Segregation of functions in risk management


The GDPR has given clear rules for the correct handling of information, including through the adoption of specific organisational measures. There are some that are closely related to the technical department that deserve further consideration, and among these is certainly the segregation of duties.

What is segregation of duties

‘Segregation of duties’ (SoD), also rendered as ‘separation of duties’, is an internal control principle applied within an organisation to mitigate the risk of fraud, error or abuse. The fundamental concept is that critical responsibilities and tasks are divided among several individuals or departments, so that no one person or entity has complete control over a process or transaction from start to finish. This division ensures that no individual can perform or complete a transaction without the involvement or supervision of others.

For example, in a business context, segregation of duties could be applied in the process of authorising and paying invoices. In a well-segregated system, the person authorising the purchase should not be the same person who authorises the payment of the invoice, nor the same person who has access to the funds to make the payment. This ensures that multiple individuals must act in collaboration to complete a financial transaction, thus reducing the risk of fraud or errors.

Segregation of duties is a key practice in internal control and risk management policies in organisations, and is often incorporated in regulations and standards such as SOX (Sarbanes-Oxley Act) in the United States or ISO/IEC 27001 for information security management. In particular, ISO/IEC 27001:2022 addresses it in Annex A, control 5.3:

Conflicting duties and conflicting areas of responsibility shall be segregated.

The importance of SoD in cyber risk mitigation

In risk mitigation processes, it is therefore important to identify which processing activities and information require segregation of duties. From a technical point of view, segregating functions also means segregating data, through roles, privileges and suitably restricted access folders. Segregation of functions is not an exceptional measure; it is directly linked to the quality management of information. Organisations implementing ISO 9001, for example, can develop internal procedures and policies to control access to relevant documents and files in order to ensure the confidentiality, integrity and availability of information. In these internal procedures it is useful to define the roles and responsibilities of the persons authorised to access each type of document or file. Technically, segregation can therefore be achieved in several ways and for several purposes: from single files up to virtual network segments (VLANs) reserved for each department, sector or office.

A practical example: the SOX regulation

The Sarbanes-Oxley Act (SOX)[1] is a US federal law enacted in 2002 in response to a series of financial scandals involving large US corporations. SOX is designed to improve financial transparency and corporate responsibility, and includes provisions requiring segregation of duties as part of the internal controls of publicly traded companies in the United States. SOX requires public companies to implement effective internal controls to ensure the reliability and integrity of financial information. These controls must include segregation of duties to reduce the risk of fraud or manipulation of financial information. In the context of SOX, segregation of duties may involve:

  1. Separation of key functions: critical or sensitive functions, such as the authorisation of transactions, the execution of transactions and the recording of transactions, must be assigned to different persons to ensure that no one person has complete control over a financial process from start to finish.
  2. Task rotation: SOX may require companies to implement task rotation policies to ensure that key financial responsibilities are distributed among multiple individuals over time, thus reducing the risk of fraudulent collusion.
  3. Access control and authorisations: SOX may require companies to implement strict controls on access to financial systems and that authorisations for access and financial transactions are restricted to authorised persons only.

In summary, SOX incorporates segregation of duties as a key element of internal controls, with the aim of improving the integrity and reliability of financial information.
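As an added example (not code from the article), a small Python check that flags users whose combined roles grant conflicting permissions, encoding the invoice example above (authorise purchase / approve payment / access to funds) and the SOX authorise/execute/record triad as toxic pairs; every role, permission and user name is constructed for illustration.

```python
# Added example, not from the original article: a segregation-of-duties check
# over a user -> roles -> permissions model. Every name below is constructed.
from itertools import combinations

# Constructed role catalogue: each role grants a set of permissions.
ROLE_PERMISSIONS = {
    "buyer": {"authorise_purchase"},
    "ap_clerk": {"record_transaction"},
    "ap_approver": {"approve_invoice_payment"},
    "treasury": {"disburse_funds"},
    "finance_admin": {"approve_invoice_payment", "disburse_funds"},  # toxic on its own
}

# Toxic pairs: the invoice example's three duties and the SOX authorise/execute/record triad.
CONFLICTS = {
    frozenset({"authorise_purchase", "approve_invoice_payment"}),
    frozenset({"authorise_purchase", "disburse_funds"}),
    frozenset({"approve_invoice_payment", "disburse_funds"}),
    frozenset({"authorise_purchase", "record_transaction"}),
    frozenset({"disburse_funds", "record_transaction"}),
}

# Constructed user-to-role assignments to check.
USER_ROLES = {
    "alice": ["buyer"],
    "bob": ["ap_approver", "treasury"],  # conflict arises only from role aggregation
    "carol": ["finance_admin"],          # conflict inherited from a single role
    "dave": ["buyer", "ap_clerk"],
}

def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role a user holds."""
    return set().union(*(role_permissions.get(r, set()) for r in roles))

def toxic_pairs(perms, conflicts=CONFLICTS):
    """Sorted conflicting permission pairs present in one permission set."""
    return [p for p in combinations(sorted(perms), 2) if frozenset(p) in conflicts]

def sod_violations(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS, conflicts=CONFLICTS):
    """Map each violating user to the toxic pairs in their effective permissions."""
    report = {}
    for user, roles in user_roles.items():
        pairs = toxic_pairs(effective_permissions(roles, role_permissions), conflicts)
        if pairs:
            report[user] = pairs
    return report

def toxic_roles(role_permissions=ROLE_PERMISSIONS, conflicts=CONFLICTS):
    """Roles whose own permission set already violates SoD: fix the catalogue first."""
    return sorted(r for r, p in role_permissions.items() if toxic_pairs(p, conflicts))
```

Running the check periodically against the real identity store, rather than once at design time, is what turns the SoD policy into the iterative monitoring the article calls for.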

Points of attention and potential critical issues

Segregation of duties requires, however, that the organisation be adequately equipped to accommodate this capability. There are, in fact, inherent risks in implementing SoD, including:

  1. Operational complexity: an excessive division of functions may lead to an excessive increase in operational complexity. If tasks are divided too finely, it may become difficult to coordinate and communicate between the departments or individuals involved. This may slow down decision-making processes and cause operational inefficiencies.
  2. Delay in decision-making processes: the need to involve several individuals or departments in a decision-making process may cause delays. If decisions require the consensus or cooperation of several parties, it may be difficult to reach a timely agreement, thus slowing down the progress of projects or initiatives.
  3. Increased costs: segregation of functions may increase operational costs. Dividing responsibilities among several individuals or departments may require additional resources for training personnel, creating and maintaining documented procedures and managing complex workflows.
  4. Undefined responsibility: if responsibilities are divided too finely, it may happen that no one considers themselves accountable for the entire process or its outcome. This may lead to a lack of accountability and an increased risk of errors or inefficiencies.

To mitigate these risks, it is important to balance segregation of functions with operational efficiency and clearly defined responsibility. Organisations should carefully weigh the advantages and disadvantages of function segregation and adopt a balanced approach that takes into account their needs and objectives. However, it is also essential to keep SoD under control with iterative monitoring cycles in order to stabilise its efficiency and optimise its costs.

Conclusions

The establishment of information segregation control cannot be performed solely at the technological level. First of all, it is an organisational choice that must be appropriately studied on the basis of the information assets and their flows. Subsequently, a technological approach to support the segregation activity is implemented, as a guarantee of the desired effect to be achieved. Therefore, it is certainly possible to implement an access restriction process, but only after having correctly identified the roles and information flows affected by the technical measure.

  1. For more information see also ‘Interventions of the Sarbanes-Oxley Act of 2002 on Corporate Responsibility in US Listed Companies’ by S. Cammarata, Centro Ricerche per il Diritto d’Impresa, LUISS, 2002.