Segregation of Duties: Analysis and Remediation for Systems Access
Written by Blake Elder, CISA, January 2010
Across organizations and industries, while the definition may vary, the goal of Segregation of Duties (SoD), also known as Separation of Duties, is to prevent, or decrease, the risk of errors or irregularities by ensuring that no single individual has control over multiple incompatible phases of a process. For example, in a well-controlled environment, the same individual should not have access to initiate, approve and reconcile a transaction. While SoD is nothing new to the financial accounting world, the topic has received increasing attention due to a number of external drivers. Sarbanes-Oxley (SOX) and other regulatory requirements, along with increasing fraud and data privacy concerns, are forcing companies to increase the awareness of, and accountability for, their employees' actions within the company.
As the importance and awareness of SoD increase, executives and management are lending more attention, time and resources to the subject. Governance, Risk, and Compliance (GRC) solutions that enable automated monitoring, such as SAP Business Objects Access Control and Approva Bizrights, are becoming increasingly popular. This increased attention has required the assistance of consultants with the requisite knowledge and expertise to implement these tools and assist with the remediation process. Nevertheless, many organizations still struggle to grasp the complexity of the problem and to define a clear approach to Segregation of Duties.
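The kind of automated check a GRC tool performs can be illustrated with a small conflict analysis. The example below is added here and is not code from the article or from any of the products named; the roles, functions and users are constructed, and the three incompatible functions are the initiate/approve/reconcile phases the text uses. It resolves each user's roles to the functions they grant, reports every pair of incompatible functions a user holds (including conflicts created by a single over-broad role), and tallies which role combinations cause the most conflicts, which is where remediation usually has to start.

```python
from collections import Counter
from itertools import product

# SoD ruleset: pairs of functions no single person should hold (constructed).
SOD_RULES = [
    ("initiate_payment", "approve_payment"),
    ("approve_payment", "reconcile_bank"),
    ("initiate_payment", "reconcile_bank"),
]

# Role -> functions the role grants (constructed role model).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"initiate_payment", "view_vendor"},
    "AP_MANAGER": {"approve_payment", "view_vendor"},
    "GL_ACCOUNTANT": {"reconcile_bank"},
    "READ_ONLY": {"view_vendor"},
}

# User -> assigned roles (constructed sample population).
USERS = {
    "alice": ["AP_CLERK", "AP_MANAGER"],      # initiate + approve
    "bob": ["AP_CLERK", "READ_ONLY"],         # no conflict
    "carol": ["GL_ACCOUNTANT", "AP_MANAGER"], # approve + reconcile
}

def user_functions(roles):
    """Map each function the user can perform to the roles granting it."""
    granted = {}
    for role in roles:
        for func in ROLE_FUNCTIONS.get(role, set()):
            granted.setdefault(func, set()).add(role)
    return granted

def find_conflicts(user_roles):
    """Return {user: [(func_a, func_b, roles_granting_a, roles_granting_b)]}.
    A single role granting both functions shows up with the same role on both sides."""
    conflicts = {}
    for user, roles in user_roles.items():
        granted = user_functions(roles)
        for a, b in SOD_RULES:
            if a in granted and b in granted:
                finding = (a, b, sorted(granted[a]), sorted(granted[b]))
                conflicts.setdefault(user, []).append(finding)
    return conflicts

def conflicting_role_pairs(conflicts):
    """Count the role combinations behind the findings; high counts point to role redesign."""
    counts = Counter()
    for findings in conflicts.values():
        for _, _, roles_a, roles_b in findings:
            for pair in product(roles_a, roles_b):
                counts[tuple(sorted(pair))] += 1
    return counts

if __name__ == "__main__":
    found = find_conflicts(USERS)
    for user, findings in found.items():
        print(user, findings)
    print(conflicting_role_pairs(found).most_common())
```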
To successfully analyze and mitigate Segregation of Duties risk, organizations should develop a framework for defining and maintaining adequate SoD at the enterprise level.
