CISA Tips

Segregation of Duties in IT: What Auditors Need to Know

TK | February 22, 2026 | audit, exam-prep

Segregation of Duties (SoD) is one of the most important internal controls in IT — and one of the most tested topics on the CISA exam. Here's everything you need to know.

What Is Segregation of Duties?

SoD ensures that no single individual has control over all phases of a process. The goal is to prevent fraud, errors, and unauthorized activities by requiring multiple people to complete critical tasks.

The Classic SoD Model

In any process, there are typically four functions that should be separated:

Authorization — Approving transactions or changes
Custody — Physical or logical access to assets
Recording — Maintaining records of transactions
Reconciliation — Verifying that records match reality

No one person should perform more than one of these functions for the same process.

IT-Specific SoD Conflicts

Development vs. Production

Developers should NOT have access to production systems. If they can deploy their own code, they could introduce unauthorized changes.

DBA vs. Security Administrator

DBAs manage databases; security admins manage access permissions. Combining these roles lets one person grant themselves unrestricted data access.

System Admin vs. User

System administrators should not be end-users processing business transactions on the systems they manage.

Change Management Conflicts

The person requesting a change should not approve it
The person developing a change should not migrate it to production
The person testing a change should not be the developer

Common SoD Matrix

When SoD Isn't Possible

Small organizations often can't fully segregate all duties. In these cases, implement compensating controls:

Activity logging and monitoring — Record all actions by users with conflicting roles
Management review — Regular review of activities by someone independent
Access reviews — Periodic certification of who has access to what
Automated alerts — Trigger notifications when conflicting actions occur
Dual authorization — Require two people to approve critical changes
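As an added example (not code from the original post), here is a small Python check that applies the conflict rules above to an access-review export, the kind of automated check that backs the "access reviews" and "automated alerts" compensating controls; the role names, user ids and sample export are constructed for this illustration.

```python
"""Added example (not from the original post): a small SoD conflict checker an
auditor could run over an access-review export. Role names, users and the
conflict matrix are constructed from the rules stated in the post."""
from itertools import combinations

# The post's four classic functions: any two held together is a conflict.
CLASSIC_FUNCTIONS = ("authorization", "custody", "recording", "reconciliation")

# Pairs that no one person should hold for the same process.
SOD_CONFLICTS = {frozenset(p) for p in combinations(CLASSIC_FUNCTIONS, 2)}
SOD_CONFLICTS |= {frozenset(p) for p in [
    ("developer", "production_deploy"),        # development vs. production
    ("dba", "security_admin"),                 # DBA vs. security administrator
    ("sysadmin", "business_user"),             # system admin vs. end user
    ("change_requester", "change_approver"),   # change management rules
    ("change_developer", "change_migrator"),
    ("change_developer", "change_tester"),
]}

# The combination the post singles out as the highest-risk one.
HIGHEST_RISK = frozenset(("authorization", "custody"))


def find_conflicts(assignments):
    """Map each user to the sorted list of conflicting role pairs they hold.
    assignments: {user_id: iterable of role names} (constructed format)."""
    findings = {}
    for user, roles in assignments.items():
        hits = [tuple(sorted(p)) for p in combinations(sorted(set(roles)), 2)
                if frozenset(p) in SOD_CONFLICTS]
        if hits:
            findings[user] = sorted(hits)
    return findings


def highest_risk_users(findings):
    """Users who both approve AND handle the asset; these need a role removed
    or, failing that, logging plus independent management review."""
    return {u for u, pairs in findings.items() if HIGHEST_RISK in map(frozenset, pairs)}


# Constructed access-review export, keyed by user id.
SAMPLE_ASSIGNMENTS = {
    "alice": ["developer", "production_deploy"],    # can push her own code to prod
    "bob":   ["dba"],                               # single role, no conflict
    "carol": ["dba", "security_admin"],             # can grant herself data access
    "dave":  ["authorization", "custody"],          # approves AND handles the asset
    "erin":  ["change_requester", "change_tester"],  # not a listed conflict
}

if __name__ == "__main__":
    for user, pairs in find_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(user, "->", ", ".join(" + ".join(p) for p in pairs))
```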

How SoD Appears on the CISA Exam

Common question patterns:

"What is the GREATEST risk when a developer has access to production?" → Unauthorized code changes
"What is the BEST compensating control for inadequate SoD?" → Activity logging and management review
"Which combination of duties creates the HIGHEST risk?" → Authorization + custody (someone who approves AND handles the asset)

Exam tip: When asked about the "greatest risk" of poor SoD, the answer almost always relates to the potential for fraud or unauthorized modification going undetected.


Practice SoD scenarios with our CISA Course — includes domain-specific quizzes and flashcards.
