Generally speaking, segregation of duties is the concept of having more than one individual required to complete a task. In business, the segregation of duties involves sharing of duties, by more than one individual, as an internal control which is intended to further reduce the risk of fraud and erroneous upset. The concept of segregation of duties, in technical systems and the information technology realm, is sometimes known as redundancy.

Segregation of Duty Basics

As stated, segregation of duties (SoD) is a core concept of internal controls. It ensures increased protection from fraud and error with the essential trade-off of increased effort and cost afforded by the affiliated organization. In a basic sense, segregation of duties allows and appropriate level of checks and balances on the individuals involved in any given process.

In the IBM Systems Journal, R.A. Botha and J.H.P Eloff define Segregation of Duties (SoD) as follows:

Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. This principle is demonstrated in the traditional example of separation of duty found in the requirement of two signatures on a cheque.

At a basic level, segregation of duties keeps an organization honest, with its clients, it’s staff and with its established goals and principles. The defined job titles and organizational composition will vary significantly from one organization to the next, depending heavily on the size and nature of the business. Consequently, the chain of command is less important than the defined skillset and competencies of the involved individuals. Within the working model of segregation of duties, business-critical duties are typically defined by four key functions: custody, record keeping, authorization and reconciliation. In the ideal scenario, no one individual would handle more than one of these individually defined functions.

General Approach, Purpose and Principles

As stated, segregation of duties refers to practices where the knowledge and/or privileges required to satisfy a process, from start to finish, are broken up and divided among multiple individuals so that no single individual is proficient to control said process by themselves.

The main purpose to apply segregation of duties is to thwart the execution and concealment of fraud and error in the normal course of the activities. By encompassing more than one individual to perform any given task, an organization can minimize the opportunity for misconduct and increases the opportunities in place to identify it, as well as to discover unintentional errors.

When it comes to segregation of duties, there are several defined approaches that vary according to their defined application. Briefly, we’ve summarized a few of the working models below, to provide context.

 The key principles that can be applied to segregation of duties are:   Sequential separation, when an activity is broken into steps performed by different persons (e.g., authorization and implementation of access rights) Individual separation, when at least two persons must approve an activity before it is done (e.g., vendor payment) Spatial separation, when different activities are performed at different locations (e.g., locations to store and process raw material) Factorial separation, when several factors contribute to activity completion (e.g., two-factor access authentication).    

Steps in Segregation of Duties

In any business venture, an individual with multiple functional roles has the opportunity to abuse their authority. In order to remove or reduce this risk, the standard pattern is:

  1. Begin with a function that is indispensable, but holds the potential for abuse.
  2. Divide the function into multiple steps, each one necessary for the function to work, or for the power that function holds to be abused.
  3. Assign a different individual or organization for each step in the function.

Segregation of Duties in Information Technology

The Sarbanes-Oxley Act of 2002 is a federal law that established auditing and financial regulations for public companies. Federal lawmakers created the legislation to help protect shareholders, employees and the general public from accounting errors and fraudulent financial practices. Segregation of Duties is relatively new to most Information Technology (IT) departments, however, a high percentage of Sarbanes-Oxley internal audit issues come from IT.

Segregation of duties is frequently used in large IT organizations so that no single individual is in a position to introduce fraudulent or malicious code or data without detection. Role-based access control is commonly used in IT systems where segregation of duties is required. As an example, in the software development life cycle, careful control of software and data changes require that the same person or organizations performs only one of the following roles:

  • Identification of a requirement; e.g. a sales manager or business person
  • Authorization and approval; e.g. an IT manager or CISO
  • Design and development; e.g. web developer
  • Review, inspection and approval; e.g. a third-party web developer or web architect.
  • Implementation in production; a system administrator

While the above is by no means meant to be an exhaustive list, it is a good example of segregation of duties with respect to information systems.

Summary

No matter the size of the organization, segregation of duties is increasing in global importance. Across all industries, it is imperative that there be strict separation between the development, operation and testing of security and all in-place controls. Responsibilities must be assigned to individuals in such a way as to establish checks and balances within the system and minimize the opportunity of fraud and unauthorized access to organizational data.

Packetlabs has helped guide organizations in the right direction with respect to segregation of duties and has also performed security maturity assessments to assure that procedures are being followed.  In addition to this, at Packetlabs, we have a team of cybersecurity professionals that specialize in delivering the very best of penetration testing and web application testing.  If you would like more information about our services we can offer you, please contact us.