A fundamental component of internal control is the separation of duties for high-risk transactions. The underlying separation of duties concept is that no individual should be able to execute a high-risk transaction, conceal errors, or commit fraud in the normal course of their duties.
You can apply separation of duties at either a transactional or an organizational level. For example, payroll has access to employee financial records, but only payroll managers can approve raises.
Answer the following question(s):
- How do you define a high-risk transaction?
- If you were a security professional in a company, what are four roles (two sets of two related roles) you would separate and why?