IT Audit: Control of Access Rights and Segregation of Duties

Free access

IT audit plays a major role in ensuring that an organization’s information systems are used safely and reliably. It assesses the effectiveness of the organization’s internal controls in the field of information security, identifies potential risks, and finds ways to minimize them. The article defines the main areas of an IT audit and examines in more detail the audit of how access rights to IT systems are distributed, since granting users excessive access rights can cause the following risks to materialize: unavailability of the company’s services and information systems, data compromise, fraudulent transactions, and unintentional errors. The article then examines the principle of segregation of duties (SoD) as a mechanism for ensuring the reliability of the access management process and reducing the risks identified in this area. An algorithm of actions required to implement an SoD system in an organization is given, namely: analyze business processes, assess risks, separate processes and functions, distribute roles and responsibilities, implement access controls, and monitor processes and functions. As one practice for implementing segregation of duties, the formation of an SoD matrix is proposed both for business processes as a whole (segregation of duties by positions) and for individual information systems (segregation of duties by roles).
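The SoD matrix the abstract proposes can be made checkable in code. The following is an added example, not code from the article or its authors: it models the matrix as a set of duty pairs that one person must not hold at once, derives each user's effective duties from their role assignments in a hypothetical system, flags users whose combination of roles creates a conflict, and additionally derives the role-level SoD matrix (pairs of roles that must never be co-assigned) from the duty-level one. All duty, role and user names are constructed sample data.

```python
"""Segregation-of-duties (SoD) matrix check.

Added example, not from the article: an SoD matrix is modelled as a set
of conflicting duty pairs; users are flagged when their combined roles
grant both sides of a conflict. Duty, role and user names are constructed.
"""
from itertools import combinations

# Constructed SoD matrix: each frozenset is a pair of duties that must not
# be held by the same person at the same time (hypothetical duties).
SOD_MATRIX = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"grant_access", "review_access_log"}),
}

# Constructed role catalogue for one hypothetical system: role -> duties.
ROLE_DUTIES = {
    "ap_clerk": {"enter_invoice", "create_vendor"},
    "ap_manager": {"approve_payment"},
    "it_admin": {"grant_access"},
    "it_auditor": {"review_access_log"},
}

# Constructed user -> roles assignments (what an access review would export).
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},     # can create a vendor and approve payment
    "carol": {"it_admin", "it_auditor"},   # grants access and reviews her own log
    "dave": {"it_auditor"},
}


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by a set of roles."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def find_conflicts(duties, sod_matrix=SOD_MATRIX):
    """Return the SoD conflicts (as sorted tuples) present in one duty set."""
    return sorted(tuple(sorted(pair)) for pair in sod_matrix if pair <= duties)


def audit_users(user_roles=USER_ROLES, role_duties=ROLE_DUTIES, sod_matrix=SOD_MATRIX):
    """Map each user to the list of SoD conflicts created by their roles.

    Users without conflicts are omitted, so an empty dict means a clean review.
    """
    report = {}
    for user, roles in user_roles.items():
        conflicts = find_conflicts(effective_duties(roles, role_duties), sod_matrix)
        if conflicts:
            report[user] = conflicts
    return report


def conflicting_role_pairs(role_duties=ROLE_DUTIES, sod_matrix=SOD_MATRIX):
    """Derive the role-level SoD matrix: role pairs that must not be co-assigned.

    This is the 'segregation of duties by roles' view for a single system,
    computed from the duty-level matrix rather than maintained by hand.
    """
    pairs = set()
    for a, b in combinations(sorted(role_duties), 2):
        if find_conflicts(role_duties[a] | role_duties[b], sod_matrix):
            pairs.add((a, b))
    return sorted(pairs)


if __name__ == "__main__":
    for user, conflicts in audit_users().items():
        print(f"{user}: {conflicts}")
    print("role pairs that must not be co-assigned:", conflicting_role_pairs())
```

Run as a script it lists the two constructed users holding toxic combinations and the two role pairs that should be blocked at assignment time; in practice the role and user dictionaries would be loaded from the system's access export, and the derived role-pair list is what an access-request workflow would consult before granting a second role.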


IT audit, IT risks, access management, principle of segregation of duties, duties conflict, SoD matrix, information security

Short address: https://sciup.org/149148527

IDR: 149148527   |   DOI: 10.15688/ek.jvolsu.2025.1.11

Scientific article