richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Cleaned up Literature folder

Browse source
This commit is contained in:
Richard Kranendonk 2026-05-18 12:48:01 +02:00
parent 73a6380034
commit fe5eda4e05
586 changed files with 53911 additions and 2475 deletions
Download patch file Download diff file Expand all files Collapse all files

34
Corpus/ISMS/Segregation of Duties in Auditing.md Normal file
View file

@ -0,0 +1,34 @@
[Source](https://reciprocity.com/resources/what-is-segregation-of-duties-in-auditing/)
Published July 2, 2020
Retrieved July 13, 2022
- Segregation of duties is a fundamental element of internal controls.
- Principle: no one person or group of employees should be in a position to commit and conceal errors or fraud in their day-to-day jobs.
- General concept: prevent one person from having access to assets as well as responsibility for maintaining the accountability of those assets.
In a perfect system, no one person should handle more than one type of the following functions:
1. Authorization (giving approval for a transaction)
2. Custody (care and maintenance of assets)
3. Record keeping (administration)
4. Reconciliation (making accounts consistent)
(COBIT 5 uses Verification instead of Reconciliation, see [this note](Implementing%20Segregation%20of%20Duties%20ISACA.md)).
Different levels of SOD:
- Individual: different people perform different duties, e.g. a manager authorizes an employee to make a payment.
- Unit-level: different departments perform different duties, e.g. sales creates a project proposal, risk management approves it. 
- Company-level: different entities perform operations, e.g. a holding company authorizes an investment of a subsidiary, or an accountancy firm performs a third-party audit.
Examples of internal control mechanisms for enforcing segregation of duties:
- Audit trails, to recreate the transaction flow from origin to registration in an audit file. The audit trail should provide information on:
- who initiated the transaction
- date and timeof entry
- type of entry
- fields of information it contained
- what files the transaction updated.
- exception reports should be handled by supervisors
- exceptions should be documented to prove proper and timely handling, the document should be signed by the author
- Log should be kept or generated for all processed system commands or application transactions.
- Independent reviews of reports and logs should be conducted.