Segregation of duties (SoD), also called separation of duties, is a fundamental aspect of sustainable internal controls and risk management. SoD is designed to prevent fraud and errors by ensuring that at least two individuals are responsible for separate parts of a task. By dispersing the critical functions of any process into multiple segments, it ensures that no single person is completely in control of the process. This limits the amount of control any one person has over a task and prevents a single person from conducting unauthorized or illegal acts, such as perpetrating fraud or embezzling organization funds.

Consider what would happen if a single person were responsible for a weapons system: error, emotion, blackmail, or fraud could lead to a disastrous outcome. While this is an extreme example, it shows the importance of segregation of duties: preventing one-sided actions in crucial areas.

SoD and Compliance Risk  

Segregation of duties is an important element of compliance with regulations such as the Sarbanes-Oxley Act of 2002 (SOX). SOX requires segregation of duties compliance across a variety of standards and regulations, and makes it illegal to defraud shareholders of publicly traded companies by filing misleading financial reports. It is therefore vital to maintain strong internal control over technology-enabled processes and to document the existence and enforcement of segregation of duties in information technology. If companies do not meet compliance requirements, executives can face fines of up to one million dollars and ten years in prison for knowingly certifying reports that do not comply with SOX; if reports are willfully certified, even harsher penalties can apply.

SoD and Risk Management

Segregation of duties policies can also help manage risk in information technology by preventing control failures in access control. Segregating workflow duties ensures that the same person is not responsible for multiple stages of the access control process. In particular, a single person should not both create access control policies and approve them, as this could lead to people receiving too much access, or to a malicious actor receiving access at all. For example, Admin A may write a policy, but it must be approved by Admin B; if the policy later needs to be updated, Admin C makes the changes. Not only does this limit abuse of power, but SoD can also help avoid accidental human errors, improving efficiency among teams across the enterprise.
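As an added illustration (not code from the original article), the following Python replays an audit trail of policy actions and flags any identity that performs conflicting actions on the same policy, such as approving a policy it wrote, or editing a policy it approved. The action names, conflict pairs and sample trail are constructed assumptions modelled on the Admin A / B / C example above.

```python
from dataclasses import dataclass
# Conflicting action pairs for one identity on the same policy (hypothetical rule
# set modelled on the Admin A / Admin B / Admin C example in the article).
CONFLICTS = {
    frozenset({"write", "approve"}),   # an author must not approve their own policy
    frozenset({"approve", "update"}),  # an approver must not then edit what they approved
}

@dataclass(frozen=True)
class AuditEvent:
    policy_id: str
    actor: str
    action: str  # "write", "approve" or "update"

def find_violations(events):
    """Replay events in order; return (index, event, prior_action) for each SoD breach,
    i.e. one identity performing two conflicting actions on the same policy."""
    seen = {}  # (policy_id, actor) -> actions that identity already took on the policy
    violations = []
    for i, ev in enumerate(events):
        done = seen.setdefault((ev.policy_id, ev.actor), set())
        clash = next((p for p in sorted(done) if frozenset({p, ev.action}) in CONFLICTS), None)
        if clash is not None:
            violations.append((i, ev, clash))
        done.add(ev.action)
    return violations

def is_effective(events, policy_id):
    """True only if the policy's latest write/update was approved by a different identity."""
    last_change = last_approval = None
    for ev in (e for e in events if e.policy_id == policy_id):
        if ev.action in ("write", "update"):
            last_change, last_approval = ev, None  # every edit needs a fresh approval
        elif ev.action == "approve" and last_change is not None and ev.actor != last_change.actor:
            last_approval = ev
    return last_approval is not None

# Constructed sample trail: pol-1 follows the A/B/C pattern until admin_b edits what
# admin_b approved; pol-2 is written and self-approved by a single admin.
SAMPLE_TRAIL = [
    AuditEvent("pol-1", "admin_a", "write"),
    AuditEvent("pol-1", "admin_b", "approve"),
    AuditEvent("pol-1", "admin_c", "update"),
    AuditEvent("pol-1", "admin_b", "approve"),
    AuditEvent("pol-2", "admin_a", "write"),
    AuditEvent("pol-2", "admin_a", "approve"),
    AuditEvent("pol-1", "admin_b", "update"),
]

if __name__ == "__main__":
    for i, ev, clash in find_violations(SAMPLE_TRAIL):
        print(f"event {i}: {ev.actor} '{ev.action}' on {ev.policy_id} conflicts with '{clash}'")
```

Running it reports the self-approval of pol-2 and admin_b's edit of pol-1, and `is_effective(SAMPLE_TRAIL, "pol-1")` is false until someone other than admin_b re-approves the edited policy.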

For more information on implementing SoD, please watch our Automating IT, Business Processes, and Security Controls to Improve Compliance and Reduce Risk webinar.