richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
iso27diy-corp/Corpus/ISMS/Segregation of Duties in Auditing.md

34 lines
2 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

[Source](https://reciprocity.com/resources/what-is-segregation-of-duties-in-auditing/)
Published July 2, 2020
Retrieved July 13, 2022
- Segregation of duties is a fundamental element of internal controls.
- Principle: no one person or group of employees should be in a position to commit and conceal errors or fraud in their day-to-day jobs.
- General concept: prevent one person from having access to assets as well as responsibility for maintaining the accountability of those assets.
In a perfect system, no one person should handle more than one type of the following functions:
1. Authorization (giving approval for a transaction)
2. Custody (care and maintenance of assets)
3. Record keeping (administration)
4. Reconciliation (making accounts consistent)
(COBIT 5 uses Verification instead of Reconciliation, see [this note](Implementing%20Segregation%20of%20Duties%20ISACA.md)).
Different levels of SOD:
- Individual: different people perform different duties, e.g. a manager authorizes an employee to make a payment.
- Unit-level: different departments perform different duties, e.g. sales creates a project proposal, risk management approves it. 
- Company-level: different entities perform operations, e.g. a holding company authorizes an investment of a subsidiary, or an accountancy firm performs a third-party audit.
Examples of internal control mechanisms for enforcing segregation of duties:
- Audit trails, to recreate the transaction flow from origin to registration in an audit file. The audit trail should provide information on:
- who initiated the transaction
- date and timeof entry
- type of entry
- fields of information it contained
- what files the transaction updated.
- exception reports should be handled by supervisors
- exceptions should be documented to prove proper and timely handling, the document should be signed by the author
- Log should be kept or generated for all processed system commands or application transactions.
- Independent reviews of reports and logs should be conducted.
Reference in a new issue View git blame Copy permalink