GOV-009 Segregation of Duties
Description
Conflicting duties and responsibilities that could enable fraud or error are identified and separated across different individuals or automated controls. Where full separation is not feasible due to organizational size, compensating controls are documented.
Rationale
Segregation of duties is a fundamental internal control preventing any single individual from having end-to-end control over a critical business process, reducing the risk of both fraud and undetected errors.
Framework Mappings (4)
| Control ID | Control Name | Coverage |
|---|---|---|
| IAM-04 | Separation of Duties | full |
| 5.3 | Segregation of duties | full |
| AC-5 | Separation of Duties | full |
| CC6.3 | Role-Based Access Controls and Least Privilege | partial |
Evidence (2)
Segregation of duties matrix or documented SoD policy identifying conflicting roles and the required separations or compensating controls.
Example: Segregation of Duties Policy and conflict matrix (Confluence / GRC platform), identifying roles that must not be combined (e.g. code deploy and production access approval), with compensating controls documented for any exceptions due to organizational size.
Test: Request the SoD policy and conflict matrix. Verify: (1) conflicting role combinations are explicitly listed, (2) each conflict has either a required separation or a documented compensating control, (3) the policy has been approved by management within the last 12 months.
System access configuration records showing that conflicting roles are not simultaneously assigned to the same user accounts.
Example: Access control export from IAM system (Okta, Azure AD, AWS IAM) or ticketing system showing user-to-role assignments, confirming no user account holds both sides of a defined SoD conflict.
Test: Export user-role assignments from the IAM system. Cross-reference against the SoD conflict matrix. Verify: (1) no active user account is assigned both roles in any identified conflict pair, (2) for any exceptions, a documented compensating control record exists with a named approver.
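The cross-reference described in the test above, as an added example that is not part of this control catalogue: a Python script that reads a constructed IAM export, checks every user against a conflict matrix, ignores deactivated assignments, and accepts a conflict only when an exception record names both a compensating control and an approver. The user names, the second conflict pair and the exception register are all assumed.

```python
import csv
from io import StringIO

# Constructed SoD conflict matrix: role pairs that must not be combined.
# (first pair is the page's example; the second is made up for illustration)
CONFLICT_MATRIX = [
    ("code-deploy", "prod-access-approver"),
    ("vendor-create", "payment-approve"),
]

# Constructed IAM export: one row per user-to-role assignment.
IAM_EXPORT = """user,role,status
alice,code-deploy,active
alice,prod-access-approver,active
bob,code-deploy,active
bob,prod-access-approver,deactivated
carol,vendor-create,active
carol,payment-approve,active
dave,code-deploy,active
"""

# Constructed exception register keyed by (user, conflict pair).
EXCEPTIONS = {
    ("carol", ("vendor-create", "payment-approve")): {
        "control": "Dual review of every payment by the finance lead",
        "approver": "CFO",
    },
}

def load_active_roles(export_text):
    """Map each user to the roles held on *active* assignments only."""
    roles = {}
    for row in csv.DictReader(StringIO(export_text)):
        if row["status"].strip().lower() == "active":
            roles.setdefault(row["user"], set()).add(row["role"])
    return roles

def find_sod_findings(export_text, conflicts, exceptions):
    """Return (user, pair, outcome) for every conflict pair a user holds in full;
    outcome is 'exception-approved' only if a compensating control with a named
    approver is on record, otherwise 'violation'."""
    findings = []
    for user, held in sorted(load_active_roles(export_text).items()):
        for pair in conflicts:
            if set(pair) <= held:
                record = exceptions.get((user, pair), {})
                ok = bool(record.get("control")) and bool(record.get("approver"))
                findings.append((user, pair, "exception-approved" if ok else "violation"))
    return findings
```

On the constructed data, alice is reported as a violation (both sides of the deploy/approval pair, no exception), carol as an approved exception, and bob is clean because his second role is deactivated.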
Questions (2)
Has your organization identified conflicting duties that could enable fraud or error, and documented required separations or compensating controls?
A segregation of duties (SoD) matrix or conflict register should list role pairs that must not be combined, with compensating controls for any necessary exceptions.
How does your organization verify that SoD conflicts are not present in the live IAM environment?
An IAM export cross-referenced against the SoD conflict matrix, showing no user holds both sides of a conflict, is the expected evidence.