2 KiB
2 KiB
Source Published July 2, 2020 Retrieved July 13, 2022
- Segregation of duties is a fundamental element of internal controls.
- Principle: no one person or group of employees should be in a position to commit and conceal errors or fraud in their day-to-day jobs.
- General concept: prevent one person from having access to assets as well as responsibility for maintaining the accountability of those assets.
In a perfect system, no one person should handle more than one type of the following functions:
- Authorization (giving approval for a transaction)
- Custody (care and maintenance of assets)
- Record keeping (administration)
- Reconciliation (making accounts consistent)
(COBIT 5 uses Verification instead of Reconciliation, see this note).
Different levels of SOD:
- Individual: different people perform different duties, e.g. a manager authorizes an employee to make a payment.
- Unit-level: different departments perform different duties, e.g. sales creates a project proposal, risk management approves it.
- Company-level: different entities perform operations, e.g. a holding company authorizes an investment of a subsidiary, or an accountancy firm performs a third-party audit.
Examples of internal control mechanisms for enforcing segregation of duties:
- Audit trails, to recreate the transaction flow from origin to registration in an audit file. The audit trail should provide information on:
- who initiated the transaction
- date and timeof entry
- type of entry
- fields of information it contained
- what files the transaction updated.
- exception reports should be handled by supervisors
- exceptions should be documented to prove proper and timely handling, the document should be signed by the author
- Log should be kept or generated for all processed system commands or application transactions.
- Independent reviews of reports and logs should be conducted.