Reusable SOD Matrix for IT
I am currently working on a reusable SOD matrix we can run our employees through. I am only working with the IT end of SARBOX at this time, so my matrix should only reflect IT-related roles and duties. I have been using this resource as a baseline or starting point to create my own refillable and reusable matrix/spreadsheet: isaca.org/Content/ContentGroups/Certification3/CRM_Segregation_of_Duties.pdf
I am, however, having a problem with the SOD matrix I linked above because the roles and duties are too general and because conflicts of duties seem to be found too frequently.
My idea is to take this matrix and make a form that each manager can use to interview their subordinates. The managers will fill out a checklist of roles and responsibilities for each employee that we can then take and compare against our SOD matrix and decide if SOD is being maintained.
I have 2 questions.
- Does the process I have explained above seem the logical course towards an SOD-compliant environment?
- Does anyone have an SOD matrix (perhaps in Excel) with more defined roles and responsibilities for IT roles and duties than the one I linked above?
Thank you in advance for the help and any other ideas regarding my query will certainly be helpful.
We tested some key IT general computing controls for SOD along with job descriptions. The person testing the scripts conducted interviews of IT staff that were a representative sample, including IT management, system admin/security admin, and programmers.
The following questions were asked in the interviews:
Was the job description accurate?
Does the job description match their day-to-day duties?
Did they acknowledge/sign off on their job description?
Do they have or perform hands-on IT management duties (the business of running IT)? Note: IT team leads and supervisors are not usually charged with these duties.
Do they write programs?
Do they perform hands-on operations?
Do they perform hands-on security admin?
Do they have direct involvement in the financial reporting processes/controls?
Do they have end-user access within the ERP/accounting/financials software?
In a spreadsheet, the answer for each question was a column. The row was the person interviewed and their current title/function.
We tested for additional things to prove that the roles were being performed.
The points we are trying to prove are:
IT management runs the business of IT, as evidenced by decisions, meeting minutes, etc., and they were not doing hands-on programming/operations/security, etc.
Programmers write code, as evidenced by assigned tasks and deliverables, etc., and they were not doing hands-on IT management/operations/security, etc.
System admins/security admins were doing hands-on operations for infrastructure/servers/networks/software and security functions, as evidenced by help desk requests for specific tasks to be performed and assignments in project plans, etc., and they were not doing hands-on IT management, not programming, not involved in financial reporting processes/controls, and not end-users in the ERP system.
I know this is not what you asked for but it can be start to getting you where you want to be. We used general roles because it seemed easier than getting too granular.
That is some great information. I think I could possibly use the information you provided me in combination with the info from the ISACA matrix to create a reusable one of my own. I like the way you laid the information out for me there. Very helpful.
I would still love to see a link to a premade Excel matrix that better suits my needs. Hopefully after I create one for our use I will link it on this board for others to use.
In the meantime, if anyone has any more info or a reusable one I could download, that would be great.
One more silly question. I understand ERP as enterprise resource planning. Does ERP mean a financially based app or any in-scope DB? Could you give me an example of an ERP system?
Could you give me an example of an ERP system?
Examples include Oracle, PeopleSoft, JD Edwards, SAP, and Microsoft application suites which have a number of modules you can purchase and install. Modules can include general ledger, accounts payable, accounts receivable, payroll, HR, purchasing/procurement, etc…
If you don’t have ERP systems then you may have custom developed financial systems.
I could think of 2 more good questions to ask with regard to separating programming duties: development, testing and implementation.
- Do they perform UAT (user acceptance testing)?
- Do they implement programmed and tested code to the production environment?
what do you think?
Those are good questions.
Each environment is different. Also, the way in which test scripts are developed and organized can be very different.
For my current client, the system admins are the people that promote the code to production. We tested that in different scripts when looking at who has access privileges to production servers. We also tested in the change management and SDLC areas who performs QA testing and user acceptance testing.
BTW, the questions we used for SOD were very much tied to what the external auditor was looking to see. We have to make it extremely clear for them or they get confused. All other test scripts previously tested that are related to SOD, such as access to production servers, were referenced in the new SOD test scripts. We don't want duplication of effort and the risk of getting different results in testing.
You can include your new questions in SOD if that is what makes sense for your organization and environment. I don’t know enough about your organization or environment.
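The spreadsheet described earlier in the thread (one column per interview question, one row per person) and the two extra questions about UAT and promoting code to production can be turned into a mechanical check. The following is an added example, not code from the thread or any poster; the duty codes, the conflict pairs and the sample sheet are all constructed for illustration, and the set of pairs treated as conflicts is an assumption that a real matrix would tailor to the organization. Note that, following the thread, a system admin promoting code to production is not treated as a conflict, while a programmer doing so is.

```python
import csv
import io
from dataclasses import dataclass

# One duty code per interview question (constructed labels; rename to taste).
DUTIES = {
    "IT_MGT": "hands-on IT management (running the business of IT)",
    "PROG": "writes programs",
    "OPS": "hands-on operations",
    "SEC_ADMIN": "hands-on security administration",
    "FIN_PROC": "direct involvement in financial reporting processes/controls",
    "ERP_USER": "end-user access in ERP/accounting/financial software",
    "UAT": "performs user acceptance testing",
    "PROMOTE": "promotes code to the production environment",
}

# Conflict matrix as unordered pairs. ASSUMPTION: these pairs follow the
# "points to prove" given in the thread plus the UAT/promotion questions;
# a real matrix is organization-specific and must be agreed with the auditor.
CONFLICTS = {
    frozenset({"IT_MGT", "PROG"}),
    frozenset({"IT_MGT", "OPS"}),
    frozenset({"IT_MGT", "SEC_ADMIN"}),
    frozenset({"PROG", "OPS"}),
    frozenset({"PROG", "SEC_ADMIN"}),
    frozenset({"PROG", "PROMOTE"}),    # developer must not push own code to prod
    frozenset({"PROG", "UAT"}),        # developer must not accept own work
    frozenset({"OPS", "FIN_PROC"}),
    frozenset({"OPS", "ERP_USER"}),
    frozenset({"SEC_ADMIN", "FIN_PROC"}),
    frozenset({"SEC_ADMIN", "ERP_USER"}),
}


@dataclass
class Interview:
    name: str
    title: str
    answers: dict  # duty code -> True if the person answered "yes"


def conflicts_for(interview):
    """Return the sorted list of conflicting duty pairs one person holds."""
    held = {code for code, yes in interview.answers.items() if yes}
    unknown = held - DUTIES.keys()
    if unknown:
        raise ValueError(f"unknown duty codes for {interview.name}: {sorted(unknown)}")
    # A pair is a hit only when the person holds BOTH duties in it.
    return sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= held)


def evaluate(interviews):
    """Map each person with at least one SOD conflict to their conflict pairs."""
    report = {}
    for iv in interviews:
        hits = conflicts_for(iv)
        if hits:
            report[iv.name] = hits
    return report


def parse_sheet(csv_text):
    """Parse the interview spreadsheet: name, title, then a Y/N column per duty."""
    reader = csv.DictReader(io.StringIO(csv_text))
    interviews = []
    for row in reader:
        answers = {code: (row.get(code) or "").strip().upper() == "Y" for code in DUTIES}
        interviews.append(Interview(row["name"], row["title"], answers))
    return interviews


# Constructed sample sheet, not real interview data.
SAMPLE_SHEET = """\
name,title,IT_MGT,PROG,OPS,SEC_ADMIN,FIN_PROC,ERP_USER,UAT,PROMOTE
A. Manager,IT Director,Y,N,N,N,N,N,N,N
B. Coder,Programmer,N,Y,N,N,N,N,N,Y
C. Admin,System Admin,N,N,Y,Y,N,Y,N,Y
D. Analyst,Business Analyst,N,N,N,N,Y,Y,Y,N
"""

if __name__ == "__main__":
    for name, hits in evaluate(parse_sheet(SAMPLE_SHEET)).items():
        for a, b in hits:
            print(f"{name}: holds both '{DUTIES[a]}' and '{DUTIES[b]}'")
```

Running it flags the programmer who also promotes code and the system admin who holds ERP end-user access; the IT director and the business analyst pass. Because every question maps to its own duty code, loosening or tightening the matrix is a matter of editing CONFLICTS rather than rewriting the interview form, which is what makes the sheet reusable across review cycles.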
Richib:
Working on a client going public that needs to implement SOX (and improve their IT governance on the side). Does anyone have an IT SOD matrix to share?