Segregation of Duties


Segregation of duties is an important means by which fraudulent or malicious acts can be discouraged or prevented.

A common example of improper segregation of duties is allowing a single person within operations or the help desk to be responsible for ordering hardware/software, receiving it, and managing asset or inventory control. This structure could allow that person to order and receive IT equipment without adding it to the asset-control system and, therefore, creates the opportunity for theft of equipment. In small organizations in which proper segregation of duties is not possible, the IT department must set up compensating controls. In this instance, the IT department could institute a daily/weekly review of all orders by a manager, to ensure that the equipment ordered is being added to the asset-control system.

The structure of the organization must consider segregation of incompatible duties, keeping in mind that segregation between operations and programming, as an example, might not be possible in smaller environments. The use of compensating controls, such as audit trails, might be acceptable to mitigate the risk that exists because of improper segregation of duties. IT functions such as systems development, computer operations, and security should be segregated.


The primary purpose of audit trails is to establish accountability and responsibility for processed transactions.




CISA Exam Cram 2
ISBN: B001EEFNHG
Year: 2005
Pages: 146
