4 Tips for Separation of Duties Excellence
Separation of Duties is an essential component of both risk management and business-related internal controls. Its fundamental principle is shared responsibility: every critical process is split so that its key functions are carried out by more than one department or person. Without these key process separations, negative business outcomes such as fraud and undetected errors become very likely. The purpose of implementing Separation of Duties controls is to eliminate, or at least minimize, the chance that any of these outcomes affects your business in the first place. Here are some of the most useful Separation of Duties implementation tips:
1 There CAN’T be only one!
Your business’ essential functions simply can’t be carried out by only one person. For instance, the IT engineer who develops the queries for your enterprise reports can’t also be the person who approves those queries. Establishing a simple Separation of Duties control in this case helps ensure that a second person looks at the work, not just its author.
2 Separation of Duties vs. Risk Management
Every business has its own tolerance level when it comes to risk. The catch is to settle on a healthy and acceptable ratio between how likely a risk is to occur and the economic value of the losses it would cause. How much is acceptable to your business? In other words, a company will accept risk up to a certain level without even bothering to build a set of controls to reduce these harmful probabilities. The Separation of Duties concept, by contrast, insists on eliminating all potential risks across multiple business scenarios.
3 Separation of Duties & Access Control Management
So-called “root level access”, meaning the management of operating system (OS) administrative rights, is a serious challenge for any IT environment. The goal is to prevent unauthorized access to your most essential and sensitive systems and databases. Here’s how Separation of Duties can help you achieve this objective:
- Keep your group of administrators under tight control, with a strictly limited number of members, and keep secure log files of all of their activities,
- Use a pseudo-root, logged process instead of direct root access as much as possible, and finally
- Back these activities with a proper policy that prohibits your administrators from reviewing files that hold business content.
4 Using the “Responsibilities & Roles” functions
Maintaining and updating a Separation of Duties diary or workbook for all of your critical business processes is always a good idea. Your central control function benefits from such a workbook in two ways: it creates a stable and efficient control mechanism, and it gives you a reliable tool for managing available resources. However, if you fail to structure roles and responsibilities according to the Separation of Duties requirements, you can’t expect a satisfactory minimization of all risks nor the full impact of the desired level of organizational control.
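The checks behind tips 1, 3 and 4 can be run mechanically once the roles and responsibilities workbook exists. The following script is an added example, not code from the article: it takes a constructed workbook (who holds which duty), a constructed list of duty pairs that no single person may hold (developing versus approving report queries from tip 1; root-level administration versus reviewing business content from tip 3), and an assumed cap on the size of the administrator group, and reports every violation. All names, duty labels and the cap are assumptions for illustration.

```python
"""Separation of Duties (SoD) checks over a roles & responsibilities workbook.

Added example, not from the original article. The workbook, the duty
names, the conflict pairs and the admin-group cap are all constructed.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed workbook: each person and the duties they currently hold.
WORKBOOK: Dict[str, Set[str]] = {
    "alice": {"develop_report_query", "approve_report_query"},  # holds both sides of a pair
    "bob":   {"develop_report_query"},
    "carol": {"approve_report_query", "os_root_admin"},
    "dave":  {"os_root_admin"},
    "erin":  {"os_root_admin"},
    "frank": {"os_root_admin", "review_business_content"},      # admin who also reads business data
}

# Duty pairs that must never sit with one person (tips 1 and 3 of the article).
CONFLICTING_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"develop_report_query", "approve_report_query"}),
    frozenset({"os_root_admin", "review_business_content"}),
}

# Assumed cap on the size of the root-level administrator group (tip 3).
ADMIN_DUTY = "os_root_admin"
MAX_ADMINS = 2


def find_conflicts(workbook: Dict[str, Set[str]],
                   pairs: Set[FrozenSet[str]]) -> List[Tuple[str, str, str]]:
    """Return (person, duty_a, duty_b) for every conflicting pair one person holds."""
    findings = []
    for person, duties in workbook.items():
        for pair in pairs:
            if pair <= duties:          # both duties of the pair sit with this person
                duty_a, duty_b = sorted(pair)
                findings.append((person, duty_a, duty_b))
    return sorted(findings)


def oversized_admin_group(workbook: Dict[str, Set[str]],
                          admin_duty: str, cap: int) -> List[str]:
    """Return the admin group members if the group exceeds `cap`, otherwise []."""
    members = sorted(p for p, duties in workbook.items() if admin_duty in duties)
    return members if len(members) > cap else []


def uncovered_duties(workbook: Dict[str, Set[str]],
                     pairs: Set[FrozenSet[str]]) -> List[str]:
    """Duties named in a conflict pair that nobody holds: the separated step has no owner."""
    held = set().union(*workbook.values())
    needed = set().union(*pairs)
    return sorted(needed - held)


def audit(workbook=WORKBOOK, pairs=CONFLICTING_PAIRS,
          admin_duty=ADMIN_DUTY, cap=MAX_ADMINS) -> dict:
    """Run all three checks and return the findings as one report."""
    return {
        "conflicts": find_conflicts(workbook, pairs),
        "oversized_admin_group": oversized_admin_group(workbook, admin_duty, cap),
        "uncovered_duties": uncovered_duties(workbook, pairs),
    }


if __name__ == "__main__":
    report = audit()
    for person, duty_a, duty_b in report["conflicts"]:
        print(f"CONFLICT   {person}: holds both '{duty_a}' and '{duty_b}'")
    if report["oversized_admin_group"]:
        print(f"ADMIN CAP  {len(report['oversized_admin_group'])} members > {MAX_ADMINS}: "
              + ", ".join(report["oversized_admin_group"]))
    for duty in report["uncovered_duties"]:
        print(f"UNCOVERED  no one holds '{duty}'")
```

Run against the constructed workbook, the script flags alice (develops and approves the same queries), frank (root-level administrator who also reviews business content) and an administrator group of four against a cap of two. The third check catches the opposite failure, a duty that was separated out but assigned to nobody, which would stall the process rather than protect it.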