
Introduction to Technology Role Based Access Controls
Two fundamental elements of internal control are restricted access and segregation of certain key duties. Segregation of duties (SOD) and system access controls are used to prevent fraud and safeguard information assets, intellectual property, personally identifiable information (PII) and protected health information (PHI).
The underlying idea behind SOD is that no employee or group of employees should be in a position to both perpetrate and conceal errors or fraud in the normal course of their duties. The principal duties typically identified as incompatible, and which should therefore be segregated, are:
- Custody of assets
- Authorization or approval of related transactions affecting those assets
- Recording or reporting of related transactions
In Information Technology (IT), privileges are usually granted according to user role (role-based access control, RBAC): a user receives the union of the permissions attached to the roles assigned to them, so SOD conflicts have to be evaluated over that combined set, not over individual roles. With today's evolving technologies, SOD for IT processes is critical to maintaining safe and reliable data and protecting against fraud. A consistent framework should also encompass management duties (e.g., granting or revoking the proper rights to the appointed people, and reporting and managing any exception to the procedures) and governance duties (evaluating, directing and monitoring SOD rules and practices in accordance with corporate governance).
In this alternate model, some management duties (granting and revoking rights) fall within the authorization of access and are segregated from the other duties.
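The following is an added example, not code from the original article, showing how the SOD model described above can be enforced mechanically over RBAC assignments. The role names, permission names and SOD rules are constructed for illustration; the three duty classes (custody, authorization, recording) map onto permissions, each SOD rule is a set of permissions that no single person may hold, `grant_role` performs the management duty of refusing a grant that would create a conflict unless an approved exception is on record, and `audit` performs the governance duty of re-checking every existing assignment against the current rules.

```python
"""Segregation-of-duties checks over role-based access assignments.

Constructed example: the roles, permissions and rules below are assumptions
made for illustration, not an organisation's real policy.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Role -> permissions. Permission names are chosen to map onto the three
# incompatible duty classes (custody, authorization, recording) plus the
# management and governance duties the text adds to the framework.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap_clerk":   {"vendor.create", "invoice.record"},  # recording / reporting
    "ap_manager": {"payment.approve"},                  # authorization / approval
    "treasury":   {"payment.release"},                  # custody of assets
    "iam_admin":  {"access.grant", "access.revoke"},    # management duty
    "auditor":    {"access.review", "invoice.read"},    # governance duty (read-only)
}

# SOD rules: a rule fires when ALL of its permissions are in a user's
# effective (union over roles) permission set.
SOD_RULES: List[Tuple[str, Set[str]]] = [
    ("custody vs authorization",            {"payment.release", "payment.approve"}),
    ("authorization vs recording",          {"payment.approve", "invoice.record"}),
    ("custody vs recording",                {"payment.release", "invoice.record"}),
    ("grants access and reviews it",        {"access.grant", "access.review"}),
    ("grants access and approves payments", {"access.grant", "payment.approve"}),
]


class SodConflict(Exception):
    """A grant would create an SOD conflict with no approved exception."""


def effective_permissions(roles: Iterable[str]) -> Set[str]:
    """Union of permissions over all roles; an unknown role is an error, not an empty set."""
    perms: Set[str] = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role: {role}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_violations(roles: Iterable[str]) -> List[str]:
    """Names of the SOD rules violated by the combined permissions of `roles`."""
    perms = effective_permissions(roles)
    return [name for name, conflict in SOD_RULES if conflict <= perms]


def role_level_conflicts() -> Dict[str, List[str]]:
    """Roles that violate SOD on their own: a mis-designed role rather than a mis-assignment."""
    return {role: v for role in ROLE_PERMISSIONS if (v := sod_violations([role]))}


def grant_role(assignments: Dict[str, Set[str]], user: str, role: str,
               exceptions: Dict[str, Set[str]] = None) -> List[str]:
    """Management duty: grant `role` to `user` unless the resulting permission set
    violates a rule that is not covered by an approved exception for that user.
    Returns the rules that fired but were covered by an exception, for reporting."""
    proposed = set(assignments.get(user, set())) | {role}
    fired = sod_violations(proposed)
    approved = (exceptions or {}).get(user, set())
    unapproved = [v for v in fired if v not in approved]
    if unapproved:
        raise SodConflict(f"{user} + {role} would violate: {unapproved}")
    assignments[user] = proposed
    return fired


def audit(assignments: Dict[str, Set[str]],
          exceptions: Dict[str, Set[str]] = None) -> Dict[str, List[str]]:
    """Governance duty: re-evaluate every current assignment against the current
    rules and report users whose conflicts have no approved exception. Needed
    because rules, role definitions and assignments all change after a grant."""
    findings: Dict[str, List[str]] = {}
    for user, roles in assignments.items():
        approved = (exceptions or {}).get(user, set())
        open_violations = [v for v in sod_violations(roles) if v not in approved]
        if open_violations:
            findings[user] = open_violations
    return findings


if __name__ == "__main__":
    assignments = {"alice": {"ap_clerk"}, "bob": {"treasury"}}
    exceptions: Dict[str, Set[str]] = {}
    try:
        grant_role(assignments, "alice", "ap_manager", exceptions)
    except SodConflict as err:
        print("refused:", err)
    exceptions["alice"] = {"authorization vs recording"}  # documented, approved exception
    print("granted under exception:", grant_role(assignments, "alice", "ap_manager", exceptions))
    assignments["bob"].add("ap_manager")  # change made outside grant_role, e.g. a direct edit
    print("audit findings:", audit(assignments, exceptions))
```

The check is deliberately run at two points: at grant time, so the person administering access cannot create a conflict without an exception on record, and again during periodic audit, so conflicts introduced by rule changes, role redefinitions or out-of-band edits are still caught. Keeping `role_level_conflicts` separate makes it clear whether a finding is a badly designed role or a bad assignment, which are fixed by different people.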