Segregation of Duties Concerns in IS Audit | CISA Exam Preparation

Segregation of Duties Concerns


Question

As part of an IS audit, the auditor notes the practices listed below.

Which of the following would be a segregation of duties concern?

Answers

Explanations


D.

Segregation of duties (SoD) is an essential control in information systems to prevent fraud, error, or abuse. It is a practice of separating different functions or responsibilities so that no single individual can complete a transaction from start to finish.

The principle of segregation of duties requires that no single individual has control over all aspects of a transaction. It divides the functions of authorization, custody, and record-keeping among different people to ensure that no single person has the ability to both perpetrate and conceal errors or fraud.

Now, let's analyze each of the practices listed and determine which one represents a segregation of duties concern.

A. Operators are degaussing magnetic tapes during night shifts. This practice does not present a segregation of duties concern as there are no conflicting roles or functions that are being performed simultaneously by a single person.

B. System programmers have logged access to operating system parameters. This practice could represent a segregation of duties concern as it could allow the system programmers to make unauthorized changes to the system. Without proper controls in place, a system programmer could use their access to the system to modify data, override security measures, or conceal their tracks.

C. System programmers are performing the duties of operators. This practice could represent a segregation of duties concern as the same person would be responsible for both maintaining the system and running it, which increases the risk of errors or fraud. It would be difficult for one person to maintain the integrity of the system and at the same time operate it without an effective check and balance mechanism.

D. Operators are acting as tape librarians on alternate shifts. This practice could represent a segregation of duties concern as it could allow an operator to access confidential information or tamper with the tapes. If an operator has access to both the physical tapes and the data on them, there is an increased risk of unauthorized access or data modification.

Therefore, options B, C, and D could represent segregation of duties concerns, but the most significant concern is option C, where system programmers are performing the duties of operators. It represents a higher risk of errors or fraud as one person has too much control over the system, which increases the possibility of unauthorized changes or data manipulation.