Home » , » Segregation of Functions in IT System

Segregation of Functions in IT System

Written By YCS on Monday, February 16, 2015 | 8:22 AM

In manual system, one of control principles is segregation of functions/duties. This controls is to mitigate the risk of collusion among functions, control override, and fraudulent actions. This segregation of functions generally entail dividing the responsibility for recording (accounting), approving transactions (authorizing), and handling asset (custody), as well as access control to data.
If the segregation of duties/ functions is not practical and not cost effective, than management must develop alternative control activities (compensating controls). The same principle is also applied in IT System, but with different implementation due to different process. (see below: Compensating Controls for Lack if Segregation of Duties).

Segregation of Functions in IT System

The IT environment tends to consolidate activities. A single application may authorize, process, and record all aspects of a transaction. Thus, the focus of segregation control shifts from the operational level (transaction processing tasks that computers now perform) to higher-level organizational relationships within the computer services function. Segregation of functions in applications is less visible and to be consolidated, meanwhile segregation of functions in IT unit is manageable.
If management fails to develop a segregation of functions, then company will face the risk of:
  • Hardware/ applications is not compatible with business requirements.
  • The failure of hardware / applications, which then will cause the business operations to stop.
  • The deterioration of the integrity of programs and database. Programs and database can be manipulated for fraudulent practices, either by personal or by organizations.
  • Deteriorating organization’s reputations and loss of clients.
  • Misappropriation of assets
  • Misstated financial statements.
  • Inaccurate financial documentation (i.e. errors of irregularities)
  • Improper use of funds or modification of data could go undetected.
  • Unauthorized or erroneous changes or modification of data and programs may not be detected.
The cost of the improper general controls will be huge. So, it is important for management to establish a appropriate segregation of funtions in IT System.
Segregation of Functions Related Risk
Systems Development / Programmer, from:
Computer Operations/ User (and software admin)
With detailed knowledge of the application’s logic and control parameters and access to the computer’s operating system and utilities, an individual could make unauthorized changes to the application during its execution. Such changes may be temporary (“on the fly”) and will disappear without a trace when the application terminates.
Database Administration, from:
Other Functions (example: operations, system develop-ment, and maintenance)
DBA function is responsible for a number of critical tasks pertaining to database security, including creating the database schema and user views, assigning database access authority to users, monitoring database usage, and planning for future expansion. Delegating these responsibilities to others who perform incompatible tasks threatens database integrity.
Progammer from:
Testing Unit
Manipulation of testing results.
Inappropiarte testing documentations.
New Systems Development/ Programmer, from:
Maintenance (for in-house system development)
The programming group codes the programs. Under this approach, the programmer who codes the original programs also maintains the system during the maintenance phase of the systems development life cycle. Although a common arrangement, this approach is associated with two types of control problems: inadequate documentation and the potential for program fraud.
Segregation in Networks:
Segregate: groups of information services, users, and information systems.
• Unauthorized / inappropriate access to data/ system,
• System failure, malware.
• Data manipulation/ stolen.
Authorization of transactions, from
Data processing
• Manipulation of data before entry.
• Data/ material transactions processed by the information system are not valid and not in accordance with management’s objectives.

Access Controls:
1. Users’ direct access capability should be restricted by the operating system and database.
2. Users’ access rights should be approved and documented by management.
3. User master records should be assigned for each user to prevent sharing of IDs and passwords.
4. Passwords should be kept confidential and should be difficult to divulge.
5. Passwords should be changed regularly.
6. Management should regularly review and follow up on any access violations.
7. Access to the SAP system during nonworking hours should be minimized and adequately controlled.

Example of Segregation of Functions in IT Unit

Here is the example of segregation of functions in IT Unit. Keep in mind that the organization structure of IT Unit should be based on the complexity and the identified risks of organization, as well as related rules/ laws.
Segregation of Function IT Unit
Segregation of Function IT Unit

Compensating Controls for Lack of Segregation of Duties

In a small business where the IS department may only consist of four to five people, compensating control measures must exist to mitigate the risk resulting from a lack of segregation of duties. Before relying on system generated reports or functions as compensating controls, the IS auditor should carefully evaluate the reports. applications and related processes for appropriate controls, including testing and access controls to make changes to the reports or functions. Compensating controls include:
a. Audit trails.
Audit trails help the IS, user department, and IS auditor, by providing a map to retrace the flow of a transaction. Audit trails able to determine who initiated the transaction, time of day and date of entry, type of entry, what fields of information it contained, and what files it updated.
b. Reconciliation.
In some organizations limited reconciliation of applications may be performed by the data control group with the use of control totals and balance sheets. This type of independent verification increases the level of confidence that the application processed successfully and the data in  proper balance.
c. Exception reporting.
Exception reporting should be •handled• at the supervisory level and should require evidence, such as initials on a report, noting that the exception has been hand led properly.
d. Transaction logs.
A transaction log may be manual or automated. An example of a manual log is a record of transactions (grouped or batched) before they are submitted for processing. An automated transaction log or journal provides a record of all transactions processed and is maintained by the  computer system.
Example of transaction logs:
Segregation of Function Transaction Log
Segregation of Function Transaction Log

e. Supervisory reviews.
Supervisory reviews may be performed through observation and inquiry or remotely.
f. Independent reviews.
Independent reviews are carried out to compensate for mistakes or intentional failures. Such reviews will help detect errors or irregularities.
Share this article :


  1. Very extensive and complete research, thanks!

  2. This comment has been removed by a blog administrator.

  3. Hello I am so delighted I located your blog, I really located you by mistake, while I was watching on google for something else, Anyways I am here now and could just like to say thank for a tremendous post and a all round entertaining website. Please do keep up the great work. IT application development


Total Pageviews

  • Posts
  • Comments
  • Pageviews

Support : IIA Website | CPA Room | Your Link
Copyright © 2015. Internal Auditor's Corner - All Rights Reserved
Template Created by Creating Website Modified by CaraGampang.Com
Proudly powered by Blogger