
Sustaining internal controls and managing business risk with Separation of Duties (SoD)

Separation of duties (SoD) plays a vital role in internal controls. It works by distributing the responsibilities, and the access rights that go with them, for a given security-relevant process across several individuals, so that no one person can carry out the whole process alone.

In financial accounting systems, the concept of SoD is already well-known. Companies of all sizes realize that functions like receiving checks (paying on account) and allowing write-offs, depositing cash and reconciling bank statements, reviewing time cards and having custody of paychecks, and so on should not be combined.

When it comes to security, SoD has two basic goals.

  1. Avoidance of real or perceived conflicts of interest, wrongdoing, fraud, abuse, and errors.
  2. Detection of control failures such as data theft, security breaches, and security control circumvention.

Correct SoD is required to reduce the number of people who hold conflicting responsibilities.

Importance of SoD

Weak or missing SoD remains a major concern. To reduce the risk of unauthorized activity on, or access to, operational systems and data, there must be a separation between operations, security development and testing, and the controls that govern them. Individual responsibilities must be assigned so that the controls the software provides are actually enforced, and the risk of unauthorized access and fraud is reduced.

An easy test for SoD

First, determine whether a single person has the ability to alter or destroy your financial data without being detected. Second, determine whether a single person has the ability to steal or exfiltrate important information. Third, find out whether any one person is responsible for the design, execution, and reporting of the policy’s effectiveness.

All of these questions should be answered with a resounding “no.” If you answered yes to any of them, you’ll need to rethink your organizational chart to align with proper SoD.

Here are a few approaches for obtaining optimal SoD:

  • Have the person in charge of information security report to the chairman of the audit committee.
  • Use a third party to monitor security and perform unannounced security audits and testing, reporting to the audit committee chairman or the executive team.
  • Have the person in charge of information security (the CISO) report to the board of directors.

Simple Example

Accounts receivable refers to the money customers owe you. One person records the payments customers make, while a different person issues credit memos to those customers. This lowers the chance that an employee diverts an incoming customer payment and hides the theft by posting a matching credit to the customer’s account.
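As an added example (not part of the original post), the following Python checker encodes the conflicting-function pairs the post lists and flags any user whose combined roles let them perform both sides of a pair; it also offers a preventive check before a new role is granted. The roles, users and duty names are constructed sample data, not a real organization's.

```python
from collections import defaultdict

# Conflicting duty pairs taken from the post: functions that should
# never be combined in one person.
TOXIC_PAIRS = {
    frozenset({"receive_checks", "allow_write_offs"}),
    frozenset({"deposit_cash", "reconcile_bank_statements"}),
    frozenset({"review_time_cards", "custody_of_paychecks"}),
    frozenset({"record_customer_payments", "issue_credit_memos"}),
}

# Constructed sample data: roles grant duties, users hold roles.
ROLE_DUTIES = {
    "ar_clerk": {"record_customer_payments"},
    "ar_supervisor": {"issue_credit_memos", "allow_write_offs"},
    "cashier": {"receive_checks", "deposit_cash"},
    "accountant": {"reconcile_bank_statements"},
}
USER_ROLES = {
    "alice": {"ar_clerk"},
    "bob": {"ar_clerk", "ar_supervisor"},    # records payments AND issues credits
    "carol": {"cashier", "accountant"},      # deposits cash AND reconciles
    "dave": {"cashier"},
}

def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Flatten a user's roles into the set of duties they can actually perform."""
    duties = set()
    for role in user_roles.get(user, ()):
        duties |= role_duties.get(role, set())
    return duties

def sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES, toxic_pairs=TOXIC_PAIRS):
    """Detective control: {user: [conflicting pair, ...]} for every user holding both sides of a pair."""
    found = defaultdict(list)
    for user in user_roles:
        duties = effective_duties(user, user_roles, role_duties)
        found[user].extend(tuple(sorted(p)) for p in toxic_pairs if p <= duties)
    return {u: sorted(v) for u, v in found.items() if v}

def grant_creates_violation(user, new_role, user_roles=USER_ROLES,
                            role_duties=ROLE_DUTIES, toxic_pairs=TOXIC_PAIRS):
    """Preventive control: pairs that adding new_role to user would complete (empty list if safe)."""
    duties = effective_duties(user, user_roles, role_duties) | role_duties.get(new_role, set())
    return sorted(tuple(sorted(p)) for p in toxic_pairs if p <= duties)

if __name__ == "__main__":
    for user, pairs in sod_violations().items():
        for a, b in pairs:
            print(f"SoD violation: {user} can both {a} and {b}")
```

In a real identity system the role and user maps would be pulled from the IAM or ERP platform, and the preventive check would run inside the access-request workflow before approval.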
