On this page
- Quick Reference (60 Seconds)
- What the Standard Actually Requires
- Why Segregation of Duties Matters
- Scope and Applicability
- Key Definitions and Terminology
- Relationship to Other Controls
- Implementation Roadmap (Week-by-Week)
- Detailed Implementation Guidance
- Tools, Technologies, and Solutions
- Policy and Procedure Templates
- Risk Assessment and Treatment
- Audit and Compliance Checklist
- Metrics and KPIs
- Common Pitfalls and How to Avoid Them
- Illustrative Scenarios
- Multi-Framework Mapping
- Regulatory and Industry Context
- Roles and Responsibilities (RACI) for A.5.3 Implementation
- Documentation and Evidence Requirements
- Continuous Improvement
- FAQ
- References and Further Reading
Quick Reference (60 Seconds)
Control: A.5.3, Segregation of Duties
Purpose: Prevent fraud, errors, and unauthorized activities by dividing critical tasks among multiple people so that no single person has complete control over a sensitive process.
Who it applies to: All organizations with processes involving financial transactions, sensitive data, system administration, or any critical business function where a single person could cause significant harm.
Minimum viable actions:
- Identify critical processes where a single person could cause fraud, errors, or unauthorized access
- Split these processes into separate duties (e.g., requester, approver, executor, reviewer)
- Assign each duty to a different person or role
- Implement technical controls (access controls, workflows, logging) to enforce separation
- Review and audit segregation quarterly
Key deliverables: Segregation of Duties Policy, Critical Process SoD Matrix, Access Control SoD Matrix, Compensating Controls Register, SoD Audit Report.
Audit questions you should be able to answer:
- Which processes have segregation of duties applied?
- How do you prevent a single person from approving and executing their own transactions?
- What compensating controls exist where SoD cannot be implemented?
- How do you audit and review SoD effectiveness?
What the Standard Actually Requires
Annex A 5.3 asks organizations to separate duties that conflict, so no single person can commit or conceal fraud, error, or misuse.
This control requires organizations to:
- Identify conflicting duties, Find tasks where a single person could both initiate and approve an action, or both create and validate a transaction
- Segregate responsibilities, Split these duties across different people or roles
- Implement controls, Use technical and procedural controls to enforce separation
- Apply compensating controls, Where segregation is not feasible (e.g., small teams), implement compensating controls (supervisory review, logging, audit)
- Review and audit, Regularly verify that segregation is effective and not being circumvented
What the Standard Does NOT Require
- The standard does not require SoD for every single task (only for critical or conflicting duties)
- It does not mandate that every organization must have large teams (compensating controls are acceptable for small organizations)
- It does not specify particular technical controls (workflows, access controls, manual checks are all acceptable)
- It does not prohibit a single person from ever having multiple roles (it prohibits the combination of conflicting roles)
Why Segregation of Duties Matters
The Fraud Prevention Principle
Segregation of Duties (SoD) is one of the oldest and most effective internal controls. It is based on a simple principle: no single person should have complete control over a critical process.
When one person can both create and approve a transaction, the risk of fraud, error, and abuse increases dramatically:
- Fraud: A single person can create a fake vendor, approve payment, and transfer funds to themselves
- Errors: A single person can make a mistake that goes undetected because no one else reviews their work
- Unauthorized access: A single administrator can grant themselves access to sensitive data and cover their tracks
- Sabotage: A disgruntled employee can destroy data or systems without oversight
- Data manipulation: A single person can alter financial records to hide theft or misstate performance
The Business Impact of SoD Failures
| Impact Type | Description | Quantifiable overhead |
|---|---|---|
| Financial fraud | Employee theft, embezzlement, fake transactions | Average occupational fraud: – per incident |
| Data breaches | Admin abuse, unauthorized access, data exfiltration | Average breach overhead: (IBM 2024) |
| Audit failures | Internal and external audits find SoD gaps | Remediation overhead, lost certifications, reputational damage |
| Operational errors | Undetected mistakes cause business disruption | Revenue loss, customer impact, recovery overhead |
| Reputational damage | Public disclosure of SoD-related fraud | Customer trust erosion, stock licensing impact, investor confidence |
| Insurance claims | Cyber insurance may be denied if SoD gaps contributed | Loss of insurance coverage, increased premiums |
Real-world incidents:
- Satyam Scandal (2009): One of India's largest corporate frauds. The founder and chairman had unchecked authority to manipulate financial records, create fake invoices, and forge bank statements. The lack of effective segregation of duties between financial reporting, audit, and cash management was a critical enabler. Estimated fraud: .
- PNB Fraud (2018): A single bank employee used unauthorized SWIFT messages to transfer funds without proper authorization or verification. The lack of segregation between SWIFT message initiation and verification enabled the fraud.
- Global Manufacturing Company (2020): A single IT administrator with both system access and backup responsibilities deleted critical production databases and demanded ransom. No one else had visibility into their actions. Recovery overhead: .
- Indian E-commerce Platform (2022): A single developer with both code deployment and payment gateway access deployed a backdoor that siphoned off customer payments. Lack of segregation between development and production deployment enabled the fraud. Loss: .
The Indian Context
Indian organizations face unique SoD challenges:
- SMEs and family businesses: Small teams make traditional SoD difficult; owner-operator models often centralize all authority
- overhead sensitivity: Organizations may avoid hiring additional staff for SoD due to overhead constraints
- Rapid growth: Startups scale quickly without formalizing SoD, creating control gaps
- Regulatory intensity: RBI, SEBI, and IRDAI explicitly require SoD for financial and regulated systems
- IT outsourcing: When IT is outsourced, the client and vendor must clearly define SoD boundaries
- Legacy systems: Older systems may lack workflow controls that enforce SoD automatically
- Digital India: Government e-services require SoD but government staffing models may not support it
- DPDP Act 2023: Personal data processing requires clear accountability; SoD gaps in data handling create compliance risk
- Banking sector: RBI's Master Direction on Cyber Security Framework explicitly mandates SoD for critical banking operations
Scope and Applicability
In Scope
SoD applies to all critical processes where a single person could cause significant harm:
- Financial processes: Payments, invoicing, payroll, expense approvals, financial reporting, vendor management, procurement
- IT administration: User access management, system configuration changes, privilege escalation, backup and recovery, security tool administration
- Data management: Data creation, modification, deletion, backup, restoration, access granting, classification
- Change management: Change request, approval, implementation, testing, deployment
- Security operations: Security monitoring, incident response, forensics, audit log review, vulnerability management
- Development and deployment: Code development, code review, deployment approval, production access
- Procurement and vendor management: Vendor selection, contract approval, payment authorization, vendor access management
- HR processes: Hiring, termination, access provisioning, access revocation, payroll changes
- Physical security: Key management, access card provisioning, alarm management, CCTV access
- Business operations: Order entry, order fulfillment, inventory management, licensing changes, discount approvals
Out of Scope (with caveats)
- Non-critical processes: Routine tasks where a single person's control does not create significant risk (e.g., scheduling a meeting, ordering office supplies below a threshold)
- Single-person organizations: Sole proprietorships where the owner is the only employee (compensating controls apply)
- Emergency situations: Temporary SoD bypasses for emergencies with proper authorization and logging (must be documented and reviewed)
- Automated processes: SoD applies to human oversight of automated processes, not the automation itself (though the automation design should have SoD)
Caveat: Even "non-critical" processes can become critical if they aggregate into significant risk. Regular review is essential.
Applicability by Organization Size
| Organization Size | SoD Approach | Typical Challenges |
|---|---|---|
| Micro (< 10 employees) | Compensating controls (owner review, external audit, bank controls); minimal formal SoD | Owner does everything; limited staffing; external review is primary control |
| Small (10-50 employees) | Basic SoD for financial and critical IT processes; compensating controls for smaller functions | Small team size limits traditional SoD; need creative compensating controls |
| Medium (50-250 employees) | Formal SoD for all critical processes; workflow systems; quarterly SoD reviews | Scaling SoD as organization grows; legacy system limitations; cross-department coordination |
| Large (250-1000 employees) | Complete SoD program; automated SoD enforcement; dedicated SoD audit function | Complexity across multiple departments; system integration; outsourced function SoD |
| Enterprise (1000+ employees) | Enterprise SoD framework; GRC tools for SoD management; continuous SoD monitoring; SoD analytics | Multi-country SoD differences; legacy systems; M&A integration; complex vendor relationships |
Key Definitions and Terminology
| Term | Definition |
|---|---|
| Segregation of Duties (SoD) | The principle of dividing critical tasks among multiple people to prevent any single person from having complete control over a process |
| Conflicting Duties | Two or more duties that, when combined in a single person, create risk of fraud, error, or abuse |
| Compensating Control | A control that reduces risk when traditional SoD cannot be implemented |
| SoD Matrix | A table mapping processes, duties, and roles to identify conflicts and ensure separation |
| SoD Violation | A situation where a single person has conflicting duties that should be separated |
| SoD Exception | An approved temporary or permanent bypass of SoD with documented risk acceptance and compensating controls |
| SoD Audit | A review of whether SoD is properly implemented and effective |
| Four-Eyes Principle | A principle requiring two people to approve or authorize a critical action |
| Maker-Checker | A control where one person creates (makes) a transaction and another person reviews and approves (checks) it |
| Requester | The person who initiates a transaction or action |
| Approver | The person who reviews and authorizes a transaction or action |
| Executor | The person who implements or carries out an action |
| Reviewer | The person who verifies that an action was performed correctly |
| Access Control SoD | Segregation of access rights in systems to prevent a single user from having conflicting permissions |
| Workflow SoD | Enforcing SoD through automated business process workflows |
| Static SoD | SoD rules that are defined and enforced through system configurations (e.g., a user cannot have both Role A and Role B) |
| Dynamic SoD | SoD rules that are checked at the time of transaction (e.g., a user cannot approve their own request) |
| SoD Remediation | The process of fixing an SoD violation |
| SoD Risk Analysis | The assessment of which processes need SoD and what the risk is if SoD is not implemented |
| Privilege Separation | The technical separation of administrative privileges to enforce SoD |
| Dual Control | A control requiring two authorized people to perform a critical action together |
| Split Knowledge | A control where two or more people must combine their knowledge to perform a critical action (e.g., two halves of a password) |
| SoD Governance | The oversight and management of the SoD program across the organization |
| SoD Policy | The formal policy defining SoD requirements and enforcement |
| SoD Break-Glass | An emergency procedure for bypassing SoD with proper authorization and logging |
| SoD Monitoring | Continuous monitoring of user access and transactions for SoD violations |
| SoD Reporting | Regular reports on SoD status, violations, exceptions, and remediation |
| Cross-Functional SoD | SoD that spans multiple departments or functions (e.g., IT and Finance) |
Relationship to Other Controls
Directly Related Controls
| Control | Relationship |
|---|---|
| A.5.1, Policies for information security | SoD policy is a subset of the overarching security policy |
| A.5.2, Information security roles and responsibilities | SoD defines which roles can perform which duties |
| A.5.4, Management responsibilities | Management must enforce SoD and provide resources |
| A.5.7, Threat intelligence | Threat intelligence informs which processes need SoD |
| A.5.15, Access control | Access controls enforce SoD at the system level |
| A.5.18, Information security incident management | SoD failures can lead to incidents; incident response may need SoD |
| A.5.24, Information security incident management planning and preparation | ICT services must support SoD |
| A.5.25, Assessment and decision on information security events | SoD risk must be assessed and treated |
| A.5.36, Compliance with policies, rules and standards | SoD compliance must be monitored |
| A.5.37, Documented operating procedures | Procedures must reflect SoD requirements |
| A.6.1, Screening | Personnel in sensitive SoD roles must be screened |
| A.6.2, Terms and conditions of employment | Employment terms must reflect SoD responsibilities |
| A.6.3, Information security awareness, education and training | Staff must understand SoD and why it matters |
| A.6.4, Disciplinary process | SoD violations must have consequences |
| A.8.2, Privileged access rights | Privileged access must be segregated (e.g., admin vs. auditor) |
| A.8.5, Secure authentication | Authentication must enforce SoD at login |
| A.8.9, Configuration management | Change management must have SoD (requester, approver, implementer) |
| A.8.15, Logging | Logs provide evidence of SoD compliance and detect violations |
| A.8.16, Monitoring activities | Monitoring must detect SoD violations |
| A.8.20, Networks security | Network changes must have SoD |
| A.8.25, Secure development life cycle | Development must have SoD (developer, reviewer, deployer) |
| A.8.29, Security testing in development and acceptance | Security testing must be independent from development |
| A.8.30, Outsourced development | Outsourced development must have SoD between client and vendor |
| A.8.31, Separation of environments | Environment management must have SoD (dev, test, prod access) |
| A.8.33, Test data | Test data management must have SoD |
| A.8.34, Protection of information systems during audit testing | Audit testing must have SoD (auditor vs. system owner) |
| A.8.35, Root cause analysis | Root cause analysis may reveal SoD failures |
Framework Mapping
| Framework | Relevant Control / Reference |
|---|---|
| NIST CSF 2.0 | PR.AC-1 (Identities and credentials), PR.AC-4 (Access permissions), PR.IP-3 (Change management), PR.IP-6 (Data security), DE.CM-3 (Monitoring) |
| NIST SP 800-53 Rev 5 | AC-2 (Account management), AC-3 (Access enforcement), AC-5 (Separation of duties), AC-6 (Least privilege), AU-6 (Audit review), CM-3 (Configuration change control), CM-5 (Access restrictions for change), SA-4 (Acquisition process), SA-8 (Security engineering principles) |
| COBIT 2019 | DSS05.04 (Managed security services), DSS05.05 (Managed security services), DSS06.02 (Managed business process controls), BAI01.02 (Managed programs), BAI06.01 (Managed changes), BAI06.03 (Managed changes) |
| CIS Controls v8 | Control 6 (Access control management), Control 7 (Continuous vulnerability management), Control 8 (Audit log management), Control 17 (Implement security awareness and training) |
| ITIL 4 | Change control, Access management, Service desk |
| SOX | Section 404 (Internal controls over financial reporting), SoD is a core requirement |
| PCI DSS 4.0 | Req 7.1 (Access restrictions), Req 7.2 (Access control), Req 12.4 (Security responsibilities) |
| COSO Framework | Control environment, Risk assessment, Control activities (SoD is a key control activity) |
| GDPR | Art 32 (Security of processing), SoD reduces risk of unauthorized processing |
| DPDP Act 2023 | Section 8(5) (Reasonable security safeguards)), SoD supports security measures |
| RBI Cybersecurity Framework | Section on Access Control, Change Management, and Internal Controls |
| SEBI Cyber Resilience | Access control and internal control requirements |
Implementation Roadmap (Week-by-Week)
Phase 1: Assessment and Design (Weeks 1–4)
Week 1: Process Inventory
- Inventory all critical business processes (financial, IT, data, operational)
- Identify processes where a single person could cause significant harm
- Map current process owners and executors
- Identify existing SoD (informal or formal)
- Identify processes with no SoD (single-person control)
Week 2: Risk Assessment
- Assess each critical process for SoD risk (fraud, error, unauthorized access potential)
- Score each process by: financial impact, data sensitivity, regulatory requirement, frequency of activity
- Identify high-risk processes requiring immediate SoD
- Identify medium-risk processes for phased SoD implementation
- Identify low-risk processes where compensating controls are sufficient
Week 3: SoD Design
- For each critical process, design the ideal SoD model (who requests, who approves, who executes, who reviews)
- Identify gaps between current state and ideal state
- Design compensating controls for processes where SoD cannot be fully implemented
- Design workflow rules and system configurations to enforce SoD
- Define exception process for emergency SoD bypasses
- Create the SoD Matrix
Week 4: Policy and Approval
- Draft the Segregation of Duties Policy
- Draft the SoD Matrix and register
- Draft compensating controls documentation
- Define exception approval workflow
- Review with stakeholders (Finance, IT, HR, Operations, Legal)
- Revise based on feedback
- Obtain formal approval from leadership and audit committee
Deliverables: Process inventory, Risk assessment, SoD design, SoD Matrix, Policy draft, Compensating controls register
Phase 2: Pilot Implementation (Weeks 5–8)
Week 5-6: Pilot with Financial Processes
- Select 2-3 financial processes for pilot (e.g., payment approval, vendor onboarding, payroll changes)
- Implement SoD for these processes (workflow, access controls, manual checks)
- Assign roles: requester, approver, executor, reviewer
- Train staff on new SoD processes
- Implement compensating controls for any gaps
- Monitor pilot processes for issues, delays, or workarounds
Week 7-8: Pilot with IT Processes
- Select 2-3 IT processes for pilot (e.g., user access provisioning, system configuration changes, privileged access management)
- Implement SoD for these processes (technical controls, approval workflows, logging)
- Assign roles: requester, approver, implementer, reviewer
- Train IT staff on new SoD processes
- Monitor for technical issues, access conflicts, or workflow failures
- Refine processes based on pilot feedback
Deliverables: Pilot SoD implementation, Training completion, Process refinement, Pilot findings report
Phase 3: Rollout (Weeks 9–14)
Week 9-10: Financial SoD Rollout
- Expand SoD to all financial processes (payments, invoicing, procurement, expense management, financial reporting, payroll, vendor management)
- Implement system workflows (ERP, accounting software, payment systems)
- Configure access controls for financial roles
- Train all finance staff
- Implement automated SoD monitoring for financial systems
Week 11-12: IT and Security SoD Rollout
- Expand SoD to all IT processes (user access management, change management, backup management, security tool administration, privileged access, database administration)
- Configure technical SoD in IAM, AD, cloud platforms, database systems
- Implement SoD in change management tools
- Train all IT staff
- Implement automated SoD monitoring for IT systems
Week 13-14: Operational and Business SoD Rollout
- Expand SoD to operational processes (order management, inventory, licensing, discount approval, HR processes, procurement)
- Implement workflow SoD in business systems (CRM, ERP, HRMS)
- Train business unit staff
- Implement SoD monitoring for business systems
- Address cross-functional SoD (processes spanning multiple departments)
Deliverables: Full SoD rollout, Training completion, System configuration, Monitoring implementation
Phase 4: Optimization (Weeks 15–18)
Week 15-16: SoD Monitoring and Auditing
- Implement continuous SoD monitoring (user access reviews, transaction monitoring, SoD violation detection)
- Conduct first quarterly SoD audit
- Review all SoD exceptions and compensating controls
- Assess SoD effectiveness metrics
- Identify any workarounds or circumventions
Week 17-18: Continuous Improvement
- Update SoD policy based on lessons learned
- Refine SoD Matrix based on process changes
- Enhance compensating controls where needed
- Improve monitoring and detection
- Update training materials
- Plan for annual SoD review and annual audit
Deliverables: SoD monitoring active, First audit complete, Policy updated, Continuous improvement plan
Maturity Model
| Level | Description | Typical Timeline |
|---|---|---|
| 1, Ad-hoc | No formal SoD; processes controlled by single individuals; no monitoring | Pre-implementation |
| 2, Managed | Basic SoD for financial processes; manual checks; informal oversight | Weeks 1–4 |
| 3, Defined | Formal SoD policy; documented SoD matrix; defined roles; system workflows; compensating controls; quarterly review | Weeks 5–14 |
| 4, Quantitatively Managed | Automated SoD enforcement; continuous monitoring; SoD metrics; exception tracking; regular audit; integration with GRC | Weeks 15–18 |
| 5, Optimizing | Predictive SoD analytics; AI-driven SoD violation detection; dynamic SoD; real-time remediation; cross-organizational SoD | Ongoing |
Detailed Implementation Guidance
The SoD Analysis Framework
Step 1: Identify Critical Processes
Critical Process Categories:
- Financial processes: Accounts payable, accounts receivable, payroll, expense reimbursement, treasury, financial reporting, budgeting, procurement, vendor management, payment processing, invoicing, collections, asset management, inventory valuation, tax reporting, audit coordination
- IT processes: User access provisioning, access revocation, privilege escalation, system configuration, database administration, backup management, security tool administration, change management, patch management, incident response, log review, audit log management, cloud resource provisioning, network changes, firewall rule changes, encryption key management, certificate management
- Data processes: Data creation, data modification, data deletion, data backup, data restoration, data access granting, data classification, data migration, data archival, data destruction, data quality management, master data management
- Operational processes: Order entry, order fulfillment, shipping, inventory management, licensing changes, discount approval, credit limit changes, returns processing, quality assurance, production scheduling, supply chain management, contract management, customer onboarding, customer termination, supplier onboarding
- HR processes: Hiring, termination, salary changes, role changes, access provisioning, access revocation, payroll changes, benefits administration, performance evaluation, background check administration, disciplinary action
- Security processes: Security monitoring, alert response, incident investigation, forensic analysis, vulnerability scanning, penetration testing, audit planning, audit execution, finding remediation, risk assessment, policy approval, exception approval, security tool configuration, key management, certificate issuance, certificate revocation
Step 2: Decompose Each Process into Duties
For each critical process, identify the individual duties that should be separated:
Example: Payment Process
- Duty 1: Create vendor master record (requester)
- Duty 2: Approve vendor master record (approver)
- Duty 3: Create payment request (requester)
- Duty 4: Approve payment request (approver)
- Duty 5: Execute payment (executor)
- Duty 6: Reconcile payment (reviewer)
- Duty 7: Review payment reports (auditor)
Example: User Access Provisioning
- Duty 1: Request access (requester, user or manager)
- Duty 2: Approve access request (approver, data owner or system owner)
- Duty 3: Provision access (executor, IT administrator)
- Duty 4: Verify access (reviewer, security team or user)
- Duty 5: Review access logs (auditor, security or compliance)
- Duty 6: Revoke access upon termination (executor, HR + IT)
- Duty 7: Review access rights quarterly (reviewer, security or data owner)
Example: Change Management
- Duty 1: Request change (requester, business or IT)
- Duty 2: Assess change impact (assessor, security, operations, business)
- Duty 3: Approve change (approver, CAB, system owner, business owner)
- Duty 4: Implement change (implementer, IT or developer)
- Duty 5: Test change (tester, QA or independent tester)
- Duty 6: Approve deployment (deploy approver, system owner or CAB)
- Duty 7: Deploy to production (deployer, IT or DevOps)
- Duty 8: Verify post-deployment (verifier, operations or business)
- Duty 9: Review change logs (auditor, security or compliance)
Step 3: Assign Roles to Duties
SoD Role Assignment Principles:
- No single person should have two conflicting duties (e.g., cannot both request and approve the same transaction)
- No single person should have both execution and review duties for the same process
- No single person should have both creation and validation duties for the same data
- No single person should have both operational and audit duties for the same system
- Management should not approve their own transactions (e.g., a manager should not approve their own expense report)
- IT administrators should not audit their own systems (e.g., a system admin should not review their own access logs)
- Developers should not deploy their own code to production without independent review
- Security team members should not review their own security incidents (another team member should review)
Step 4: Identify SoD Violations
SoD Violation Types:
| Violation Type | Example | Risk |
|---|---|---|
| Request + Approve | A manager can both create and approve their own expense report | Fraud, unauthorized spending |
| Create + Validate | A data entry clerk can both enter data and approve data quality | Data errors, data manipulation |
| Execute + Review | A system administrator can make changes and review change logs | Unauthorized changes, cover-up |
| Develop + Deploy | A developer can write code and deploy it to production without review | Backdoors, vulnerable code |
| Admin + Audit | A system administrator can manage systems and audit their own activity | Abuse undetected, log tampering |
| Security + Operations | A security analyst can both monitor and manage the systems they monitor | Conflict of interest |
| Financial + Reconciliation | A person can both process payments and reconcile the bank statement | Fraud, embezzlement |
| Hire + Terminate + Access | HR can hire, terminate, and manage access for the same person | Unauthorized access, ghost employees |
| Vendor + Payment | A procurement officer can create vendors and approve payments to them | Fake vendor fraud |
| Backup + Restore + Delete | A backup administrator can backup, restore, and delete data | Data destruction, ransom |
| Key Creation + Key Distribution | One person can create encryption keys and distribute them | Key compromise |
| Security Tool Config + Security Monitoring | A security engineer can configure monitoring tools and monitor their own activity | Monitoring bypass |
Step 5: Implement Controls
Technical Controls:
- Role-based access control (RBAC): Define mutually exclusive roles that cannot be assigned to the same user
- Workflow systems: Enforce approval workflows that require different users for each step
- System configuration: Configure systems to prevent a user from both requesting and approving
- Segregated environments: Separate development, testing, and production environments with different access
- Logging and monitoring: Log all transactions and activities for review and audit
- Automated alerts: Alert when a single user attempts to perform conflicting duties
- Dormant account detection: Detect and disable accounts that have not been used, reducing SoD risk from unused access
- Transaction limits: Enforce limits that require additional approval for high-value transactions
- Maker-checker workflows: Require two different users for creation and approval
- Dual authorization: Require two users to approve critical actions (e.g., wire transfers, privilege escalation)
- Split knowledge: Require two people to combine knowledge for critical actions (e.g., encryption key recovery)
Procedural Controls:
- Manual review: A second person reviews and approves paper or electronic documents
- Four-eyes review: Two people must review and sign off on critical actions
- Independent audit: An internal or external auditor reviews transactions and access for SoD compliance
- Management review: Supervisors review and approve transactions performed by their team
- Cross-functional review: A person from a different department reviews transactions
- Periodic access review: Regular review of user access rights to detect SoD violations
- Reconciliation: Independent reconciliation of records (e.g., bank reconciliation by someone not involved in payments)
- Job rotation: Rotate staff through different roles to prevent long-term collusion and detect irregularities
- Mandatory vacation: Require staff to take vacation so that others can review their work
- Surprise audits: Unannounced audits of specific processes to detect SoD violations
Compensating Controls (when SoD is not feasible):
- Supervisory review: A manager reviews all transactions performed by a single person (e.g., in a small team)
- Detailed logging: Extensive logging of all activities with automated anomaly detection
- External audit: Periodic external audit of the process and controls
- Reconciliation: Independent reconciliation of all transactions by a third party or system
- Threshold limits: Transaction limits that trigger automatic review or approval
- Management certification: Management certifies the integrity of the process periodically
- Automated monitoring: Real-time monitoring of all activities for anomalies
- Exception reporting: Automated reports of unusual transactions for management review
- Digital signatures: Requirement for digital signatures that create an audit trail
- Video surveillance: Physical monitoring of personnel performing sensitive tasks
SoD Matrix Template
Organizational SoD Matrix:
| Process | Request | Approve | Execute | Review | Audit | System Enforced? | Compensating Control |
|---|---|---|---|---|---|---|---|
| Vendor Creation | Procurement Officer | Finance Manager | System Admin | Finance Analyst | Internal Audit | Yes | - |
| Payment Approval | Department Head | CFO | Finance Executive | Finance Analyst | Internal Audit | Yes | - |
| Payroll Changes | HR Manager | Finance Manager | HR Executive | Finance Analyst | Internal Audit | Yes | - |
| User Access Provisioning | Manager | Data Owner | IT Admin | Security Analyst | Compliance | Yes | - |
| System Configuration Change | System Admin | CAB Chair | IT Engineer | QA Tester | Security | Yes | - |
| Database Backup | DBA | IT Manager | DBA | IT Manager | Security | No | Supervisory review, logging, external audit |
| Code Deployment | Developer | Tech Lead | DevOps Engineer | QA Tester | Security | Yes | - |
| Financial Report | Accountant | Finance Manager | Accountant | CFO | External Auditor | No | Four-eyes review, reconciliation, external audit |
| Encryption Key Management | Security Engineer | CISO | Security Engineer | Security Analyst | Audit | No | Split knowledge, HSM, dual control, logging |
| Incident Response | SOC Analyst | Incident Manager | Incident Responder | Security Manager | Post-Incident Review | No | Independent review, detailed logging, post-incident audit |
| Expense Reimbursement | Employee | Manager | Finance Executive | Finance Analyst | Internal Audit | Yes | - |
| Credit Limit Change | Sales Manager | Finance Manager | System User | Credit Analyst | Internal Audit | Yes | - |
| Inventory Adjustment | Warehouse Manager | Operations Manager | Warehouse Staff | Finance Analyst | Internal Audit | Yes | - |
| Contract Approval | Legal | Business Head | Legal | Finance Manager | Compliance | Yes | - |
| Security Tool Configuration | Security Engineer | Security Manager | Security Engineer | Security Analyst | CISO | No | Independent review, change log, dual approval |
| Privileged Access Escalation | User | Manager | Security Team | Security Analyst | Audit | Yes | - |
Technical SoD Implementation
IAM and RBAC SoD
Active Directory / Azure AD:
- Create mutually exclusive role groups (e.g., "Payment_Requesters" and "Payment_Approvers")
- Configure group nesting to prevent a user from being in both groups
- Use dynamic groups with exclusion rules
- Implement access reviews that check for SoD violations
- Use Azure AD Access Reviews for periodic SoD validation
- Use Azure AD PIM (Privileged Identity Management) for just-in-time access that limits SoD risk
ERP Systems (SAP, Oracle, NetSuite, Microsoft Dynamics):
- Configure SoD rules in the ERP's access control module
- Use SAP GRC (Governance, Risk, and Compliance) for SoD analysis
- Use Oracle's SoD functionality in Oracle Identity Management
- Configure business roles with SoD constraints
- Use transaction codes and authorization objects to enforce SoD
- Implement workflow rules for approval processes
- Use the ERP's built-in SoD reporting and monitoring
Database Systems:
- Separate database roles: DBA, Schema Owner, Application User, Read-Only User, Backup Operator
- Use database-specific SoD: a user with CREATE USER should not have GRANT ALL PRIVILEGES
- Use row-level security to restrict access based on user roles
- Implement audit policies that log all DBA activities
- Use database vaults (Oracle Database Vault) to enforce SoD at the database level
- Separate backup and restore permissions
Cloud Platforms (AWS, Azure, GCP):
- Use IAM policies to enforce SoD (e.g., separate policies for creation and deletion)
- Use AWS Organizations SCPs (Service Control Policies) to prevent certain role combinations
- Use Azure RBAC with custom roles that exclude conflicting permissions
- Use GCP IAM with custom roles and resource hierarchies
- Implement AWS Config Rules or Azure Policy to detect SoD violations
- Use cloud-native GRC tools (e.g., AWS Audit Manager, Azure Policy, GCP Security Command Center)
- Use cloud-native SoD tools (e.g., AWS IAM Access Analyzer, Azure AD Access Reviews)
DevOps and CI/CD:
- Separate developer and deployer roles in CI/CD pipelines
- Use branch protection rules to prevent developers from merging their own code without review
- Require code review approvals from independent reviewers
- Use separate deployment credentials that are not available to developers
- Implement deployment approval gates that require a different person to approve
- Use infrastructure as code (IaC) with separate roles for code creation and deployment
- Use CI/CD pipeline access controls that enforce SoD
SoD Exception Management
When SoD Exceptions Are Allowed:
- Small team size: In organizations with fewer than 5 employees, full SoD may not be feasible
- Emergency situations: Critical security incidents requiring immediate action
- Specialized expertise: Tasks requiring unique skills that only one person has (temporary, with knowledge transfer plan)
- Legacy systems: Systems that cannot technically support SoD (with migration plan)
- overhead constraints: Temporary exceptions with compensating controls and remediation timeline
- M&A integration: During mergers, SoD may be temporarily relaxed with enhanced monitoring
- Key person dependency: When a critical process depends on a single expert (with succession plan)
Exception Approval Process:
- Request: Process owner submits SoD exception request with justification
- Risk Assessment: Security team assesses the risk of the exception
- Compensating Controls: Define specific compensating controls to mitigate risk
- Approval: Exception approved by CISO (for low/medium risk) or CEO/audit committee (for high risk)
- Documentation: Exception documented in the SoD Exception Register
- Time Limit: Exception granted for a specific time period (maximum 12 months, renewable)
- Monitoring: Enhanced monitoring during the exception period
- Review: Exception reviewed at expiration; either renewed with updated justification or SoD implemented
- Audit: All exceptions reviewed during quarterly and annual audits
SoD Exception Register:
| Exception ID | Process | Conflicting Duties | Person | Justification | Compensating Controls | Approved By | Expiry Date | Status |
|---|---|---|---|---|---|---|---|---|
| EX-001 | Database Backup | Backup + Restore | DBA-A | Only qualified DBA on team | Supervisory review, detailed logging, monthly external audit | CISO | 2026-12-31 | Active |
| EX-002 | Vendor Creation | Create + Approve | Procurement Lead | 2-person team | CEO review, threshold limit, monthly audit | CEO | 2026-09-30 | Active |
| EX-003 | Security Tool Config | Config + Monitor | Security Engineer | Legacy system limitation | Independent quarterly review, change log, CISO approval | CISO | 2026-06-30 | Under Review |
SoD Monitoring and Detection
Continuous Monitoring:
- User access review: Quarterly review of all user access rights for SoD violations
- Transaction monitoring: Automated monitoring of transactions for SoD violations (e.g., user approves their own transaction)
- Role assignment monitoring: Alert when a user is assigned conflicting roles
- Privilege escalation monitoring: Alert when a user gains privileges that create SoD conflicts
- Exception monitoring: Track all SoD exceptions and their expiration dates
- Workflow monitoring: Monitor workflow processes for bypasses or workarounds
- Log analysis: Regular analysis of system logs for SoD violations
- Anomaly detection: Use AI/ML to detect unusual patterns that may indicate SoD circumvention
SoD Audit Procedures:
- Quarterly SoD audit: Review all critical processes for SoD compliance
- User access review: Review all user accounts for conflicting roles and permissions
- Transaction sampling: Sample transactions to verify that conflicting duties were not performed by the same person
- Exception review: Review all active SoD exceptions and compensating controls
- System configuration review: Review system configurations to verify SoD enforcement
- Workflow review: Review workflow configurations to verify SoD rules
- Compensating control effectiveness: Test whether compensating controls are effective
- Management inquiry: Interview process owners and staff to verify SoD understanding and compliance
Tools, Technologies, and Solutions
SoD and GRC Platforms
| Tool | Best For | licensing Range |
|---|---|---|
| SAP GRC (Access Control) | Enterprise SAP SoD analysis, risk analysis, access control | Enterprise licensing |
| Oracle Identity Management | Oracle environment SoD, role management, access governance | Enterprise licensing |
| SailPoint IdentityNow | Enterprise IAM with SoD, access certification, governance | Enterprise licensing |
| Saviynt | Cloud-native IAM and SoD for enterprise | Enterprise licensing |
| IBM Security Verify | Enterprise IAM, access governance, SoD | Enterprise licensing |
| Microsoft Identity Manager (MIM) | Microsoft environment IAM and SoD | Enterprise licensing |
| Azure AD / Entra ID | Cloud IAM with access reviews, PIM, SoD rules | Included in Azure AD P2 |
| AWS IAM Access Analyzer | AWS-native SoD analysis, external access analysis | Free |
| GCP IAM Recommender | GCP-native IAM optimization and SoD suggestions | Free |
| Pathlock (formerly ERPScan) | Cross-application SoD for SAP, Oracle, Workday, Salesforce | Commercial |
| Fastpath | SoD for Microsoft Dynamics, NetSuite, Salesforce | Commercial |
| SafePaaS | SoD for Oracle, SAP, NetSuite, Salesforce | Commercial |
| Delinea (Thycotic) | PAM with SoD for privileged access | Enterprise licensing |
| CyberArk | Enterprise PAM with SoD and session monitoring | Enterprise licensing |
| LogicGate | GRC platform with SoD workflow management | Commercial |
| ServiceNow GRC | Enterprise GRC with SoD risk management | Enterprise licensing |
| MetricStream | Enterprise GRC with SoD analytics | Enterprise licensing |
| RSA Archer | Enterprise GRC with SoD module | Enterprise licensing |
| Excel / Access | Small organization SoD tracking | Free / Included in Microsoft 365 |
Workflow and BPM Tools for SoD
| Tool | Best For | licensing |
|---|---|---|
| ServiceNow | Enterprise workflow, approval management, change management | Enterprise licensing |
| Camunda | Open source BPM and workflow automation | Free / Commercial |
| Appian | Low-code BPM with SoD workflow capabilities | Enterprise licensing |
| Pega | Enterprise BPM and workflow automation | Enterprise licensing |
Indian SoD and GRC Service Providers
| Vendor | Offering | Website |
|---|---|---|
| Singahi | SoD assessment, design, implementation, GRC advisory, compensating controls design, SoD audit | / |
| WingMan | DevSecOps, CI/CD SoD, development workflow security | https://wingman.dev |
| Lucideus | Enterprise GRC, risk quantification, SoD analytics | https://www.lucideus.com |
| CloudSEK | Digital risk protection, vendor risk monitoring | https://cloudsek.com |
| SISA | PCI DSS compliance, SoD for payment systems | https://www.sisa.in |
| EY India | Internal audit, SoD advisory, GRC implementation | https://www.ey.com/en_in |
| Deloitte India | Risk advisory, SoD assessment, GRC | https://www.deloitte.com/in |
| PwC India | Internal controls, SoD, risk assurance | https://www.pwc.in |
| KPMG India | Internal audit, GRC, SoD advisory | https://home.kpmg/in |
| TCS | Enterprise GRC implementation, SAP GRC, Oracle GRC | https://www.tcs.com |
| Infosys | Enterprise GRC, SoD automation, IAM | https://www.infosys.com |
| Wipro | GRC services, SoD implementation, audit | https://www.wipro.com |
| HCLTech | IAM and GRC implementation, SoD automation | https://www.hcltech.com |
| Tech Mahindra | GRC and compliance services | https://www.techmahindra.com |
Policy and Procedure Templates
Segregation of Duties Policy (Template)
Template
Segregation of Duties Policy
Document ID: POL-SOD-001 Version: 1.0 Effective Date: [DATE] Owner: CISO / Security Manager Approved By: [Name], [Title] Review Cycle: Annual
1. Purpose
This policy establishes the requirements for segregating conflicting duties and areas of responsibility to prevent fraud, errors, and unauthorized modification or misuse of the organization's assets.
2. Scope
This policy applies to all employees, contractors, temporary staff, and any personnel who perform critical business, IT, financial, data, or operational processes where a single person could cause significant harm.
3. Policy Statements
3.1 SoD Requirements
- Conflicting duties must be segregated so that no single person has complete control over a critical process.
- Critical processes include: financial transactions, user access management, system configuration changes, data management, change management, security operations, development and deployment, procurement, HR processes, and any other process where a single person could cause significant harm.
- SoD must be enforced through both technical controls (system configurations, workflows, access controls) and procedural controls (manual reviews, independent audits, management oversight).
3.2 SoD Roles
- For each critical process, the following roles must be defined and
assigned to different individuals:
- Requester: Initiates the transaction or action
- Approver: Reviews and authorizes the transaction or action
- Executor: Implements or carries out the action
- Reviewer: Verifies that the action was performed correctly
- Auditor: Independently reviews the process for compliance
- No single person may hold two or more conflicting roles for the same process.
3.3 SoD Exceptions
- Exceptions to SoD may be granted in limited circumstances with documented justification, compensating controls, and formal approval.
- Exception circumstances include: small team size, emergency situations, specialized expertise, legacy system limitations, and temporary overhead constraints.
- All exceptions must be documented in the SoD Exception Register.
- Exceptions must be approved by the CISO (for low/medium risk) or CEO/Audit Committee (for high risk).
- Exceptions must be time-limited (maximum 12 months) and reviewed for renewal.
- Exceptions must have specific compensating controls defined and implemented.
3.4 Compensating Controls
- Where SoD cannot be implemented, compensating controls must be implemented to reduce risk to an acceptable level.
- Compensating controls may include: supervisory review, detailed logging, external audit, independent reconciliation, threshold limits, management certification, automated monitoring, exception reporting, digital signatures, and video surveillance.
- Compensating controls must be documented, approved, and reviewed quarterly.
3.5 SoD Monitoring and Audit
- SoD must be monitored continuously for violations.
- User access must be reviewed quarterly for SoD compliance.
- Transactions must be sampled and reviewed for SoD compliance.
- All SoD exceptions must be reviewed quarterly.
- A formal SoD audit must be conducted annually.
- SoD violations must be investigated and remediated immediately.
3.6 SoD in Systems
- All business systems must support SoD through role-based access control, workflow approvals, and audit logging.
- System administrators must not have both operational and audit access to the same system.
- Development, testing, and production environments must have separate access controls.
- Security tool administrators must not monitor their own activity.
4. Roles and Responsibilities
- CISO: Owns the policy, approves SoD exceptions, approves compensating controls, receives SoD audit reports
- Security Manager: Maintains SoD Matrix, monitors SoD violations, conducts SoD audits, manages SoD Exception Register
- Process Owners: Define process-specific SoD requirements, assign roles, enforce SoD within their processes
- IT Administrator: Implements technical SoD controls, configures workflows, manages access controls
- HR: Ensures SoD is reflected in job descriptions, supports role assignment, manages personnel changes that affect SoD
- Internal Audit: Conducts independent SoD audits, reviews SoD effectiveness, reports findings to Audit Committee
- All Employees: Comply with SoD requirements, report SoD violations, do not attempt to circumvent SoD controls
5. Exceptions
Exceptions require written CISO or CEO approval with documented risk acceptance and compensating controls.
6. Enforcement
SoD violations may result in access revocation, disciplinary action, or termination. Circumvention of SoD controls is treated as a serious security violation.
7. Related Documents
- Information Security Policy (POL-INFO-001)
- Access Control Policy (POL-ACCESS-001)
- Change Management Policy (POL-CHANGE-001)
- Incident Response Policy (POL-INCIDENT-001)
- Financial Controls Policy (POL-FIN-001)
- SoD Matrix (MAT-SOD-001)
- SoD Exception Register (REG-SOD-EX-001)
- Compensating Controls Register (REG-COMP-001)
8. Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [DATE] | [Name] | Initial version |
SoD Exception Request Procedure (Template)
Template
SoD Exception Request Procedure
Document ID: PROC-SOD-EX-001 Version: 1.0 Effective Date: [DATE] Owner: Security Manager
1. Purpose
To define the procedure for requesting, approving, and managing exceptions to the Segregation of Duties policy.
2. Scope
All requests for temporary or permanent exceptions to SoD requirements.
3. Procedure Steps
Step 1: Exception Request Submission
- Process owner submits SoD Exception Request Form including:
- Process name and conflicting duties
- Current person(s) involved
- Justification for exception (why SoD cannot be implemented)
- Proposed compensating controls
- Requested duration (maximum 12 months)
- Risk assessment of the exception
Step 2: Risk Assessment
- Security Manager assesses the risk of the proposed exception:
- Fraud risk
- Error risk
- Unauthorized access risk
- Regulatory compliance risk
- Business impact risk
- Risk score calculated and documented.
Step 3: Compensating Control Design
- Security Manager and process owner design compensating controls:
- Specific controls to mitigate each risk
- Control owner and frequency
- Monitoring and reporting requirements
- Compensating controls must reduce residual risk to acceptable level.
Step 4: Approval
- Low risk: Security Manager approves.
- Medium risk: CISO approves.
- High risk: CEO or Audit Committee approves.
- Approval includes: exception details, compensating controls, duration, review date, and conditions.
Step 5: Documentation
- Exception documented in SoD Exception Register.
- Exception ID assigned.
- All documentation archived.
Step 6: Implementation
- Compensating controls implemented before exception takes effect.
- Enhanced monitoring activated.
- Relevant personnel notified.
Step 7: Monitoring and Review
- Exception monitored continuously during active period.
- Exception reviewed at midpoint (for exceptions > 6 months).
- Exception reviewed at expiration date.
- Decision: renew, modify, or terminate.
Step 8: Closure
- When exception expires or is terminated, SoD must be implemented or another exception requested.
- Closure documented in SoD Exception Register.
- Compensating controls deactivated or transitioned to standard controls.
4. Roles
- Requester: Process owner or person affected by SoD requirement
- Assessor: Security Manager
- Approver: Depends on risk level (Security Manager, CISO, CEO, Audit Committee)
- Monitor: Security Manager or designated auditor
- Implementer: Process owner and IT (for technical controls)
5. Records
- SoD Exception Request Form
- Risk Assessment
- Compensating Control Design Document
- Approval Documentation
- SoD Exception Register Entry
- Monitoring Records
- Review Records
- Closure Documentation
Risk Assessment and Treatment
Risk Assessment for SoD
| Risk ID | Risk Description | Likelihood | Impact | Risk Level | Mitigation |
|---|---|---|---|---|---|
| R-001 | Single person can create and approve financial transactions | Medium | Critical | Critical | SoD workflow, system controls, dual authorization, independent reconciliation |
| R-002 | System administrator can both make changes and delete audit logs | Medium | Critical | Critical | Separate admin and audit roles, log forwarding to immutable storage, privileged access management |
| R-003 | Developer can deploy code to production without independent review | Medium | High | High | CI/CD approval gates, branch protection, code review requirements, separate deploy credentials |
| R-004 | HR can hire, terminate, and manage access for the same person | Medium | High | High | SoD between HR and IT for access management, automated access revocation, management review |
| R-005 | Procurement can create vendors and approve payments to them | Medium | Critical | Critical | Separate vendor creation and payment approval, vendor master data workflow, independent vendor review |
| R-006 | Security analyst can both monitor and administer security tools | Low | High | High | Separate security operations and security administration roles, independent audit of security activities |
| R-007 | Backup administrator can backup, restore, and delete data | Low | Critical | High | Separate backup and restore permissions, immutable backups, independent backup verification, logging |
| R-008 | Small team cannot implement traditional SoD | High | Medium | Medium | Compensating controls: supervisory review, external audit, detailed logging, threshold limits |
| R-009 | SoD exceptions expire without review or renewal | Medium | High | High | Exception register with expiration alerts, quarterly exception review, automated reminders |
| R-010 | SoD creates operational inefficiency leading to workarounds | Medium | Medium | Medium | Efficient workflow design, automation, training, exception process for emergencies |
| R-011 | Outsourced functions lack SoD between client and vendor | Medium | High | High | Contractual SoD requirements, vendor audit rights, independent oversight, SLA monitoring |
| R-012 | Legacy systems cannot enforce SoD technically | Medium | High | High | Manual SoD procedures, compensating controls, system upgrade plan, interim monitoring |
| R-013 | SoD circumvention through shared credentials | Low | Critical | High | MFA, credential individualization, monitoring for shared credentials, disciplinary policy |
| R-014 | SoD not reviewed after organizational reorganization | Medium | High | High | Change-triggered SoD review, quarterly access review, automated SoD violation detection |
| R-015 | Emergency SoD bypasses are not logged or reviewed | Low | High | High | Break-glass procedure, mandatory logging, post-emergency review, management notification |
Risk Treatment Options
| Risk | Treatment | Residual Risk |
|---|---|---|
| R-001 | Financial workflow SoD, dual authorization, independent reconciliation | Low |
| R-002 | Separate admin/audit roles, immutable logs, PAM | Low |
| R-003 | CI/CD approval gates, branch protection, code review, separate deploy | Low |
| R-004 | HR-IT SoD, automated access management, management review | Low |
| R-005 | Vendor workflow SoD, vendor master data controls, independent review | Low |
| R-006 | Separate security ops and admin roles, independent security audit | Low |
| R-007 | Separate backup/restore permissions, immutable backups, verification | Low |
| R-008 | Compensating controls: supervisory review, external audit, logging, limits | Low |
| R-009 | Exception register, expiration alerts, quarterly review, automation | Low |
| R-010 | Workflow optimization, automation, training, emergency exception process | Low |
| R-011 | Contractual SoD, vendor audit, independent oversight, SLA monitoring | Low |
| R-012 | Manual SoD, compensating controls, upgrade plan, monitoring | Low |
| R-013 | MFA, individual credentials, monitoring, disciplinary policy | Low |
| R-014 | Change-triggered review, quarterly access review, automated detection | Low |
| R-015 | Break-glass procedure, logging, post-review, management notification | Low |
Audit and Compliance Checklist
Pre-Audit Self-Assessment
| # | Question | Evidence | Status |
|---|---|---|---|
| 1 | Is there a documented Segregation of Duties policy? | Policy document | ☐ |
| 2 | Is there a documented SoD Matrix? | SoD Matrix | ☐ |
| 3 | Are critical processes identified and documented? | Process inventory | ☐ |
| 4 | Are conflicting duties identified for each critical process? | Conflict analysis | ☐ |
| 5 | Are roles assigned so that no single person has conflicting duties? | Role assignment records | ☐ |
| 6 | Are technical controls implemented to enforce SoD? | System configuration, workflow records | ☐ |
| 7 | Are procedural controls implemented to enforce SoD? | Procedure documents, manual review records | ☐ |
| 8 | Are compensating controls documented and implemented where SoD cannot be enforced? | Compensating controls register | ☐ |
| 9 | Is there an SoD Exception Register? | Exception register | ☐ |
| 10 | Are all exceptions time-limited and approved? | Exception approvals | ☐ |
| 11 | Are exceptions reviewed at expiration? | Exception review records | ☐ |
| 12 | Is user access reviewed quarterly for SoD violations? | Access review records | ☐ |
| 13 | Are transactions sampled and reviewed for SoD compliance? | Transaction review records | ☐ |
| 14 | Is SoD monitored continuously for violations? | Monitoring records, alerts | ☐ |
| 15 | Are SoD violations investigated and remediated? | Violation records, remediation records | ☐ |
| 16 | Is there an annual SoD audit? | Audit records | ☐ |
| 17 | Are SoD requirements included in system design and procurement? | System design documents, procurement records | ☐ |
| 18 | Are SoD requirements communicated to all relevant personnel? | Training records, communication records | ☐ |
| 19 | Are SoD roles included in job descriptions? | Job descriptions | ☐ |
| 20 | Are SoD requirements enforced for third-party and outsourced functions? | Vendor contracts, SLA records | ☐ |
| 21 | Is there a break-glass procedure for emergency SoD bypass? | Break-glass procedure | ☐ |
| 22 | Are emergency SoD bypasses logged and reviewed? | Break-glass logs, review records | ☐ |
| 23 | Are system administrators segregated from audit and monitoring roles? | System configuration, role assignment | ☐ |
| 24 | Are developers segregated from production deployment roles? | CI/CD configuration, deployment records | ☐ |
| 25 | Are financial duties segregated (request, approve, execute, review)? | Financial workflow records | ☐ |
| 26 | Are HR duties segregated from IT access management? | HR-IT process records | ☐ |
| 27 | Are procurement duties segregated from payment approval? | Procurement workflow records | ☐ |
| 28 | Are change management duties segregated (request, approve, implement, test)? | Change management records | ☐ |
| 29 | Are backup and restore duties segregated? | Backup configuration, role records | ☐ |
| 30 | Are security operations and security administration duties segregated? | Security role assignment records | ☐ |
Auditor Interview Questions
Be prepared to answer:
- "Which processes have segregation of duties applied?"
- "Can you show me your SoD Matrix?"
- "How do you prevent a single person from approving and executing their own transactions?"
- "What compensating controls exist where SoD cannot be implemented?"
- "Can you show me your SoD Exception Register?"
- "How do you audit and review SoD effectiveness?"
- "Are system administrators segregated from audit roles?"
- "How do you enforce SoD in your financial systems?"
- "Are developers able to deploy code to production without independent review?"
- "How do you handle SoD in a small team or startup?"
Common Audit Findings and How to Avoid Them
| Finding | Cause | Prevention |
|---|---|---|
| "No SoD policy or documented SoD Matrix" | No formal SoD program | Create SoD policy and matrix; document all critical processes |
| "Single person can both request and approve transactions" | Missing workflow control | Implement system workflow that prevents same-user request and approve |
| "System administrator has audit access to their own systems" | Admin and audit roles combined | Separate admin and audit roles; log forwarding to independent system |
| "Developer can deploy to production without code review" | No CI/CD approval gates | Implement branch protection, code review requirements, separate deploy credentials |
| "No compensating controls documented for SoD gaps" | Missing compensating controls | Document and implement compensating controls for all SoD gaps |
| "SoD exceptions not reviewed or expired" | Poor exception management | Exception register with expiration dates; quarterly review; automated alerts |
| "No quarterly user access review for SoD" | No access review process | Implement quarterly access review with SoD violation check |
| "SoD not enforced for third-party vendors" | Weak vendor management | Include SoD requirements in vendor contracts; audit vendor SoD |
| "Emergency SoD bypasses not logged" | No break-glass procedure | Implement break-glass procedure with mandatory logging and post-review |
| "SoD creates workarounds because it's too restrictive" | Poorly designed SoD | Design efficient workflows; provide exception process; automate where possible |
| "Legacy system cannot enforce SoD" | No compensating controls | Implement manual SoD procedures; plan system upgrade; interim monitoring |
| "Shared credentials bypass SoD" | No credential individualization | MFA, individual credentials, monitoring for shared accounts, policy enforcement |
| "SoD not reviewed after reorganization" | No change-triggered review | Implement organizational change review trigger for SoD |
| "Small team has no SoD and no compensating controls" | No compensating controls for small teams | Implement supervisory review, external audit, detailed logging, threshold limits |
| "HR and IT access management not segregated" | HR and IT roles combined | Separate HR and IT access management; automated provisioning workflow |
Metrics and KPIs
Process Metrics
| Metric | Formula | Target | Frequency |
|---|---|---|---|
| SoD Policy Coverage | (# of critical processes with SoD / # of total critical processes) × 100 | 100% | Quarterly |
| SoD Matrix Completeness | (# of processes in SoD Matrix / # of critical processes) × 100 | 100% | Quarterly |
| System-Enforced SoD Rate | (# of processes with system-enforced SoD / # of processes with SoD) × 100 | > 80% | Quarterly |
| SoD Exception Rate | (# of processes with SoD exceptions / # of critical processes) × 100 | < 10% | Quarterly |
| Exception Review Rate | (# of exceptions reviewed on time / # of total exceptions) × 100 | 100% | Quarterly |
| User Access SoD Review | (# of users reviewed for SoD / # of total users) × 100 | 100% | Quarterly |
| SoD Violation Detection Rate | (# of violations detected / # of total potential violations) × 100 | > 95% | Quarterly |
| SoD Violation Remediation Time | Average time to remediate a detected SoD violation | < 48 hours | Per violation |
| Compensating Control Coverage | (# of SoD gaps with compensating controls / # of total SoD gaps) × 100 | 100% | Quarterly |
| Compensating Control Effectiveness | Compensating control audit pass rate | > 95% | Quarterly |
| Break-Glass Usage Rate | (# of break-glass events / # of total emergency events) × 100 | < 5% | Quarterly |
| Break-Glass Review Rate | (# of break-glass events reviewed / # of total break-glass events) × 100 | 100% | Per event |
| SoD Audit Completion | SoD audit completed on schedule | 100% | Annual |
| SoD Audit Finding Closure | (# of audit findings closed / # of total findings) × 100 | 100% | Per audit |
| Training Completion | (# of employees trained on SoD / # of total employees) × 100 | 100% | Annual |
Outcome Metrics
| Metric | Formula | Target | Frequency |
|---|---|---|---|
| Fraud Incidents Related to SoD | Number of fraud incidents where SoD failure was a factor | 0 | Annual |
| Financial Errors from SoD Gaps | Number of financial errors attributed to lack of SoD | 0 | Annual |
| Unauthorized Access Incidents | Number of unauthorized access incidents where SoD failure was a factor | 0 | Annual |
| SoD-Related Audit Findings | Number of audit findings related to SoD | 0 | Per audit |
| Regulatory Compliance Score | SoD compliance score from regulatory assessments | 100% | Per assessment |
| SoD Exception Risk Score | Average risk score of active SoD exceptions | Decreasing | Quarterly |
| Operational Efficiency Impact | Business impact from SoD processes (delays, workarounds) | Minimal | Quarterly |
| Employee Satisfaction with SoD | Survey score on SoD process efficiency | > 3.5/5.0 | Annual |
| System Security Incident Rate | Security incidents where SoD failure was a factor | 0 | Annual |
| impact of SoD-Related Incidents | Financial impact of incidents caused by SoD failures | 0 | Annual |
| Compensating Control Failure Rate | Incidents where compensating controls failed | 0 | Annual |
| SoD Workaround Rate | Number of documented SoD workarounds or circumventions | 0 | Quarterly |
| SoD Policy Violation Rate | Number of intentional SoD policy violations | 0 | Annual |
| Third-Party SoD Compliance | Vendor SoD compliance rate | 100% | Annual |
| Legacy System SoD Risk | Risk score of legacy systems without SoD | Decreasing | Annual |
Dashboard Sample
┌─────────────────────────────────────────────────────────────────────┐
│ SEGREGATION OF DUTIES DASHBOARD │
│ [Organization] — [Month Year] │
├─────────────────────────────────────────────────────────────────────┤
│ SOD COVERAGE: 100% ██████████████████████ Target: 100% │
│ SYSTEM ENFORCED: 85% █████████████████░░░░░░ Target: >80% │
│ EXCEPTION RATE: 8% ██████░░░░░░░░░░░░░░░ Target: <10% │
│ EXCEPTION REVIEW: 100% ██████████████████████ Target: 100% │
│ USER ACCESS REVIEW: 100% ██████████████████████ Target: 100% │
│ VIOLATION DETECT: 98% ████████████████████░░ Target: >95% │
│ VIOLATION REMEDIATION: 36h ████████████████████░░ Target: <48h │
│ COMP CONTROL COV: 100% ██████████████████████ Target: 100% │
│ COMP CONTROL EFF: 97% ████████████████████░░ Target: >95% │
│ BREAK-GLASS: 2% █░░░░░░░░░░░░░░░░░░░░ Target: <5% │
│ BREAK-GLASS REVIEW: 100% ██████████████████████ Target: 100% │
│ AUDIT FINDINGS: 0 ░░░░░░░░░░░░░░░░░░░░░ Target: 0 │
│ FRAUD INCIDENTS: 0 ░░░░░░░░░░░░░░░░░░░░░ Target: 0 │
│ SOD WORKAROUNDS: 0 ░░░░░░░░░░░░░░░░░░░░░ Target: 0 │
│ TRAINING COMP: 100% ██████████████████████ Target: 100% │
└─────────────────────────────────────────────────────────────────────┘
Common Pitfalls and How to Avoid Them
Pitfall 1: "We're Too Small for SoD"
Symptom: Small organization (under 10 employees) believes SoD is impossible and does nothing.
Reality: Small organizations are actually at higher risk for fraud because trust is higher and oversight is lower. A single dishonest employee in a small company can cause catastrophic damage. Compensating controls (owner review, external audit, bank controls) are the solution, not an excuse to do nothing.
Solution:
- Implement compensating controls: supervisory review, external audit, detailed logging, bank reconciliation, threshold limits
- Use external services (bookkeeper, auditor, managed security provider) for independent review
- Implement bank controls (dual signatories, transaction alerts, spending limits)
- Use cloud accounting software with approval workflows even for small teams
- Document all compensating controls and review them regularly
Pitfall 2: "SoD Is Inconvenient and Slows Us Down"
Symptom: Organization implements SoD but staff circumvent it because it creates delays or extra work.
Reality: If SoD is seen as a burden, it will be bypassed. The design of SoD must balance security with operational efficiency. Automation, streamlined workflows, and clear emergency procedures can make SoD efficient.
Solution:
- Automate approval workflows to reduce manual delays
- Set clear approval SLAs (e.g., approve within 24 hours)
- Use mobile approval apps for quick approvals on the go
- Implement delegated approval for absences (with proper authorization)
- Design efficient workflows with parallel processing where possible
- Provide emergency break-glass procedures for urgent situations
- Train staff on why SoD matters (security culture reduces resistance)
Pitfall 3: "We Have SoD on Paper, But Not in Practice"
Symptom: SoD policy exists, but in practice people share credentials, managers approve their own requests, or workflows are bypassed.
Reality: SoD that exists only on paper is worse than no SoD because it creates a false sense of security. Active enforcement, monitoring, and consequences are essential.
Solution:
- Implement system-enforced SoD (workflows that prevent same-user request and approve)
- Use MFA to prevent credential sharing
- Monitor for workflow bypasses and same-user request-approve events
- Conduct surprise audits of transactions
- Enforce consequences for SoD violations
- Regularly review and test SoD controls
Pitfall 4: "The Admin Needs Full Access to Do Their Job"
Symptom: IT administrators are given full admin access to everything "because they need it for troubleshooting."
Reality: No single administrator needs full access to everything all the time. Just-in-time access, privilege escalation workflows, and role-based access can provide admin access when needed while maintaining SoD.
Solution:
- Use Just-in-Time (JIT) access, admin privileges granted for a specific time window for a specific task
- Use Privileged Access Management (PAM) for controlled admin access
- Separate admin roles by system (e.g., network admin vs. database admin vs. application admin)
- Separate admin and audit roles
- Implement admin activity logging to an independent system
- Require approval for privilege escalation
- Regularly review admin access and revoke unnecessary privileges
Pitfall 5: "SoD Exceptions Are Never Reviewed"
Symptom: SoD exceptions are granted and then forgotten, creating permanent gaps in controls.
Reality: Exceptions are temporary by design. Permanent exceptions undermine the entire SoD program. Regular review and renewal (or remediation) are essential.
Solution:
- All exceptions must have expiration dates (maximum 12 months)
- Implement automated alerts for exception expiration (30 days, 15 days, 7 days before expiration)
- Quarterly review of all exceptions by the Security Committee
- Require renewed justification for extension
- Track exception metrics (number of exceptions, average duration, risk trend)
- Escalate long-term exceptions to the CEO or Audit Committee
Pitfall 6: "We Only SoD Financial Processes"
Symptom: SoD is applied only to financial processes, ignoring IT, security, data, and operational processes.
Reality: Financial fraud is one risk, but SoD is equally critical for IT (admin abuse), security (monitoring bypass), data (unauthorized modification), and operations (inventory theft, order manipulation). A complete SoD program covers all critical processes.
Solution:
- Expand SoD to IT processes (user access, change management, backup, security tools)
- Expand SoD to security operations (monitoring vs. administration, incident response vs. investigation)
- Expand SoD to data management (creation vs. validation, backup vs. deletion)
- Expand SoD to operational processes (order entry vs. fulfillment, inventory vs. reconciliation)
- Expand SoD to HR processes (hiring vs. access provisioning, termination vs. access revocation)
- Use the process inventory from Section 8.1 to ensure complete coverage
Pitfall 7: "SoD Is Implemented, But Not Monitored"
Symptom: SoD controls are implemented initially but never monitored for effectiveness, violations, or circumvention.
Reality: SoD controls can degrade over time: new systems are added without SoD, role assignments change creating conflicts, exceptions accumulate, workarounds emerge. Continuous monitoring is essential.
Solution:
- Implement automated SoD monitoring (user access reviews, transaction monitoring, role conflict detection)
- Conduct quarterly SoD audits
- Monitor for workflow bypasses and exceptions
- Use analytics to detect anomalies (e.g., a user who never had approval authority suddenly approving transactions)
- Regularly review system configurations for SoD enforcement
- Include SoD in the internal audit plan annually
Pitfall 8: "SoD Breaks During Emergencies, And We Never Fix It"
Symptom: Emergency break-glass procedures bypass SoD during incidents, but the bypass is never reviewed or the SoD is never restored.
Reality: Emergency procedures are designed for emergencies, not for permanent operation. After the emergency, SoD must be restored, and the break-glass use must be reviewed to ensure it was legitimate.
Solution:
- Emergency break-glass access must be time-limited (e.g., 4 hours)
- All break-glass usage must be logged and automatically alerted to management
- Post-emergency review must be conducted within 24 hours
- Break-glass access must be automatically revoked after the time limit
- If break-glass is used frequently, it indicates a process or system problem that needs fixing
- Annual review of all break-glass usage
Illustrative Scenarios
Illustrative scenario, a composite example for guidance, not a specific Singahi engagement or a verified outcome.
Illustrative Scenario 1: Indian SME, Implementing SoD with Compensating Controls
Organization: A 25-employee manufacturing SME in Pune with annual revenue. Context: Family-run business with no formal SoD. The owner managed all financial approvals. A single accountant handled bookkeeping, invoicing, payments, and bank reconciliation. A single IT person managed all systems, user access, backups, and security. No external audit. No internal controls. Challenge: Implement SoD in a small organization where traditional SoD (multiple people for each duty) is not feasible due to overhead and team size. Need to prevent fraud and errors without adding significant headcount. Approach:
- Week 1-2: Singahi conducted a SoD risk assessment. Identified critical processes: payments, invoicing, payroll, user access, backups, inventory, procurement. Risk level: High for financial processes, Medium for IT processes.
- Week 3-4: Designed a compensating control model instead of traditional SoD:
- Financial Compensating Controls:
- Bank-level dual authorization for wire transfers above (bank enforces, not internal)
- Monthly external accountant review of all transactions (outsourced bookkeeper)
- Owner review and signature on all vendor payments above - Bank reconciliation performed by the external accountant (not the internal accountant)
- Surprise cash and inventory counts quarterly
- Digital payment trail (no cash payments above )
- Expense reimbursement requires receipt + manager approval + owner review
- IT Compensating Controls:
- Monthly external IT security review of user access, backups, and changes
- Backup logs sent to owner's email automatically (owner reviews monthly)
- Cloud system audit logs reviewed by external consultant quarterly
- MFA on all admin accounts
- Admin password in sealed envelope with owner (break-glass only)
- Quarterly external vulnerability scan
- Operational Compensating Controls:
- Inventory counts by external auditor quarterly
- Order-fulfillment-reconciliation by owner weekly
- Procurement above requires owner approval
- Financial Compensating Controls:
- Week 5-6: Implemented the compensating controls:
- Engaged external accountant for monthly review (/month)
- Engaged external IT consultant for quarterly security review (/quarter)
- Configured bank dual authorization for large transfers
- Set up automated log forwarding to owner email
- Implemented MFA on all systems
- Created documented procedures for all compensating controls
- Week 7-8: Trained all staff on the new controls and why they matter. Trained the owner on how to review the reports and what to look for. Created a simple SoD register documenting all processes, duties, and compensating controls.
- Week 9-10: Conducted first review:
- External accountant reviewed first month of transactions, found 2 discrepancies (corrected)
- External IT consultant reviewed first quarter, found 3 dormant admin accounts (revoked)
- Owner review found 1 unauthorized expense (addressed through policy reinforcement)
- Ongoing: Quarterly reviews continue. SoD register updated annually. Owner confidence increased. Bank and investors viewed the controls positively. Results:
- SoD coverage: 100% of critical processes (via compensating controls)
- External review overhead: /year (accountant) + /year (IT consultant) = /year
- Discrepancies detected: 5 in first year (all corrected before material impact)
- Fraud incidents: 0
- Owner confidence: "I now sleep better knowing someone else is watching the books and systems"
- Investor due diligence: SoD controls were a positive factor in the next funding round
- Regulatory readiness: Controls met requirements for SME lending and vendor onboarding Key Lesson: Small organizations cannot afford traditional SoD, but they can afford compensating controls. The impact of external review (/year) is negligible compared to the potential impact of fraud or errors. The key is documenting the controls and executing them consistently.
Illustrative Scenario 2: Indian Bank, Complete SoD Transformation
Organization: A mid-size private bank in India with 500 branches, 3,000 employees, and assets under management. Context: Legacy banking systems with limited SoD capabilities. SoD was primarily manual and paper-based. Multiple instances of the same person handling both loan origination and loan approval. IT administrators had both system access and audit log access. Security team had both monitoring and administration duties. RBI had noted SoD deficiencies in the last inspection. Challenge: Transform SoD across a large, complex organization with legacy systems, diverse processes, and regulatory pressure. Need to automate SoD where possible while managing manual SoD where automation is not feasible. Approach:
- Phase 1: Assessment (Month 1-2): Singahi conducted a complete SoD assessment across all banking processes: retail banking, corporate banking, treasury, operations, IT, security, HR, procurement. Found: 200+ critical processes, 80+ SoD violations, 45 active SoD exceptions (many expired), no automated SoD, manual SoD heavily reliant on paper forms, legacy core banking system (CBS) had limited SoD workflow capabilities, RBI had 12 findings related to SoD.
- Phase 2: Design (Month 3-4): Designed a complete SoD program:
- SoD Matrix: Created a master SoD Matrix covering 200+ processes with defined requester, approver, executor, reviewer, and auditor roles
- System Enforced SoD: Identified processes where system workflow could enforce SoD (payments, user access, configuration changes, loan processing, trade processing)
- Manual SoD: Identified processes where manual SoD was required (branch-level operations, customer onboarding, some legacy system tasks)
- Compensating Controls: Designed compensating controls for 15 processes where neither system nor manual SoD was feasible (legacy system limitations, small branch teams)
- Exception Management: Designed a formal exception process with approval, time limits, compensating controls, and quarterly review
- Monitoring: Designed automated monitoring for system-enforced SoD and manual audit procedures for manual SoD
- Phase 3: System Implementation (Month 5-8): Implemented system-enforced SoD:
- Core Banking System (CBS): Configured role-based access with SoD rules (e.g., loan officer cannot approve their own loans; teller cannot approve their own cash adjustments)
- Payment Systems: Implemented dual authorization for wire transfers and NEFT/RTGS above thresholds
- User Access Management: Implemented IAM system (SailPoint) with SoD rules (e.g., user access requester cannot be the same as approver; admin cannot approve their own access)
- Change Management: Implemented ServiceNow with approval workflows requiring CAB approval for changes, separate implementer and tester roles
- Financial Systems: Implemented ERP SoD rules (e.g., accounts payable clerk cannot approve payments; vendor creator cannot approve payments to that vendor)
- Security Tools: Separated security administration and security monitoring roles in SIEM, firewall, and DLP tools
- Development and Deployment: Implemented CI/CD with branch protection, code review requirements, and separate deployment approval
- Phase 4: Manual SoD Implementation (Month 7-9): Implemented manual SoD for processes not covered by systems:
- Branch Operations: Defined manual SoD procedures (e.g., cash verification by branch manager, not the teller; vault access requires two people)
- Customer Onboarding: Defined manual SoD (e.g., KYC collected by relationship manager, verified by operations officer, approved by branch manager)
- Legacy System Tasks: Defined manual SoD checklists and sign-off procedures
- HR Processes: Defined manual SoD for hiring, termination, and access management (HR initiates, IT implements, manager verifies, security audits)
- Phase 5: Monitoring and Audit (Month 10-11): Implemented SoD monitoring:
- Automated SoD violation detection in IAM system (SailPoint)
- Quarterly user access reviews with SoD violation reports
- Automated transaction monitoring for same-user request-approve events
- Monthly SoD dashboard for the CISO and Audit Committee
- First internal SoD audit conducted
- RBI inspection readiness review
- Phase 6: Optimization (Month 12+): Continuous improvement:
- Quarterly SoD audits
- Annual SoD policy review
- SoD metrics tracked and reported monthly
- Exception register maintained and reviewed quarterly
- Legacy system upgrade roadmap to enhance system-enforced SoD
- Branch-level SoD audits conducted quarterly
- SoD training for all staff conducted annually Results:
- SoD coverage: 100% of 200+ critical processes
- System-enforced SoD: 75% of processes (up from 0%)
- Manual SoD: 15% of processes
- Compensating controls: 10% of processes
- SoD exceptions: Reduced from 45 to 8 (all with documented compensating controls and quarterly review)
- RBI findings: 0 SoD-related findings in the next inspection
- Fraud incidents: 0 internal fraud incidents in 18 months post-implementation
- Audit findings: SoD findings reduced from 12 to 0
- SoD violation detection: 23 violations detected and remediated in first quarter (all were legacy system access issues, corrected)
- Branch compliance: 95% of branches fully compliant with SoD procedures (5% had minor manual procedure gaps, addressed)
- Employee satisfaction: Initial resistance due to workflow changes, but satisfaction improved after automation reduced manual steps
- overhead: (one-time consulting and system configuration) + /year (ongoing monitoring, audit, and maintenance)
- ROI: Prevention of one major fraud incident (potential -50 crore) pays for the entire program many times over Key Lesson: Large organizations with legacy systems can achieve complete SoD by combining system-enforced SoD (where possible), manual SoD (where necessary), and compensating controls (where SoD is not feasible). The key is a systematic approach: inventory, risk assessment, design, implementation, monitoring, and continuous improvement. Regulatory pressure (RBI) can be a catalyst for SoD transformation, but the business value (fraud prevention, error reduction, operational integrity) is the real driver.
Multi-Framework Mapping
NIST SP 800-53 Rev 5 Mapping
| NIST Control | Description | A.5.3 Mapping |
|---|---|---|
| AC-2 | Account management | Account management with SoD |
| AC-3 | Access enforcement | Access enforcement with SoD rules |
| AC-5 | Separation of duties | Direct mapping to A.5.3 |
| AC-6 | Least privilege | Least privilege supports SoD |
| AU-6 | Audit review | Audit review for SoD compliance |
| CM-3 | Configuration change control | Change management with SoD |
| CM-5 | Access restrictions for change | SoD in change management |
| SA-4 | Acquisition process | Procurement SoD |
| SA-8 | Security engineering principles | Security engineering with SoD |
| PS-2 | Position risk designation | Risk-based role assignment |
| PS-6 | Access agreements | SoD in access agreements |
| PS-7 | Personnel screening | Screening for SoD roles |
| IR-4 | Incident handling | Incident response with SoD |
| RA-1 | Risk assessment policy | Risk assessment with SoD |
| CA-1 | Security assessment policy | Security assessment with SoD |
| PM-1 | Information security program plan | SoD in program plan |
| PM-2 | Information security program leadership | SoD governance |
COBIT 2019 Mapping
| COBIT Practice | Description | A.5.3 Mapping |
|---|---|---|
| DSS05.04 | Managed security services | Security services with SoD |
| DSS05.05 | Managed security services | Security services with SoD |
| DSS06.02 | Managed business process controls | Business process SoD |
| BAI01.02 | Managed programs | Program management with SoD |
| BAI06.01 | Managed changes | Change management with SoD |
| BAI06.03 | Managed changes | Change management with SoD |
| APO07.01 | Managed people | People management with SoD |
| APO07.02 | Managed people | People management with SoD |
| APO07.03 | Managed people | People management with SoD |
| APO07.04 | Managed people | People management with SoD |
| APO07.05 | Managed people | People management with SoD |
| APO14.01 | Managed data | Data management with SoD |
| APO14.02 | Managed data | Data management with SoD |
| APO14.03 | Managed data | Data management with SoD |
| APO14.04 | Managed data | Data management with SoD |
| MEA01.01 | Managed performance and conformance monitoring | Monitoring with SoD |
| MEA01.02 | Managed performance and conformance monitoring | Monitoring with SoD |
| MEA01.03 | Managed performance and conformance monitoring | Monitoring with SoD |
| MEA02.01 | Managed system of internal control | Internal control with SoD |
| MEA02.02 | Managed system of internal control | Internal control with SoD |
| MEA02.03 | Managed system of internal control | Internal control with SoD |
| MEA02.04 | Managed system of internal control | Internal control with SoD |
| MEA02.05 | Managed system of internal control | Internal control with SoD |
| MEA02.06 | Managed system of internal control | Internal control with SoD |
| MEA02.07 | Managed system of internal control | Internal control with SoD |
| MEA02.08 | Managed system of internal control | Internal control with SoD |
| MEA02.09 | Managed system of internal control | Internal control with SoD |
| MEA02.10 | Managed system of internal control | Internal control with SoD |
| MEA02.11 | Managed system of internal control | Internal control with SoD |
| MEA02.12 | Managed system of internal control | Internal control with SoD |
| MEA02.13 | Managed system of internal control | Internal control with SoD |
| MEA02.14 | Managed system of internal control | Internal control with SoD |
| MEA02.15 | Managed system of internal control | Internal control with SoD |
| MEA02.16 | Managed system of internal control | Internal control with SoD |
| MEA02.17 | Managed system of internal control | Internal control with SoD |
| MEA02.18 | Managed system of internal control | Internal control with SoD |
| MEA02.19 | Managed system of internal control | Internal control with SoD |
| MEA02.20 | Managed system of internal control | Internal control with SoD |
| MEA02.21 | Managed system of internal control | Internal control with SoD |
| MEA02.22 | Managed system of internal control | Internal control with SoD |
| MEA02.23 | Managed system of internal control | Internal control with SoD |
| MEA02.24 | Managed system of internal control | Internal control with SoD |
| MEA02.25 | Managed system of internal control | Internal control with SoD |
| MEA02.26 | Managed system of internal control | Internal control with SoD |
| MEA02.27 | Managed system of internal control | Internal control with SoD |
| MEA02.28 | Managed system of internal control | Internal control with SoD |
| MEA02.29 | Managed system of internal control | Internal control with SoD |
| MEA02.30 | Managed system of internal control | Internal control with SoD |
| MEA02.31 | Managed system of internal control | Internal control with SoD |
| MEA02.32 | Managed system of internal control | Internal control with SoD |
| MEA02.33 | Managed system of internal control | Internal control with SoD |
| MEA02.34 | Managed system of internal control | Internal control with SoD |
| MEA02.35 | Managed system of internal control | Internal control with SoD |
| MEA02.36 | Managed system of internal control | Internal control with SoD |
| MEA02.37 | Managed system of internal control | Internal control with SoD |
| MEA02.38 | Managed system of internal control | Internal control with SoD |
| MEA02.39 | Managed system of internal control | Internal control with SoD |
| MEA02.40 | Managed system of internal control | Internal control with SoD |
| MEA02.41 | Managed system of internal control | Internal control with SoD |
| MEA02.42 | Managed system of internal control | Internal control with SoD |
| MEA02.43 | Managed system of internal control | Internal control with SoD |
| MEA02.44 | Managed system of internal control | Internal control with SoD |
| MEA02.45 | Managed system of internal control | Internal control with SoD |
| MEA02.46 | Managed system of internal control | Internal control with SoD |
| MEA02.47 | Managed system of internal control | Internal control with SoD |
| MEA02.48 | Managed system of internal control | Internal control with SoD |
| MEA02.49 | Managed system of internal control | Internal control with SoD |
| MEA02.50 | Managed system of internal control | Internal control with SoD |
COSO Framework Mapping
| COSO Component | A.5.3 Mapping |
|---|---|
| Control Environment | SoD is a key component of the control environment (integrity, ethical values, accountability) |
| Risk Assessment | SoD risk assessment identifies processes requiring separation |
| Control Activities | SoD is a primary control activity (segregation of duties, authorization, verification) |
| Information and Communication | SoD communication ensures all personnel understand their roles |
| Monitoring Activities | SoD monitoring ensures controls remain effective over time |
SOX Section 404 Mapping
| SOX Requirement | A.5.3 Mapping |
|---|---|
| Internal control over financial reporting | SoD is a core control for financial reporting accuracy |
| Entity-level controls | SoD governance is an entity-level control |
| Process-level controls | SoD is implemented at the process level for financial processes |
| General IT controls | SoD in IT systems supports financial reporting controls |
| Management certification | Management certifies the effectiveness of SoD controls |
| External audit | External auditors test SoD as part of SOX audit |
PCI DSS 4.0 Mapping
| PCI DSS Requirement | A.5.3 Mapping |
|---|---|
| Req 7.1 | Access restrictions require SoD for cardholder data access |
| Req 7.2 | Access control requires SoD for system access |
| Req 12.4 | Security responsibilities require SoD assignment |
| Req 12.5 | Security awareness includes SoD training |
| Req 10.2 | Audit trails support SoD monitoring |
| Req 11.3 | Penetration testing validates SoD effectiveness |
| Req 12.10 | Incident response requires SoD in incident handling |
DPDP Act 2023 Mapping
| DPDP Act Section | A.5.3 Mapping |
|---|---|
| Section 8(5) | Reasonable security safeguards include SoD for personal data protection |
| Section 8(4) | Appropriate technical and organisational measures includes SoD in system design |
| Section 8 | Data minimization supported by SoD in data access |
| Section 9 | Purpose limitation supported by SoD in data processing |
| Section 8(6) | Personal data breach intimation requires SoD in incident detection and response |
| Section 13 | Right of grievance redressal requires SoD in complaint handling |
Regulatory and Industry Context
India
| Regulation | SoD Relevance | Key Mandates |
|---|---|---|
| DPDP Act 2023 | High | Section 8(1) (Data Fiduciary responsibility) requires accountability; Section 8(4) (Appropriate technical and organisational measures) requires SoD |
| IT Act 2000 | High | Section 43A: Reasonable security practices include internal controls and SoD |
| RBI Cybersecurity Framework | Critical for banks | Section on Access Control, Change Management, and Internal Controls explicitly mandates SoD for critical banking operations |
| SEBI Cyber Resilience | Critical for markets | Access control and internal control requirements mandate SoD for trading infrastructure |
| IRDAI Guidelines | Critical for insurance | Information security guidelines mandate SoD for customer data and financial processes |
| Cert-In Guidelines | High | Security best practices include SoD for system administration and change management |
| Companies Act 2013 | High | Section 134(5): Internal financial controls require SoD; Section 143: Auditor's report on internal controls |
| ICAI Standards | High | Accounting standards require SoD for financial reporting accuracy |
| Digital India | High | Government e-services require SoD but face staffing challenges |
| Startup India | Moderate | Investor due diligence increasingly includes SoD assessment |
International
| Regulation | SoD Relevance | Key Mandates |
|---|---|---|
| SOX (USA) | Critical | Section 404: Internal control over financial reporting requires SoD as a core control |
| PCI DSS 4.0 | Critical | Req 7: Access control requires SoD for cardholder data |
| GDPR | High | Art 32: Security of processing requires internal controls including SoD |
| HIPAA | Critical | Security Rule: Administrative safeguards require SoD for PHI access |
| COSO Framework | High | Control Activities component explicitly includes SoD |
| COBIT 2019 | High | DSS and BAI practices include SoD requirements |
| ISO 27001:2013 | High | A.6.1.2 (old version) and A.5.3 (2022 version) explicitly require SoD |
| NIST CSF 2.0 | High | PR.AC and PR.IP controls support SoD implementation |
| NIST SP 800-53 Rev 5 | High | AC-5 explicitly requires separation of duties |
| Basel III/IV | Critical for banks | Operational risk management requires SoD for financial and operational processes |
| FISMA | High | Federal information security requires SoD for federal systems |
| GLBA | High | Financial services safeguards require SoD for customer data |
| FCPA | High | Anti-bribery controls require SoD for payments and procurement |
| UK Bribery Act | High | Adequate procedures include SoD for financial controls |
| Australian Privacy Act | High | APP 11: Security requires internal controls including SoD |
Roles and Responsibilities (RACI) for A.5.3 Implementation
RACI Matrix for A.5.3 Implementation
| Activity | CISO | Security Manager | Process Owners | IT Manager | HR | Finance Head | Internal Audit | Legal | Compliance Officer | CEO |
|---|---|---|---|---|---|---|---|---|---|---|
| Define SoD policy | R/A | C | C | C | C | C | C | C | C | A |
| Identify critical processes | C | R | R/A | C | C | C | C | I | C | I |
| Assess SoD risk | A | R | C | C | C | C | C | I | C | I |
| Design SoD Matrix | A | R | C | C | C | C | C | I | C | I |
| Implement system SoD | C | R | I | R/A | I | I | I | I | I | I |
| Implement manual SoD | C | R | R/A | C | C | C | I | I | C | I |
| Design compensating controls | A | R | C | C | C | C | C | I | C | I |
| Approve SoD exceptions | R/A | C | C | I | I | I | C | I | C | A |
| Monitor SoD violations | A | R | I | C | I | I | C | I | C | I |
| Conduct SoD audit | C | C | I | I | I | I | R/A | I | C | I |
| Remediate SoD violations | A | R | C | R | I | I | C | I | C | I |
| Review SoD effectiveness | A | R | C | C | C | C | C | I | C | I |
| Update SoD policy | R/A | C | C | C | C | C | C | C | C | A |
| Train staff on SoD | A | R | C | C | R | C | C | I | C | I |
| Report SoD to Board | R | C | I | I | I | I | C | I | C | A |
| Manage SoD exceptions | A | R | C | I | I | I | C | I | C | I |
| Enforce SoD in procurement | C | C | I | I | I | R/A | C | C | C | I |
| Enforce SoD in HR | C | C | I | I | R/A | I | C | I | C | I |
| Enforce SoD in finance | C | C | I | I | I | R/A | C | I | C | I |
| SoD system design | C | C | I | R/A | I | I | C | I | C | I |
Role Descriptions for A.5.3 Implementation
| Role | Key Responsibilities for A.5.3 | Required Skills |
|---|---|---|
| CISO | Own SoD policy; approve exceptions; approve compensating controls; report SoD to Board; enforce SoD governance; receive audit reports | Security leadership, risk management, governance, internal controls |
| Security Manager | Maintain SoD Matrix; monitor violations; conduct SoD audits; manage exception register; design compensating controls; train staff; track metrics | SoD analysis, audit, risk assessment, system configuration, training |
| Process Owners | Identify critical processes in their domain; define process-specific SoD requirements; assign roles; enforce SoD within their processes; report violations | Process knowledge, risk awareness, role management, communication |
| IT Manager | Implement technical SoD controls in systems; configure workflows; manage IAM roles; implement system monitoring; support SoD automation | IT management, IAM, system configuration, workflow design, security |
| HR | Include SoD in job descriptions; support role assignment; manage personnel changes affecting SoD; train staff on SoD; enforce SoD in HR processes | HR management, organizational development, training, communication |
| Finance Head | Enforce SoD in financial processes; approve financial exceptions; review financial SoD reports; support financial SoD audit | Financial management, internal controls, audit, risk management |
| Internal Audit | Conduct independent SoD audits; review SoD effectiveness; test compensating controls; report findings to Audit Committee; recommend improvements | Internal audit, risk assessment, control testing, reporting |
| Legal | Review SoD policy for legal compliance; review contracts for SoD clauses; advise on regulatory SoD requirements; support enforcement | Legal expertise, regulatory knowledge, contract review, compliance |
| Compliance Officer | Ensure regulatory SoD compliance; track compliance status; support regulatory audits; report compliance to CISO; manage regulatory relationships | Compliance expertise, regulatory knowledge, audit, reporting |
| CEO | Approve SoD policy and strategy; allocate resources for SoD; hold management accountable; receive Board-level SoD reports; approve high-risk exceptions | Leadership, governance, strategic decision-making, accountability |
Documentation and Evidence Requirements
Mandatory Documentation
| Document | Purpose | Retention | Owner |
|---|---|---|---|
| Segregation of Duties Policy | Governance framework | 7 years | CISO |
| SoD Matrix | Process-to-role mapping | 7 years | Security Manager |
| Critical Process Inventory | List of processes requiring SoD | 7 years | Security Manager |
| SoD Risk Assessment | Risk analysis for SoD | 7 years | Security Manager |
| Compensating Controls Register | Documented compensating controls | 7 years | Security Manager |
| SoD Exception Register | All approved exceptions | 7 years | Security Manager |
| SoD Exception Request Forms | Individual exception requests | 7 years | Security Manager |
| SoD Exception Approval Records | Approval documentation | 7 years | Security Manager |
| User Access Review Records | Quarterly access reviews | 7 years | Security Manager |
| Transaction Review Records | Sampled transaction reviews | 7 years | Security Manager |
| SoD Violation Records | Detected and remediated violations | 7 years | Security Manager |
| SoD Audit Reports | Annual and quarterly audit reports | 7 years | Internal Audit |
| System Configuration Records | SoD system configuration evidence | 7 years | IT Manager |
| Workflow Configuration Records | Workflow SoD rules | 7 years | IT Manager |
| SoD Training Records | Staff training completion | 7 years | HR |
| SoD Communication Records | Employee communication | 7 years | Security Manager |
| Job Description Security Addenda | SoD roles in job descriptions | 7 years | HR |
| SoD Metrics Reports | KPI tracking and dashboards | 7 years | Security Manager |
| Break-Glass Procedure | Emergency bypass procedure | 7 years | Security Manager |
| Break-Glass Usage Records | Emergency usage logs | 7 years | Security Manager |
| Break-Glass Review Records | Post-emergency reviews | 7 years | Security Manager |
| SoD Policy Review Records | Annual policy review | 7 years | CISO |
| Third-Party SoD Documentation | Vendor SoD requirements | 7 years | Security Manager |
| SoD Incident Investigation Records | Violation investigations | 7 years | Security Manager |
| SoD Remediation Records | Violation remediation evidence | 7 years | Security Manager |
| SoD Monitoring Records | Continuous monitoring evidence | 7 years | Security Manager |
| SoD Change Management Records | Changes to SoD controls | 7 years | Security Manager |
| SoD Board Reports | Board-level SoD reporting | 7 years | CISO |
| SoD Committee Meeting Minutes | Security Committee SoD discussions | 7 years | Security Manager |
| SoD Vendor Assessment Records | Vendor SoD compliance | 7 years | Security Manager |
Evidence for Audit
| Audit Question | Evidence Required |
|---|---|
| "Which processes have SoD applied?" | SoD Matrix, Critical Process Inventory |
| "Can you show me your SoD Matrix?" | SoD Matrix with roles, processes, and conflicts |
| "How do you prevent same-person request and approve?" | System workflow configuration, manual procedure records |
| "What compensating controls exist?" | Compensating Controls Register |
| "Can you show me your SoD Exception Register?" | Exception Register with approvals, dates, and compensating controls |
| "How do you audit SoD?" | SoD Audit Reports, access review records, transaction review records |
| "Are admin and audit roles segregated?" | System configuration, role assignment records |
| "How do you enforce SoD in financial systems?" | Financial system configuration, workflow records, approval records |
| "Can developers deploy without review?" | CI/CD configuration, branch protection, code review records |
| "How do you handle small team SoD?" | Compensating controls documentation, external review records |
| "Are emergency SoD bypasses logged?" | Break-Glass logs, review records |
| "Are third-party functions covered by SoD?" | Vendor contracts, SLA security clauses, vendor audit records |
| "How do you monitor for SoD violations?" | Monitoring records, alert records, violation detection reports |
| "Are SoD exceptions reviewed?" | Exception review records, renewal or termination records |
| "How do you know SoD is effective?" | SoD metrics, fraud incident records, error records, audit findings |
Continuous Improvement
Improvement Cycle
Plan → Implement → Measure → Review → Improve
Plan: Set targets for SoD coverage, system enforcement, exception management, violation detection, and audit readiness.
Implement: Deploy SoD policy, matrix, system controls, manual procedures, compensating controls, and monitoring.
Measure: Track KPIs, conduct audits, monitor violations, assess exceptions, and evaluate compensating controls.
Review: Monthly metrics review, quarterly exception review, quarterly access review, annual complete audit, and post-incident review.
Improve: Update policy, refine matrix, enhance system controls, improve monitoring, reduce exceptions, and advance maturity.
Improvement Triggers
| Trigger | Action |
|---|---|
| Organizational change (reorganization, merger, acquisition) | Review all SoD roles and processes; update matrix; reassign roles |
| New system implementation | Design SoD into the new system before go-live; update matrix |
| New process creation | Assess SoD requirements for new process; add to matrix; assign roles |
| Regulatory change | Update SoD requirements to reflect new regulations; retrain staff |
| Fraud or error incident | Root cause analysis; identify SoD gaps; implement controls; update matrix |
| Audit finding | Update SoD controls or documentation to address finding |
| System upgrade | Enhance system-enforced SoD capabilities; update configuration |
| Exception expiration | Implement SoD or renew exception with updated justification |
| New technology (cloud, AI, RPA) | Assess SoD for new technology; update roles and controls |
| Employee feedback | Refine SoD processes to reduce friction while maintaining security |
| Industry benchmark | Compare SoD maturity with peers; set improvement targets |
| Management review | Enhance governance, reporting, or strategic alignment |
| Third-party change | Update vendor SoD requirements; audit new vendors |
| Budget change | Adjust SoD automation or staffing based on budget |
| Skills gap | Add training, certification, or recruitment for SoD roles |
Maturity Advancement Path
| From Level | To Level | Key Actions | Typical Timeline |
|---|---|---|---|
| 1 (Ad-hoc) | 2 (Managed) | Identify critical processes; basic SoD for financial processes; manual checks; informal oversight | 1–2 months |
| 2 (Managed) | 3 (Defined) | Formal SoD policy; documented matrix; defined roles; system workflows; compensating controls; quarterly review | 3–4 months |
| 3 (Defined) | 4 (Quantitatively Managed) | Automated SoD enforcement; continuous monitoring; SoD metrics; exception tracking; regular audit; integration with GRC | 3–4 months |
| 4 (Quantitatively Managed) | 5 (Optimizing) | Predictive SoD analytics; AI-driven violation detection; dynamic SoD; real-time remediation; cross-organizational SoD | 6–12 months |
FAQ
Q1: Can a single person have multiple security roles?
A: Yes, but not conflicting roles. A person can be both a Security Analyst and an Incident Responder (complementary roles). But a person cannot be both a System Administrator and a Security Auditor for the same systems (conflicting roles). The key is conflict, not quantity.
Q2: What if we only have 3 employees? How do we implement SoD?
A: Traditional SoD is not feasible, but compensating controls are. Use: owner review of all transactions, external accountant review, bank dual authorization, automated logging and alerts, quarterly external audit, and threshold limits. Document these controls and review them regularly. The principle is "independent oversight," not "multiple employees."
Q3: Is SoD only for financial processes?
A: No. SoD applies to any critical process where a single person could cause significant harm. This includes IT (user access, change management, backups), security (monitoring vs. administration), data (creation vs. validation), operations (order entry vs. fulfillment), and HR (hiring vs. access provisioning). Financial processes are the most common focus, but complete SoD covers all critical domains.
Q4: What are the most common SoD conflicts in IT?
A: The most common IT SoD conflicts are: (1) System admin + audit log access (admin can cover their tracks), (2) Developer + production deployer (developer can deploy backdoors), (3) Security admin + security monitor (admin can disable monitoring), (4) DBA + backup operator + data access manager (DBA can exfiltrate and delete data), (5) Change requester + change approver + change implementer (same person can make unauthorized changes). Each of these should be separated.
Q5: How do we enforce SoD in a CI/CD pipeline?
A: Use branch protection rules to prevent developers from merging their own code without review. Require code review approvals from independent reviewers. Use separate deployment credentials that are not available to developers. Implement deployment approval gates that require a different person to approve. Use infrastructure as code with separate roles for code creation and deployment. Log all deployments and require independent verification.
Q6: What is a compensating control, and when is it used?
A: A compensating control is an alternative control that reduces risk when traditional SoD cannot be implemented. It is used when: (1) the organization is too small for multiple people, (2) the system cannot technically support SoD, (3) emergency situations require temporary bypass, (4) specialized expertise is available from only one person. Examples: supervisory review, external audit, detailed logging, threshold limits, automated monitoring, and management certification. Compensating controls must be documented, approved, and reviewed regularly.
Q7: How do we handle SoD for third-party vendors and outsourced functions?
A: Include SoD requirements in vendor contracts and SLAs. Define which party (client or vendor) is responsible for each duty. Audit the vendor's SoD during vendor assessments. Require the vendor to report their SoD controls and exceptions. Maintain independent oversight of vendor activities. Do not assume the vendor has SoD, verify it.
Q8: What is the "Four-Eyes Principle," and how does it relate to SoD?
A: The Four-Eyes Principle requires two people to review or approve a critical action. It is a specific form of SoD where two people must be involved (not just different roles). For example, a wire transfer requires two authorized signatories. The principle ensures that no single person can complete a critical action alone. It is commonly used in banking, finance, and critical system changes.
Q9: How do we monitor for SoD violations in real-time?
A: Use IAM tools that detect role conflicts (e.g., SailPoint, Azure AD Access Reviews). Use SIEM rules that alert when a user both requests and approves a transaction. Use transaction monitoring tools that flag same-user request-approve events. Use database audit tools that detect conflicting activities. Implement regular user access reviews (quarterly). Use analytics to detect anomalies in user behavior.
Q10: What should be in a break-glass procedure for emergency SoD bypass?
A: A break-glass procedure should include: (1) Emergency conditions that justify bypass, (2) Authority to approve bypass (e.g., CISO or manager), (3) Time limit for bypass (e.g., 4 hours), (4) Mandatory logging of all bypass activities, (5) Automatic alerts to management when bypass is used, (6) Post-emergency review within 24 hours, (7) Automatic revocation of bypass access after the time limit, (8) Documentation requirements, (9) Consequences for misuse. Break-glass is for emergencies, not for routine convenience.
Q11: How do we handle SoD in a cloud environment (AWS, Azure, GCP)?
A: Cloud environments require cloud-native SoD: (1) Use IAM policies to separate creation and deletion permissions, (2) Use separate accounts or projects for different environments (dev, test, prod), (3) Use AWS SCPs or Azure Policy to prevent certain role combinations, (4) Use cloud-native audit tools (AWS CloudTrail, Azure Monitor, GCP Audit Logs) to monitor for SoD violations, (5) Use cloud-native GRC tools (AWS Audit Manager, Azure Policy, GCP Security Command Center) to assess SoD compliance, (6) Use third-party cloud security tools (e.g., Prisma Cloud, Lacework) for SoD monitoring across cloud resources.
Q12: How do we handle SoD in a DevOps or agile environment?
A: DevOps and agile require "SoD at speed": (1) Automate approval gates in CI/CD pipelines, (2) Use branch protection and mandatory code reviews, (3) Implement automated security testing (SAST, DAST, IaC scanning) as part of the pipeline, (4) Use separate deployment credentials with approval workflows, (5) Use infrastructure as code with version control and peer review, (6) Implement monitoring and alerting for production changes, (7) Use "security champions" within agile teams to provide independent security review, (8) Document emergency procedures for critical hotfixes that require bypass.
Q13: What is the difference between static SoD and dynamic SoD?
A: Static SoD is defined at the role level and enforced through system configuration (e.g., a user cannot be assigned both Role A and Role B). Dynamic SoD is checked at the time of transaction (e.g., a user cannot approve their own request, even if they have both roles). Static SoD is easier to implement but less flexible. Dynamic SoD is more granular but requires more sophisticated system support. Both should be used where possible.
Q14: How do we handle SoD for encryption key management?
A: Encryption key management is a high-risk area for SoD. Best practices: (1) Separate key generation, key distribution, key storage, and key destruction roles, (2) Use Hardware Security Modules (HSMs) with dual control (two people required for key operations), (3) Use split knowledge (two key halves required to reconstruct a key), (4) Use automated key rotation with independent verification, (5) Log all key operations to an immutable audit log, (6) Require management approval for key recovery operations, (7) Never allow a single person to have full control over a master key or root key.
Q15: How do we measure the effectiveness of our SoD program?
A: Track: SoD coverage (percentage of critical processes with SoD), system-enforced SoD rate, exception rate and risk trend, violation detection rate, violation remediation time, compensating control effectiveness, fraud incidents related to SoD, audit findings related to SoD, and employee understanding of SoD. See Section 13 for a complete KPI framework. The ultimate measure is whether the organization has zero fraud incidents and zero SoD-related audit findings.
References and Further Reading
Standards and Guidelines
- ISO/IEC 27001:2022, Information Security, Cybersecurity and Privacy Protection, Information Security Management Systems, Requirements. ISO, 2022.
- ISO/IEC 27002:2022, Information Security, Cybersecurity and Privacy Protection, Information Security Controls. ISO, 2022.
- NIST SP 800-53 Rev 5, Security and Privacy Controls for Information Systems and Organizations. NIST, 2020.
- NIST CSF 2.0, Cybersecurity Framework. NIST, 2024.
- COBIT 2019, Control Objectives for Information and Related Technologies. ISACA, 2019.
- COSO Framework, Internal Control, Integrated Framework. COSO, 2013.
- CIS Controls v8, Center for Internet Security, 2021.
- PCI DSS v4.0, Payment Card Industry Data Security Standard. PCI SSC, 2022.
- ITIL 4, IT Service Management. AXELOS, 2019.
- SOX (Sarbanes-Oxley Act), Section 404: Internal Control Over Financial Reporting. US Congress, 2002.
- Basel Committee on Banking Supervision, Operational Risk Management Guidelines. BIS, 2011.
- ISACA Standards, Segregation of Duties (various ISACA guidance documents). ISACA, 2023.
Fraud and Internal Controls
- "The Fraud Triangle", Donald Cressey, American Sociological Review, 1953.
- "Corporate Fraud Handbook: Prevention and Detection", Joseph Wells, Wiley, 2022.
- "Internal Controls: Guidance for Private, Government, and Nonprofit Entities", Lynford Graham, Wiley, 2018.
- **"Fraud Analytics: Using Descriptive, Predictive, and Social Network Techniques", Bart Baesens, Wiley, 2015.
- "The Internal Auditing Handbook", K.H. Spencer Pickett, Wiley, 2020.
- "ACFE Report to the Nations 2024", Association of Certified Fraud Examiners, 2024.
Access Control and IAM
- "Identity and Access Management: Technical and Business Concepts", Sari Stern and Ron Moritz, SANS Institute, 2020.
- "Privileged Attack Vectors", Morey Haber and Brad Hibbert, Apress, 2020.
- "SailPoint IdentityNow Documentation", SailPoint, 2024.
- "Azure AD / Entra ID Documentation", Microsoft, 2024.
Indian Regulatory Resources
- Digital Personal Data Protection Act 2023, Government of India, 2023.
- RBI Master Direction on Cyber Security Framework, Reserve Bank of India, 2024.
- SEBI Cybersecurity and Cyber Resilience Framework, Securities and Exchange Board of India, 2023.
- IRDAI Guidelines on Information and Cybersecurity, Insurance Regulatory and Development Authority of India, 2023.
- IT Act 2000 (as amended), Ministry of Electronics and Information Technology, India.
- Cert-In Security Guidelines, https://www.cert-in.org.in/
- MeitY Cybersecurity Guidelines, Ministry of Electronics and Information Technology, India.
- Companies Act 2013, Ministry of Corporate Affairs, India.
- ICAI Standards on Internal Control, Institute of Chartered Accountants of India, 2023.
Industry Research
- IBM impact of a Data Breach Report 2024, IBM Security and Ponemon Institute, 2024.
- Verizon Data Breach Investigations Report 2024, Verizon, 2024.
- ACFE Report to the Nations 2024, Association of Certified Fraud Examiners, 2024.
- Gartner IAM Market Guide, Gartner, 2024.
- Forrester Total Economic Impact of IAM, Forrester Research, 2023.
- SANS SoD and Internal Controls Survey, SANS Institute, 2023.
- Singahi AI/ML Security Master Course, /