ISACA PROFESSIONAL RESOURCES

Transcription

1 ISACA PROFESSIONAL RESOURCES SEGREGATION OF DUTIES WITHIN INFORMATION SYSTEMS This is an excerpt from the CISA Review Manual 2005 Chapter 2 - Management, Planning and Organization of IS CISA Review Manual Pages The entire publication and other exam study material can be purchased through the ISACA bookstore at CISA REVIEW MANUAL SEGREGATION OF DUTIES DISCLAIMER ISACA has produced this publication as an educational resource to assist individuals preparing to take the CISA Certification Exam. It was produced independently from the CISA Certification Board, which has no input into or responsibility for its content. ISACA makes no claim that the Segregation of Duties Control Matrix is an industry standard. The material is solely intended as a general guideline to assist in identifying potential conflicts. Functions, designations, nature of business processes, technology deployed and risks may vary from one organization to another. In determining the proper controls, the IS auditing professional should apply his or her own professional judgment to the specific circumstances presented within an enterprise or information technology environment. CISA Review Manual

2 Chapter 2 SEGREGATION OF DUTIES WITHIN IS Actual job titles and organizational structures may vary greatly from one organization to another, depending on the size and nature of the business. However, it is important for an IS auditor to obtain information to assess the relationship among various job functions, responsibilities and authorities in assessing adequate segregation of duties. The segregation of duties avoids the possibility that a single person could be responsible for diverse and critical functions in such a way that errors or misappropriations could occur and not be detected in a timely manner and in the normal course of business processes. Segregation of duties is an important means by which fraudulent and or malicious acts can be discouraged and prevented. When duties are segregated, access to the computer, the production data library, the production programs, the programming documentation and the operating system and associated utilities can be limited. Potential damage from the actions of any one person is therefore reduced. The IS and end-user departments should be organized to achieve an adequate segregation of duties. See exhibit 2.2, segregation of duties control matrix, for a guideline of the job responsibilities that should not be combined. The segregation of duties control matrix (exhibit 2.2) is not an industry standard, but a guideline indicating which positions should be separated and which require compensating controls when combined. The matrix is illustrative of potential segregation of duties issues and should not be viewed or used as an absolute, rather it should be used to help identify potential conflicts so proper questions may be asked to identify compensating controls. In actual practice, functions and designations may vary in different enterprises. Further, depending on the nature of the business processes and technology deployed, the risks may vary. However, it is important for an IS auditor to understand the functions of each of the designations specified in the manual. The IS auditors need to understand the risk of combining functions indicated in the segregation of duties control matrix. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness when duties cannot be appropriately segregated. The organization structure and roles should be taken into account in determining the appropriate controls for the relevant environment. For example, an organization may not have all the positions described in the matrix or one person may be responsible for many of the roles described. The size of the IS/IT department may also be an important factor that should be considered, i.e., certain combinations of roles in an IS/IT department of a certain size should never be used. However, if for some reason combined roles are required, then mitigating controls should be described. The purpose of segregation of duties is to reduce or eliminate business risks through the identification of compensating controls. The magnitude and probability of risk can be assessed from low to high, depending on the organization. 2 CISA Review Manual 2005

3 Exhibit 2.2 Segregation of Duties Control Matrix Control Group Analyst Application Help Desk and Support Mgr. End User Data Entry Computer Operatoar DB Network Security Tape Librarian Quality Assurance Control Group Analyst Application Help Desk and Support Mgr. End User Data Entry Computer Operator DB Network System Security Tape Librarian X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X Quality Assurance X X X Combination of these functions may create a potential control weakness. SEGREGATION OF DUTIES CONTROLS Several control mechanisms can be used to enforce segregation of duties. The controls are described in the following sections. TRANSACTION AUTHORIZATION Transaction authorization is the responsibility of the user department. Authorization is delegated to the degree that it relates to the particular level of responsibility of the authorized individual in the department. Periodic checks must be performed by management and audit to detect the unauthorized entry of transactions. CISA Review Manual

4 Chapter 2 CUSTODY OF ASSETS Custody of corporate assets must be determined and assigned appropriately. The data owner usually is assigned to a particular user department, and their duties should be specific and in writing. The owner of the data has responsibility for determining authorization levels required to provide adequate security, while the administration group is often responsible for implementing and enforcing the security system. ACCESS TO DATA Controls over access to data are provided by a combination of physical, system and application security in the user area and the information processing facility. The physical environment must be secured to prevent unauthorized personnel from accessing the various tangible devices connected to the central processing unit and, thereby, permitting access to data. System and application securities are additional layers of security that may prevent unauthorized individuals from gaining access to corporate data. Access to data from external connections is a growing concern since the advent of the Internet. Therefore, IS management has added responsibilities to protect information assets from unauthorized access. Access control decisions are based on organizational policy and on two generally accepted standards of practice separation of duties and least privilege. Controls for effective use must not disrupt the usual work flow more than necessary or place too much burden on administrators, auditors or authorized users. Further access must not be unconditional, and access controls must adequately protect all of the organization s resources. To ensure these, it may be necessary to first categorize the resources. Policies establish levels of sensitivity, such as top secret, secret, confidential and unclassified, for data and other resources. These levels should be used for guidance on the proper procedures for handling information resources. They may be used as a basis for access control decisions as well. Individuals are granted access to only those resources at or below a specific level of sensitivity. Labels are used to indicate the sensitivity level of electronically stored documents. Policy-based controls may be characterized as either mandatory or discretionary. Refer to the Mandatory and Discretionary Access Controls section, under the topic of Importance of Information Assets, in chapter 4 for further detail. 4 CISA Review Manual 2005

5 AUTHORIZATION FORMS Managers of user departments must provide IS with formal authorization forms (either hard copy or electronic) that define the access rights of their employees. In other words, managers must define who should have access to what. Authorization forms must be evidenced properly with management-level approval. Generally, all users should be authorized with specific system access via formal request of management. In large companies or in those with remote sites, signature authorization logs should be maintained and formal requests should be compared to the signature log. Access privileges should be reviewed periodically to ensure that they are current and appropriate to the user s job functions. USER AUTHORIZATION TABLES The IS department should use the data from the authorization forms to build and maintain user authorization tables. These will define who is authorized to update, modify, delete and/or view data. These privileges are provided at the system, transaction or field level. In effect, these are user access control lists. These authorization tables must be secured against unauthorized access by additional password protection or data encryption. A control log should record all user activity, and appropriate management should review this log. All exception items should be investigated. COMPENSATING CONTROLS FOR LACK OF SEGREGATION OF DUTIES In a small business where the IS department may only consist of four to five people, compensating control measures must exist to mitigate the risk resulting from a lack of segregation of duties. Compensating controls would include: Audit trails Audit trails are an essential component of all well-designed systems. They help the IS and user departments as well as the IS auditor by providing a map to retrace the flow of a transaction. They enable the user and IS auditor to recreate the actual transaction flow from the point of origination to its existence on an updated file. In the absence of adequate segregation of duties, good audit trails may be an acceptable compensating control. The IS auditor should be able to determine who initiated the transaction, the time of day and date of entry, the type of entry, what fields of information it contained, and what files it updated. Reconciliation Reconciliation is ultimately the responsibility of the user. In some organizations, limited reconciliation of applications may be performed by the data control group with the use of control totals and balancing sheets. This type of independent verification increases the level of confidence that the application ran successfully and that the data are in proper balance. Exception reporting Exception reporting should be handled at the supervisory level and should require evidence, such as initials on a report, noting that the exception has been handled properly. Management should also ensure that exceptions are resolved in a timely manner. Transaction logs A transaction log may be manual or automated. An example of a manual log is a record of transactions (grouped or batched) before they are submitted for processing. An automated transaction log or journal provides a record of all transactions processed, and it is maintained by the computer system. Supervisory reviews Supervisory reviews may be performed through observation and inquiry or remotely. Independent reviews Independent reviews are carried out to compensate for mistakes or intentional failures in following prescribed procedures. These are particularly important when duties in a small organization cannot be appropriately segregated. Such reviews will help detect errors or irregularities. CISA Review Manual