
3.10C Segregation of Duties, Cross training and Job Rotation



Segregation of duties (SoD) is the practice of assigning responsibility for the different functions of a job to separate individuals so as to prevent or detect irregularities and fraud. For example, when entering a transaction, one employee initiates the transaction and another employee records it, so that no single person can execute a complete transaction on their own.


SoD also covers the case where two people must participate in a task simultaneously, which is known as dual control. SoD does not guarantee security, however, because the two employees may collude to commit fraud or other irregularities.


Addressing violation of segregation of duties


Implementing role-based access is a preventive method of addressing the risk of a violation of segregation of duties. When an employee's access is restricted to their role, they cannot perform any job function that has not been assigned to them.


SoD is the best way to ensure that developers do not make unauthorized changes in the production environment: developers should not have access to the production environment at all.


Compensating control in absence of segregation of duties


In small organizations it may not be feasible to segregate every function. In such cases, appropriate compensating controls such as audits and log reviews should be put in place.
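As an added illustration (not part of the original study note), the following Python script models both controls discussed above: a role-based SoD conflict check as the preventive control, and a log review that flags any single user who completed an entire transaction as the compensating control. The role matrix, user assignments and log lines are constructed sample data.

```python
from collections import defaultdict

# Pairs of duties that no single person should hold together (constructed).
SOD_CONFLICTS = [
    ("initiate_payment", "record_payment"),
    ("develop_code", "deploy_to_production"),
]

# Role -> permissions: a constructed role-based access matrix.
ROLES = {
    "clerk": {"initiate_payment"},
    "accountant": {"record_payment"},
    "developer": {"develop_code"},
    "ops": {"deploy_to_production"},
}

# User -> assigned roles (constructed). carol and dave are over-privileged.
USERS = {
    "alice": ["clerk"],
    "bob": ["accountant"],
    "carol": ["clerk", "accountant"],
    "dave": ["developer", "ops"],
}

# Constructed audit log: "<timestamp> <user> <action> <transaction id>".
LOG = [
    "2024-01-05T09:00 alice initiate_payment TXN100",
    "2024-01-05T09:10 bob record_payment TXN100",
    "2024-01-05T10:00 carol initiate_payment TXN101",
    "2024-01-05T10:02 carol record_payment TXN101",
]

def sod_violations(user_roles):
    """Preventive check: users whose combined roles grant both halves of a conflicting pair."""
    violations = {}
    for user, roles in user_roles.items():
        perms = set().union(*(ROLES.get(r, set()) for r in roles))
        hits = [(a, b) for a, b in SOD_CONFLICTS if a in perms and b in perms]
        if hits:
            violations[user] = hits
    return violations

def review_log(lines):
    """Compensating control: transactions initiated and recorded by the same user."""
    steps = defaultdict(dict)          # txn -> {action: user}
    for line in lines:
        _ts, user, action, txn = line.split()
        steps[txn][action] = user
    return sorted(txn for txn, s in steps.items()
                  if "initiate_payment" in s and "record_payment" in s
                  and s["initiate_payment"] == s["record_payment"])
```

Running `sod_violations(USERS)` reports carol and dave before any access is granted, while `review_log(LOG)` surfaces TXN101 after the fact, which is the kind of detection a small organization relies on when the roles cannot be split.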


Cross-training and Job Rotation


  • Many organizations practise cross-training, in which people on the same team are trained in one another's roles. One risk of cross-training is that a single employee who knows all of the related processes can bypass the control.


  • Job rotation and mandatory vacations play a dual role: they improve employee productivity and help to detect fraud or other irregularities.


  • Mandatory job rotation also reduces the risk of collusion between two employees, since the same two employees will not be allowed to work together over an extended period of time.


Key aspects from CRISC exam perspective



CRISC Question: How to address the risk of violation of segregation of duties?

Possible Answer: Implement role-based access.


CRISC Question: What is the best way to ensure that developers do not make any unauthorized changes in the production environment?

Possible Answer:

  • Segregation of duties between developer and production staff.

  • Developers should not have access to the production environment.


CRISC Question: What should the compensating control be in case segregation of duties cannot be implemented?

Possible Answer:

  • Review of logs

  • Audit


CRISC Question: The risk of collusion between two employees can be addressed by?

Possible Answer: Mandatory job rotation

