Escolar Documentos
Profissional Documentos
Cultura Documentos
The entire publication and other exam study material can be purchased through the ISACA
bookstore at www.isaca.org/cisabooks.
ISACA has produced this publication as an educational resource to assist individuals preparing
to take the CISA Certification Exam. It was produced independently from the CISA
Certification Board, which has no input into or responsibility for its content. ISACA makes no
claim that the Segregation of Duties Control Matrix is an industry standard. The material is
solely intended as a general guideline to assist in identifying potential conflicts. Functions,
designations, nature of business processes, technology deployed and risks may vary from one
organization to another. In determining the proper controls, the IS auditing professional
should apply his or her own professional judgment to the specific circumstances presented
within an enterprise or information technology environment.
When duties are segregated, access to the computer, the production data library, the
production programs, the programming documentation and the operating system and
associated utilities can be limited. Potential damage from the actions of any one person is
therefore reduced. The IS and end-user departments should be organized to achieve an
adequate segregation of duties. See exhibit 2.2, segregation of duties control matrix, for a
guideline of the job responsibilities that should not be combined.
The segregation of duties control matrix (exhibit 2.2) is not an industry standard, but a
guideline indicating which positions should be separated and which require compensating
controls when combined. The matrix is illustrative of potential segregation of duties issues
and should not be viewed or used as an absolute, rather it should be used to help identify
potential conflicts so proper questions may be asked to identify compensating controls.
In actual practice, functions and designations may vary in different enterprises. Further,
depending on the nature of the business processes and technology deployed, the risks may
vary. However, it is important for an IS auditor to understand the functions of each of the
designations specified in the manual. The IS auditors need to understand the risk of
combining functions indicated in the segregation of duties control matrix.
Compensating controls are internal controls that are intended to reduce the risk of an existing
or potential control weakness when duties cannot be appropriately segregated. The
organization structure and roles should be taken into account in determining the appropriate
controls for the relevant environment. For example, an organization may not have all the
positions described in the matrix or one person may be responsible for many of the roles
described. The size of the IS/IT department may also be an important factor that should be
considered, i.e., certain combinations of roles in an IS/IT department of a certain size should
never be used. However, if for some reason combined roles are required, then mitigating
controls should be described.
The purpose of segregation of duties is to reduce or eliminate business risks through the
identification of compensating controls. The magnitude and probability of risk can be assessed
from low to high, depending on the organization.
Exhibit 2.2
Segregation of Duties Control Matrix
Administrator
Administrator
Administrator
Administrator
Support Mgr.
Programmer
Programmer
Application
Assurance
Computer
Operatoar
Librarian
Systems
Systems
Systems
Network
Security
Control
Analyst
Quality
Group
Entry
User
Tape
Data
End
DB
Control
X X X X X X X X X
Group
Systems
X X X X X X
Analyst
Application
X X X X X X X X X X X
Programmer
End
X X X X X X X X X
User
Data
X X X X X X X X X
Entry
Computer
X X X X X X X X X X
Operator
DB
X X X X X X X X X
Administrator
Network
X X X X X X X X
Administrator
System
X X X X X X X
Administrator
Security
X X X X X X
Administrator
Tape
X X X X X X X X
Librarian
Systems
X X X X X X X X X X
Programmer
Quality
X X
Assurance
TRANSACTION AUTHORIZATION
CUSTODY OF ASSETS
Custody of corporate assets must be determined and assigned appropriately. The data owner
usually is assigned to a particular user department, and their duties should be specific and in
writing. The owner of the data has responsibility for determining authorization levels required
to provide adequate security, while the administration group is often responsible for
implementing and enforcing the security system.
ACCESS TO DATA
Controls over access to data are provided by a combination of physical, system and
application security in the user area and the information processing facility. The physical
environment must be secured to prevent unauthorized personnel from accessing the various
tangible devices connected to the central processing unit and, thereby, permitting access to
data. System and application securities are additional layers of security that may prevent
unauthorized individuals from gaining access to corporate data. Access to data from external
connections is a growing concern since the advent of the Internet. Therefore, IS management
has added responsibilities to protect information assets from unauthorized access.
Access control decisions are based on organizational policy and on two generally accepted
standards of practice—separation of duties and least privilege. Controls for effective use must
not disrupt the usual work flow more than necessary or place too much burden on
administrators, auditors or authorized users. Further access must not be unconditional, and
access controls must adequately protect all of the organization’s resources. To ensure these, it
may be necessary to first categorize the resources.
Policies establish levels of sensitivity, such as top secret, secret, confidential and unclassified,
for data and other resources. These levels should be used for guidance on the proper
procedures for handling information resources. They may be used as a basis for access control
decisions as well. Individuals are granted access to only those resources at or below a specific
level of sensitivity. Labels are used to indicate the sensitivity level of electronically stored
documents. Policy-based controls may be characterized as either mandatory or discretionary.
Refer to the Mandatory and Discretionary Access Controls section, under the topic of
Importance of Information Assets, in chapter 4 for further detail.
AUTHORIZATION FORMS
Managers of user departments must provide IS with formal authorization forms (either hard
copy or electronic) that define the access rights of their employees. In other words, managers
must define who should have access to what. Authorization forms must be evidenced properly
with management-level approval. Generally, all users should be authorized with specific
system access via formal request of management. In large companies or in those with remote
sites, signature authorization logs should be maintained and formal requests should be
compared to the signature log. Access privileges should be reviewed periodically to ensure that
they are current and appropriate to the user’s job functions.
The IS department should use the data from the authorization forms to build and maintain user
authorization tables. These will define who is authorized to update, modify, delete and/or view
data. These privileges are provided at the system, transaction or field level. In effect, these are user
access control lists. These authorization tables must be secured against unauthorized access by
additional password protection or data encryption. A control log should record all user activity,
and appropriate management should review this log. All exception items should be investigated.
In a small business where the IS department may only consist of four to five people,
compensating control measures must exist to mitigate the risk resulting from a lack of
segregation of duties. Compensating controls would include:
● Audit trails—Audit trails are an essential component of all well-designed systems. They
help the IS and user departments as well as the IS auditor by providing a map to retrace
the flow of a transaction. They enable the user and IS auditor to recreate the actual
transaction flow from the point of origination to its existence on an updated file. In the
absence of adequate segregation of duties, good audit trails may be an acceptable
compensating control. The IS auditor should be able to determine who initiated the
transaction, the time of day and date of entry, the type of entry, what fields of information
it contained, and what files it updated.
● Reconciliation—Reconciliation is ultimately the responsibility of the user. In some
organizations, limited reconciliation of applications may be performed by the data
control group with the use of control totals and balancing sheets. This type of
independent verification increases the level of confidence that the application ran
successfully and that the data are in proper balance.
● Exception reporting—Exception reporting should be handled at the supervisory level
and should require evidence, such as initials on a report, noting that the exception has
been handled properly. Management should also ensure that exceptions are resolved in a
timely manner.
● Transaction logs—A transaction log may be manual or automated. An example of a
manual log is a record of transactions (grouped or batched) before they are submitted for
processing. An automated transaction log or journal provides a record of all transactions
processed, and it is maintained by the computer system.
● Supervisory reviews—Supervisory reviews may be performed through observation and
inquiry or remotely.
● Independent reviews—Independent reviews are carried out to compensate for mistakes
or intentional failures in following prescribed procedures. These are particularly important
when duties in a small organization cannot be appropriately segregated. Such reviews will
help detect errors or irregularities.