Segregation of duties can be a tricky concept for many business owners.
For example, if Adam knows how to do systems administration and handles corporate finance too, then why would a company hire a second person to do either job? Wouldn’t that be an unnecessary expense?
It may seem that way, but look forward a few years. Adam has embezzled $200,000 from the company and there’s no way to prove it, because the finance server crashed a month prior—conveniently erasing all records, and prompting Adam to quit the company.
That’s the lesson here: it’s unwise to have one person controlling too many business processes. The duties that make a business run should be segregated among multiple people, so that no single individual amasses so much power that he or she could wreck the business. Segregation of duties is a crucial component of risk management.
“SoD” arises most often when talking about corporate accounting and information security, because the people in those roles can cause tremendous damage to the enterprise even by accident.
Meanwhile, motivations for deliberate misconduct are numerous. An employee might believe that he or she “needs” to commit fraud, to pay off debts or medical expenses. Criminals might blackmail employees into committing misconduct, or pay them handsomely to commit corporate espionage. Resentment over not getting a promotion, the desire to appear powerful to impress romantic partners, political motivations—the list is endless.
Hence senior executives need to give segregation of duties the attention it deserves. It’s crucial to construct roles in the IT security function so that no single person has too much power.
One law that gave force to segregation of duties was the Sarbanes-Oxley Act of 2002. Passed in response to a wave of corporate accounting scandals, SOX made corporate audit committees responsible for the accuracy of published financial statements. As part of implementing that law, the Securities and Exchange Commission said firms must build an effective system of internal controls over financial reporting, and segregation of duties is a key concept for such systems.
Thanks to SOX and similar laws, most financial firms now enforce separation of roles, such as the person developing an application cannot also be the person who tests the application.
How do you implement segregation of duties?
- Perform a risk assessment, where you catalog specific duties and who performs them, even if one person performs multiple roles. To create an SOD framework, you need to know exactly what those duties are, as well as what risks are inherent to each task. Consider which tasks could be easily performed by the same team member and which tasks must be separated to maintain security.
- Use a framework to devise new roles as necessary, where proper segregation of duties is implemented. You may find that the system you previously used doesn’t meet your current security needs. It’s possible that you will need to rearrange existing duties, or hire new team members to fill new roles. Don’t hesitate to reimagine the structure of your organization if necessary; it will be easier to reorganize now than to be unprepared in a crisis later on.
- Where segregation of duties can’t be accomplished because of insufficient manpower, add compensating controls as necessary, such as an additional layer of management review. If these controls need to be tested more regularly, or monitored by multiple managers, build these arrangements into your framework.
- Test all controls to assure they work. Controls are a crucial piece of any information security system. If a control fails, financial and legal repercussions can follow, as well as harm to your corporate reputation, which could prevent you from gaining new clients down the line. By testing your controls thoroughly and frequently you can be sure that they are effective. If a control should fail your test, reexamine your SoD framework and make the appropriate changes as soon as possible.
- Document all roles, responsibilities, and controls. Do not skip this step! All of the important work you’ve done to develop your system can be easily forgotten over time or lost completely when a new employee is brought on. Your best defense is to create detailed documentation of the roles within your organization and the risk ownership of each member of your team.
- Repeat your risk assessment and remediation as necessary—either periodically (say, once a year) or after any significant change in operations (merger, downsizing, new tech vendors, and so forth). Risk management is not a static process, and the framework you create initially may not endure as your organization grows. To make sure your SoD grows with you, reassess your risks and controls on a regular basis and alter them if necessary.
If you’re having trouble determining the best Segregation of Duties for your company, Zen GRC can help. This platform offers you an integrated experience that allows you to track data, risk, and ownership with ease. You’ll also be able to consolidate and automate compliance requirements and monitor third party vendors, all from the same place. Schedule a demo today and learn more about how ZenGRC can help you and your team create a framework that will work for you.