational policy and on two generally accepted
standards of practice—separation of duties and least privilege. Controls for effective use must
not disrupt the usual work flow more than necessary or place too much burden on
administrators, auditors or authorized users. Further access must not be unconditional, and
access controls must adequately protect all of the organization’s resources. To ensure these, it
may be necessary to first categorize the resources.

Policies establish levels of sensitivity, such as top secret, secret, confidential and unclassified,
for data and other resources. These levels should be used for guidance on the proper
procedures for handling information resources. They may be used as a basis for access control
decisions as well. Individuals are granted access to only those resources at or below a specific
level of sensitivity. Labels are used to indicate the sensitivity level of electronically stored
documents. Policy-based controls may be characterized as either mandatory or discretionary.

Refer to the Mandatory and Discretionary Access Controls section, under the topic of
Importance of Information Assets, in chapter 4 for further detail.

4 CISA Review Manual 2005

 Management, Planning and Organization of IS

AUTHORIZATION FORMS

Managers of user departments must provide IS with formal authorization forms (either hard
copy or electronic) that define the access rights of their employees. In other words, managers
must define who should have access to what. Authorization forms must be evidenced properly
with management-level approval. Generally, all users should be authorized with specific
system access via formal request of management. In large companies or in those with remote
sites, signature authorization logs should be maintained and formal requests should be
compared to the signature log. Access privileges should be reviewed periodically to ensure that
they are current and appropriate to the user’s job functions.

USER AUTHORIZATION TABLES

The IS department should use the data from the authorization forms to build and maintain user
authorization tables. These will define who is authorized to update, modify, delete and/or view
data. These privileges are provided at the system, transaction or field level. In effect, these are user
access control lists. These authorization tables must be secured against unauthorized access by
additional password protection or data encryption. A control log should record all user activity,
and appropriate management should review this log. All exception items should be investigated.

COMPENSATING CONTROLS FOR LACK OF SEGREGATION OF DUTIES

In a small business where the IS department may only consist of four to five people,
compensating control measures must exist to mitigate the risk resulting from a lack of
segregation of duties. Compensating controls would include:
● Audit trails—Audit trails are an essential component of all well-designed systems. They
help the IS and user departments as well as the IS auditor by providing a map to retrace
the flow of a transaction. They enable the user and IS auditor to recreate the actual
transaction flow from the point of origination to its existence on an updated file. In the
absence of adequate segregation of duties, good audit trails may be an acceptable
compensating control. The IS auditor should be able to determine who initiated the
transaction, the time of day and date of entry, the type of entry, what fields of information
it contained, and what files it updated.
● Reconciliation—Reconciliation is ultimately the responsibility of the user. In some
organizations, limited reconciliation of applications may be performed by the data
control group with the use of control totals and balancing sheets. This type of
independent verification increases the level of confidence that the application ran
successfully and that the data are in proper balance.
● Exception reporting—Exception reporting should be handled at the supervisory level
and should require evidence, such as initials on a report, noting that the exception has
been handled properly. Management should also ensure that exceptions are resolved in a
timely manner.
● Transaction logs—A transaction log may be manual or automated. An example of a
manual log is a record of transactions (grouped or batched) before they are submitted for
processing. An automated transaction log or journal provides a record of all transactions
processed, and it is maintained by the computer system.
● Supervisory reviews—Supervisory reviews may be performed through observation and
inquiry or remotely.
● Independent reviews—Independent reviews are carried out to compensate for mistakes
or intentional failures in following prescribed procedures. These are particularly important
when duties in a small organization cannot be appropriately segregated. Such reviews will
help detect errors or irregularities.

CISA Review Manual 2005 5