Segregation of Duties (Dictionary Entry)
Segregation of Duties
Alternative Forms
Separation of Duties - Synonym
Separation of Privileges - Obsolete
SoD - Acronym
Definitions
Definition 1
SoD is a fundamental component of internal control. It is a class of control policy prescribing that two or more people are required to perform some operation in such a way as to prevent the perpetration or concealment of fraud or error, whether by commission or omission.
Its goal is to mitigate operational risks of misappropriation, destruction or waste of organizational assets by employees. It accomplishes this by making collusion between agents a necessary condition, thus effectively increasing the difficulty and risk of perpetrating or concealing fraud or error.
SoD may be decomposed into SoD requirements, SoD policies, SoD rules and SoD controls. SoD requirements prescribe the implementation of SoD policies. SoD policies enact the implementation of SoD requirements within an organization. SoD rules operationalize SoD policies by stating which functions or activities must be segregated and how. SoD controls verify compliance with SoD rules and manage deviations. SoD controls may be detective (i.e. after the occurrence of the loss event) with the effect of reducing the likelihood of concealment, or preventive (i.e. before the occurrence of the loss event) with the effect of reducing the likelihood of loss event occurrence.
SoD may be implemented organizationally and/or supported by computer systems.
Note - SoD in Computer Systems
In computer systems, SoD controls have two main variants: static SoD and dynamic SoD.
SoD controls may be implemented within or across applications.
Note - SoD Costs
SoD controls impose constraints on organizational processes, which may incur costs or lead to acceptance issues. As with any control, SoD rests on the assumption that its costs are balanced against its expected benefits.
Note - SoD in Smaller Organizations
In general, implementing SoD is more challenging in smaller organizations (COSO, 2013; Gramling et al., 2010).
Note - SoD and Principal-Agent Theory
SoD may be explained from the perspective of the principal-agent theory. Principals need transparent information and optimal decisions in their interest. Agents have custody of assets and take decisions that affect their value. Asymmetric communication, imperfect alignment of agents’ interests and imperfect incentives increase costs. SoD may reduce these costs and improve communication by distributing duties such as asset custody, valuation, decision making, authorization, transaction recording, supervision, reporting and review across independent agents.
Note - SoD and Third Parties
A natural method to implement SoD is to involve third parties, such as suppliers and clients, for example by requiring that purchase orders or invoices reflecting the terms and prices of transactions be issued by the third party and recorded as evidence.
Note - SoD and RBAC
SoD may be facilitated or enabled by RBAC.
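The notes above distinguish static from dynamic SoD and preventive from detective controls, and mention that RBAC can support them. The following added example (not Open Measure's code) shows all three on a minimal RBAC model: a static rule enforced when roles are granted, a dynamic rule enforced per object when actions are performed, and a detective audit for toxic role combinations; the roles, permissions and purchase-order workflow are constructed for illustration.

```python
# Added illustration (not Open Measure's code); all names below are constructed.
from collections import defaultdict

class SoDViolation(Exception):
    pass

class Rbac:
    def __init__(self):
        self.perms = {}                    # role -> set of permissions
        self.roles = defaultdict(set)      # user -> roles held
        self.history = defaultdict(dict)   # object -> {permission: actor}
        self.static_conflicts = set()      # mutually exclusive role pairs
        self.dynamic_conflicts = set()     # permission pairs one user may not both exercise on an object

    def add_role(self, role, *perms):
        self.perms[role] = set(perms)

    def assign(self, user, role):
        """Static SoD: preventive, enforced when a role is granted."""
        for held in self.roles[user]:
            if frozenset((held, role)) in self.static_conflicts:
                raise SoDViolation(f"{user}: {role} is exclusive with {held}")
        self.roles[user].add(role)

    def perform(self, user, perm, obj):
        """Dynamic SoD: preventive, enforced per object at run time."""
        if not any(perm in self.perms[r] for r in self.roles[user]):
            raise PermissionError(f"{user} lacks {perm}")
        for prior, actor in self.history[obj].items():
            if actor == user and frozenset((prior, perm)) in self.dynamic_conflicts:
                raise SoDViolation(f"{user} already did {prior} on {obj}")
        self.history[obj][perm] = user

    def toxic_users(self):
        """Detective control: users whose roles together grant a conflicting pair."""
        return sorted(u for u, rs in self.roles.items()
                      if any(pair <= set().union(*(self.perms[r] for r in rs))
                             for pair in self.dynamic_conflicts))

def build_demo():
    """Constructed purchase-order workflow: clerks create, managers approve."""
    rbac = Rbac()
    rbac.add_role("clerk", "po.create")
    rbac.add_role("manager", "po.approve")
    rbac.add_role("auditor", "po.review")
    rbac.static_conflicts.add(frozenset(("manager", "auditor")))     # static rule
    rbac.dynamic_conflicts.add(frozenset(("po.create", "po.approve")))  # dynamic rule
    for user, role in [("alice", "clerk"), ("bob", "manager"), ("bob", "clerk")]:
        rbac.assign(user, role)   # bob's combination passes static SoD but is toxic
    return rbac
```

Note that bob's clerk plus manager combination is not caught by the static rule (which only excludes manager and auditor), so the dynamic rule blocks him from approving a purchase order he created, while the audit reports the combination for review.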
Conceptual Diagram
Related Terms
Collusion
Conflict of Interest
Dynamic Separation of Duty
History-Based Separation of Duty
Named Protection Domains (NPDs)
Object-based Separation of Duty
Operational Separation of Duty
Policy Composability
Restricted Role
Role-Based Access Control (RBAC)
Static Separation of Duty
Strong Exclusion
Toxic Rights
Weak Exclusion
Quotes
Segmenting roles and responsibilities should occur at many levels in many different ways in regard to users and devices. You are encouraged to design this segmentation with what works best for you and your environment. However, no individual should have excessive system access that enables him to execute actions across an entire environment without checks and balances.
Many regulations demand segregation of duties. Developers shouldn’t have direct access to the production systems touching corporate financial data, and users who can approve a transaction shouldn’t be given access to the accounts payable application. A sound approach to this problem is to continually refine role-based access controls. For example, the “sales executive” role can approve transactions but never access the accounts payable application; no one can access the developer environment except developers and their direct managers; and only application managers can touch production systems.
(Brotherston and Berlin, 2017, p. 165)
A fundamental element of internal control is the maintenance of adequate segregation of duties (SoD), the allocation of work so that an individual cannot both perpetrate and conceal errors or fraud in the normal course of their duties.
(Kobelsky, 2014, p. 1)
Separation of Duty is a security principle used to formulate multi-person control policies, requiring that two or more different people be responsible for the completion of a task or set of related tasks. The purpose of this principle is to discourage fraud by spreading the responsibility and authority for an action or task over multiple people, thereby raising the risk involved in committing a fraudulent act by requiring the involvement of more than one individual.
(Zurko and Simon, 2011, p. 1182)
Auditor demands and compliance requirements mean that more specific controls must be implemented for discrete functions within regulated applications to ensure that critical functions are properly secured - or that toxic combinations of access that result in separation of duty violations are eliminated.
(Gebel and Wang, 2010, p.120)
Alteration of Cash Receipts Documentation
A lack of segregation of duties can create an opportunity for that employee to misappropriate company funds. For example, if the same person is responsible for both collecting and depositing the cash receipts, then this person has the ability to remove funds from the business for his or her own personal use and conceal such theft through the deposits. This is often the case in smaller organizations in which there are few personnel to divide the daily operations between. A variation of this scheme is to mutilate or destroy the cash receipt documentation in order to thwart any attempt to reconcile the cash deposited with the cash receipts.
(Kovacich, 2008, p. 113)
91. Separation of Duties – Mutually exclusive access or roles. This involves dividing responsibility for sensitive information or risky actions so that no individual acting alone can compromise a system. As a security principle, it has as its primary objective the prevention of fraud and errors. This principle is demonstrated in the occasional requirement for two signatures on a bank cheque, or by preventing a person from authorising their own workflow requests.
As a security principle, separation of duty (SoD) has had wide application in business, industry, and government [3, 4, 7]. Its purpose is to ensure that failures of omission or commission within an organization are caused only by collusion among individuals and, therefore, are riskier and less likely, and that chances of collusion are minimized by assigning individuals of different skills or divergent interests to separate tasks.
(Gligor et al., 1998, p. 172)
Bibliography
See Also
- ALAmri, 2021 (Bibliography)
- Ferraiolo, 1995 (Bibliography)
- Gligor et al., 1998 (Bibliography)
- Kobelsky, 2013 (Bibliography)
- Kobelsky, 2014 (Bibliography)
- Li et al., 2007 (Bibliography)
- Mastering the SoD Process (McWhirter, 2020) (Articles)
- Segregation of Duties (Dictionary Entry) (Dictionary)
- Simon and Zurko, 1997 (Bibliography)
- SoD (Dictionary Entry) (Dictionary)
- Stone, 2009 (Bibliography)
- Zurko and Simon, 2011 (Bibliography)
This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.