ISACA Journal - 2012 Volume 6

Tommie W. Singleton, Ph.D., CISA, CgeI T, CITP, CPA, is an associate professor of information systems (IS) at Columbus State University (Columbus, Georgia, USA). Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting using microcomputers. Singleton is also a scholar-in-residence for IT audit and forensic accounting at Carr Riggs & Ingram, a large regional public accounting firm in the southeastern US. In 1999, the Alabama Society of CPAs awarded Singleton the 1998–1999 Innovative User of Technology Award. His articles on fraud, IT/IS, I T auditing and IT governance have appeared in numerous publications.

What Every IT Auditor Should Know About
Proper Segregation of Incompatible IT Activities

One element of IT audit is to audit the IT function. While probably more common in external audit, it certainly could be a part of internal audit, especially in a risk assessment activity or in designing an IT function. While there are many important aspects of the IT function that need to be addressed in an audit or risk assessment, one is undoubtedly proper segregation of duties (SoD), especially as it relates to risk. Similar to traditional SoD in accounting functions, SoD in IT plays a major role in reducing certain risk, and does so in a similar fashion as well. This article addresses some of the key roles and functions that need to be segregated.

DBA knows everything, or almost everything, about the data, database structure and database management system. Thus, this superuser has what security experts refer to as “keys to the kingdom”—the inherent ability to access anything, change anything and delete anything in the relevant database. This situation leads to an extremely high level of assessed risk in the IT function.

Because of the level of risk, the principle is to segregate DBAs from everything except what they must have to perform their duties (e.g., designing databases, managing the database as a technology, monitoring database usage and performance). The IT auditor should be able to review an organization chart and see this SoD depicted; that is, the DBA would be in a symbol that looks like an island—no other function reporting to the DBA and no responsibilities or interaction with programming, security or computer operations (see figure 1).

A similar situation exists for system administrators and operating system administrators.

Do you have something to say about this article?

Visit the Journal pages of the ISACA web site ( www.isaca. org/journal), find the article, and choose the Comments tab to share your thoughts.

Go directly to the article:

IT Du TIeS VS. uSer DePAr TMen TS

The most basic segregation is a general one: segregation of the duties of the IT function from user departments. Generally speaking, that means the user department does not perform its own IT duties. While a department will sometimes provide its own IT support (e.g., help desk), it should not do its own security, programming and other critical IT duties. To mix critical IT duties with user departments is to increase risk associated with errors, fraud and sabotage.

User departments should be expected to provide input into systems and application development (i.e., information requirements) and provide a quality assurance function during the testing phase. In fact, a common principle of application development (AppDev) is to ask the users of the new application to test it before it goes into operation and actually sign a user acceptance agreement to indicate it is performing according to the information requirements. However, the majority of the IT function should be segregated from user departments.

DATAbASe ADMInISTrATOr VS. reST OF IT FunCTIOn The database administrator (DBA) is a critical position that requires a high level of SoD. The

APPDeV VS. DbA AnD IT OPerATIOnS

The development and maintenance of applications should be segregated from the operations of those applications and systems and the DBA. That is, those responsible for duties such as data entry, support, managing the IT infrastructure and other computer operations should be segregated from those developing, writing and maintaining the programs. The same is true for the DBA.

It is also true that the person who puts an application into operation should be different from the programmers in IT who are responsible for the coding and testing.