Separation of Duties - Application in Information Systems

Application in Information Systems

The accounting profession has invested significantly in separation of duties because of the understood risks accumulated over hundreds of years of accounting practice.

By contrast, many corporations in the United States found that an unexpectedly high proportion of their Sarbanes-Oxley internal control issues came from IT. Separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code or data without detection. Role-based access control is frequently used in IT systems where SoD is required. Strict control of software and data changes requires that the same person or organization performs only one of the following roles:

  • Identification of a requirement (or change request); e.g. a business person
  • Authorization and approval; e.g. an IT governance board or manager
  • Design and development; e.g. a developer
  • Review, inspection and approval; e.g. another developer or architect
  • Implementation in production; typically a software change or system administrator

This is not an exhaustive presentation of the software development life cycle, but a list of critical development functions applicable to separation of duties.

To successfully implement separation of duties in information systems, a number of concerns need to be addressed:

  • The process used to ensure that a person's authorization rights in the system are in line with his or her role in the organization.
  • The authentication method used, such as knowledge of a password, possession of an object (key, token) or a biometric characteristic.
  • Circumvention of rights in the system can occur through database administration access, user administration access, tools which provide back-door access, or supplier-installed user accounts. Specific controls, such as a review of an activity log, may be required to address this concern.
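As an added illustration (not part of the original article), the following Python treats the five change-control functions listed above as roles and checks both static separation (no account holds more than one of them) and dynamic separation (no person performs two steps of the same change), then performs the activity-log review the last bullet calls for by flagging production changes with no authorized change request behind them. All role names, user names and change records are constructed for the example.

```python
from collections import defaultdict

# The five critical change-control functions from the list above.
ROLES = ("request", "authorize", "develop", "review", "deploy")


def static_sod_violations(assignments):
    """Static SoD: the page's rule is that one person performs only one of
    the roles, so any account holding two or more of them is a violation.
    assignments: {user: set_of_roles}. Returns the offending users, sorted."""
    return sorted(u for u, roles in assignments.items()
                  if len(set(roles) & set(ROLES)) > 1)


def dynamic_sod_violations(change_log):
    """Dynamic SoD: within a single change, each step must be carried out by
    a different person, whatever roles they happen to hold.
    change_log: list of (change_id, role, user).
    Returns (change_id, user, roles) for anyone who did >1 step on one change."""
    seen = defaultdict(lambda: defaultdict(set))   # change -> user -> roles
    for change_id, role, user in change_log:
        seen[change_id][user].add(role)
    return sorted((cid, u, tuple(sorted(r)))
                  for cid, users in seen.items()
                  for u, r in users.items() if len(r) > 1)


def unapproved_prod_changes(activity_log, change_log):
    """Detective control for the circumvention concern: a production write
    made through DBA, user-admin or back-door access has no authorized
    change request, so it stands out when the activity log is reviewed.
    activity_log: list of {"actor", "action", "change_id"} dicts."""
    approved = {cid for cid, role, _ in change_log if role == "authorize"}
    return [e for e in activity_log if e["change_id"] not in approved]


if __name__ == "__main__":
    # Constructed sample data (hypothetical users and change ids).
    assignments = {"alice": {"develop", "review"}, "bob": {"deploy"},
                   "carol": {"authorize"}}
    change_log = [("CR-1", "request", "dave"), ("CR-1", "authorize", "carol"),
                  ("CR-1", "develop", "bob"), ("CR-1", "review", "bob"),
                  ("CR-1", "deploy", "bob")]
    activity_log = [{"actor": "bob", "action": "deploy", "change_id": "CR-1"},
                    {"actor": "dba1", "action": "UPDATE ledger", "change_id": None}]
    print("static:", static_sod_violations(assignments))
    print("dynamic:", dynamic_sod_violations(change_log))
    print("unapproved:", unapproved_prod_changes(activity_log, change_log))
```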
