Two fundamental elements of internal control are restricted access and segregation of certain key duties. Segregation of duties (SOD) and system access controls are used to prevent fraud and safeguard information assets, intellectual property, personally identifiable information (PII) and protected health information (PHI).
The underlying idea behind SOD is that no employee or group of employees should be in a position to both perpetrate and conceal errors or fraud in the normal course of their duties. The principal duties typically outlined as incompatible and which should be segregated are:
- Custody of assets
- Authorization or approval of related transactions affecting those assets
- Recording or reporting of related transactions
In Information Technology (IT), privilege controls are usually restricted according to user role. With today’s evolving technologies, SOD for information technology processes are critical to maintain safe and reliable data and protect against fraud. A consistent framework should also encompass management duties (e.g., granting or revoking the proper rights to the appointed people, reporting and managing any exception to the procedures) and governance duties (evaluating, directing and monitoring SOD rules and practices in accordance with corporate governance).
This alternate model encompasses some management duties within the authorization of access granted and segregates them from the other duties.
Learning Objectives
- Explore the basic tenets of segregation of duties (SOD) as it relates to information technology (IT) processes.
- Identify user categories for segregation of duties (SOD) related to information technology (IT).
- Explore role based access controls (RBAC).
- Discover methods to “scope” IT SOD through scoping of:
- Assets as boundaries
- Processes as boundaries
- Identify the criticality of mapping activities with duties
- Evaluation of systems and applications
- Detecting conflicts that may arise
- Discover the National Institute of Standards and Technology (NIST) categories of RBAC.
16 Reviews (69 ratings)
Prerequisites
No advanced preparation or prerequisites are required for this course.