[Source](https://reciprocity.com/resources/what-is-segregation-of-duties-in-auditing/) Published July 2, 2020 Retrieved July 13, 2022

- Segregation of duties is a fundamental element of internal controls.
- Principle: no one person or group of employees should be in a position to both commit and conceal errors or fraud in their day-to-day jobs.
- General concept: prevent one person from having access to assets as well as responsibility for maintaining the accountability of those assets.

In a perfect system, no one person should handle more than one of the following functions:

1. Authorization (giving approval for a transaction)
2. Custody (care and maintenance of assets)
3. Record keeping (administration)
4. Reconciliation (making accounts consistent)

(COBIT 5 uses Verification instead of Reconciliation, see [this note](Implementing%20Segregation%20of%20Duties%20ISACA.md).)

Different levels of SOD:

- Individual: different people perform different duties, e.g. a manager authorizes an employee to make a payment.
- Unit-level: different departments perform different duties, e.g. sales creates a project proposal, risk management approves it.
- Company-level: different entities perform operations, e.g. a holding company authorizes an investment of a subsidiary, or an accountancy firm performs a third-party audit.

Examples of internal control mechanisms for enforcing segregation of duties:

- Audit trails, to recreate the transaction flow from origin to registration in an audit file. The audit trail should provide information on:
  - who initiated the transaction
  - date and time of entry
  - type of entry
  - fields of information it contained
  - what files the transaction updated.
- Exception reports should be handled by supervisors.
- Exceptions should be documented to prove proper and timely handling; the document should be signed by the author.
- A log should be kept or generated for all processed system commands or application transactions.
- Independent reviews of reports and logs should be conducted.
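The following is an added illustration, not code from the source article, of how the individual-level rule and the audit-trail mechanism above can be enforced in software: a small ledger that refuses to let one actor hold a second of the four functions on the same transaction, records every accepted step with the five audit-trail fields listed above, and writes refused attempts to an exception report that a different person must sign off. The class and function names (`SoDLedger`, `Duty`, `perform`, `handle_exception`), the transaction ids and the actor names are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Duty(Enum):
    """The four functions that no single person should combine."""
    AUTHORIZATION = "authorization"
    CUSTODY = "custody"
    RECORD_KEEPING = "record_keeping"
    RECONCILIATION = "reconciliation"


class SoDViolation(Exception):
    """Raised when an actor would hold a second duty on the same transaction."""


@dataclass(frozen=True)
class AuditEntry:
    """One audit-trail record, carrying the five fields the notes call for."""
    who: str                         # who initiated the entry
    when: str                        # date and time of entry (ISO 8601, UTC)
    entry_type: str                  # type of entry, e.g. "authorization"
    fields: Dict[str, str]           # fields of information the entry contained
    files_updated: Tuple[str, ...]   # which files/tables the entry updated


@dataclass
class ExceptionRecord:
    """A refused attempt, kept for the supervisor's exception report."""
    txn_id: str
    actor: str
    attempted: str
    already_held: str
    raised_at: str
    handled_by: Optional[str] = None   # supervisor who signed the exception off
    handled_at: Optional[str] = None


def fixed_clock() -> datetime:
    """Constructed, deterministic clock so the example is reproducible."""
    return datetime(2020, 7, 2, 12, 0, 0, tzinfo=timezone.utc)


class SoDLedger:
    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._duties: Dict[str, Dict[Duty, str]] = {}    # txn_id -> duty -> actor
        self._trail: Dict[str, List[AuditEntry]] = {}    # txn_id -> audit entries
        self.exceptions: List[ExceptionRecord] = []      # exception report for supervisors

    def _now(self) -> str:
        return self._clock().isoformat()

    def perform(self, txn_id: str, duty: Duty, actor: str,
                fields: Dict[str, str], files_updated: List[str]) -> AuditEntry:
        """Record `actor` performing `duty` on `txn_id`, or refuse and log an exception."""
        held = self._duties.setdefault(txn_id, {})
        for other_duty, other_actor in held.items():
            if other_actor == actor:
                # Individual-level SoD breach: same person, second function.
                self.exceptions.append(ExceptionRecord(
                    txn_id, actor, duty.value, other_duty.value, self._now()))
                raise SoDViolation(
                    f"{actor} already performed {other_duty.value} on {txn_id}")
        held[duty] = actor
        entry = AuditEntry(actor, self._now(), duty.value,
                           dict(fields), tuple(files_updated))
        self._trail.setdefault(txn_id, []).append(entry)
        return entry

    def trail(self, txn_id: str) -> List[AuditEntry]:
        """Return the ordered audit trail, from origin to registration."""
        return list(self._trail.get(txn_id, []))

    def is_complete(self, txn_id: str) -> bool:
        """True once all four functions have been performed by separate people."""
        return set(self._duties.get(txn_id, {})) == set(Duty)

    def handle_exception(self, index: int, supervisor: str) -> ExceptionRecord:
        """Document handling of an exception; the causing actor may not sign it."""
        rec = self.exceptions[index]
        if supervisor == rec.actor:
            raise SoDViolation("the actor who caused an exception may not sign it off")
        rec.handled_by = supervisor
        rec.handled_at = self._now()
        return rec


if __name__ == "__main__":
    ledger = SoDLedger(clock=fixed_clock)
    ledger.perform("PO-1", Duty.AUTHORIZATION, "alice", {"amount": "100"}, ["purchase_orders"])
    ledger.perform("PO-1", Duty.CUSTODY, "bob", {"amount": "100"}, ["payments"])
    try:
        ledger.perform("PO-1", Duty.RECORD_KEEPING, "alice", {"amount": "100"}, ["ledger"])
    except SoDViolation as exc:
        print("refused:", exc)
    ledger.handle_exception(0, supervisor="supervisor")
    for entry in ledger.trail("PO-1"):
        print(entry)
```

The same structure extends to the unit and company levels by treating the actor as a department or legal entity instead of a person; the check stays the same because it only compares who already holds a function on the transaction.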