AuditXYZ

Segregation of Duties (SoD): Definition and Implementation

Segregation of Duties

Segregation of duties (SoD) is the principle that no single individual should have control over all phases of a critical process. By dividing responsibilities among multiple people, organizations reduce the risk of fraud, errors, and unauthorized actions going undetected. It is a cornerstone of internal control design and a requirement across all major compliance frameworks.

How Segregation of Duties Works

The core idea is to separate three functions:

  • Authorization — Who approves an action
  • Execution — Who performs the action
  • Review/Monitoring — Who verifies the action was performed correctly

For example, in a change management process: one person submits a code change, a different person reviews and approves it, and a third person (or automated system) deploys it to production. No single individual controls the entire pipeline.

Common SoD Conflicts

  • The same person who writes code also deploys it to production without review
  • The same person who creates vendor invoices also approves payments
  • The same person who provisions user accounts also performs access reviews
  • The same person who develops security policies also audits compliance with those policies

Why It Matters

SOC 2 Common Criteria CC5.2 specifically addresses segregation of duties. Auditors evaluate whether management has defined incompatible functions and established controls to prevent individuals from performing conflicting duties.

ISO 27001 addresses segregation through access control and operational security controls. The principle applies to both technical and administrative processes.

PCI DSS requires separation between personnel who perform security functions and those who perform operational functions in the cardholder data environment.

SoD in Small Teams

Segregation of duties is especially challenging for startups and small teams where one person wears many hats. Strategies to address this include:

  • Compensating controls — When full segregation is not feasible, implement additional monitoring, logging, or management review
  • Automated enforcement — Use tools that require pull request approvals from someone other than the author
  • Regular reviews — Conduct periodic reviews of actions taken by individuals who have broad access
  • Document exceptions — Acknowledge SoD limitations and document the compensating controls in place
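As an added example (not from AuditXYZ), the following Python turns two parts of this page into checks a small team could run over its own data: the incompatible pairs listed under Common SoD Conflicts become static entitlement rules, and the author/approver/deployer split from the change-management example becomes a per-change check that records, rather than ignores, the documented compensating-control exception. Duty names, user names and change IDs are constructed.

```python
# Added illustration, not from the page: SoD checks over a constructed
# entitlement export and a constructed change record.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Incompatible duty pairs, one per conflict listed under "Common SoD Conflicts".
INCOMPATIBLE: Set[FrozenSet[str]] = {
    frozenset({"write_code", "deploy_prod"}),
    frozenset({"create_invoice", "approve_payment"}),
    frozenset({"provision_accounts", "review_access"}),
    frozenset({"write_policy", "audit_policy"}),
}

def find_entitlement_conflicts(entitlements: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, duty_a, duty_b) for each user holding both sides of an incompatible pair."""
    hits = []
    for user, duties in entitlements.items():
        for pair in INCOMPATIBLE:
            if pair <= duties:  # the user holds every duty in the pair
                a, b = sorted(pair)
                hits.append((user, a, b))
    return sorted(hits)

@dataclass
class Change:
    """One change-management record: who submitted, who approved, who deployed."""
    change_id: str
    author: str
    approvers: Set[str]
    deployer: str
    compensating_control: str = ""  # documented exception, e.g. "manager post-deploy review"

def check_change(change: Change) -> Tuple[List[str], bool]:
    """Return (findings, accepted). accepted is True only when findings exist AND a
    compensating control is documented: the small-team exception is recorded, not ignored."""
    findings = []
    if not (change.approvers - {change.author}):
        findings.append("no approval independent of the author")
    if change.deployer == change.author:
        findings.append("author also deployed to production")
    return findings, bool(findings) and bool(change.compensating_control)

if __name__ == "__main__":
    # Constructed sample data, not from any real environment.
    entitlements = {"alice": {"write_code", "review_access"},
                    "bob": {"create_invoice", "approve_payment", "write_code"}}
    print(find_entitlement_conflicts(entitlements))  # bob: invoice + payment
    print(check_change(Change("CHG-1", "alice", {"alice", "carol"}, "deploy-bot")))
    print(check_change(Change("CHG-2", "bob", {"bob"}, "bob", "manager post-deploy review")))
```

A change with findings but no documented compensating control comes back with accepted False, which is the case an auditor would expect to see escalated rather than filed as an exception.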
