1) What is the objective of segregation of duties and what are two key aspects of it?
Segregation of Duties (SOD) is used to heighten security within internal controls. SOD's main objective is to reduce malicious activity that may occur as a result of human error or in the event that someone tries to cover up a technological mishap that may occur as a result of hacking, etc. The focal point of SOD is to ensure that one person is not the only one who has access to internal controls. According to Gregory Spafford (2006) "an individual should not be able to perform a transaction and delete all the logs" (Spafford, 2006) or information pertaining to that transaction in an effort to erase his/her steps so the transaction cannot be traced. SOD places limitations on what organizations can do and is most frequently used in audits and/or security reviews.
Reference:
Spafford, G. (2006) Segregate Duties to Lessen Security Risks. Retrieved February 22, 2011 from
https://itmanagement.earthweb.com/columns/article.php/3578216/Segregate-Duties-to-Lessen-Security-Risks.htm
2) What is control risk? Describe the steps involved in the process of assessing control risk.
Control Risk is the probability that an organizations' internal control effectiveness could depreciate over a length of time. In essence, control risk is a mitigation technique that most organizations should employ in order to identify and rectify potential risk and work towards an alleviation or preventative strategy.
Steps of Assessment:
- Identify potential risks that may negatively affect the overall functionality of a project or operation.
- Decide what entity will be greatly impacted by the risk-once a manager can pinpoint who will be affected he/she can begin the process of further evaluation and strategy implementation.
- Evaluate the risk-Once the risks is properly assessed, a manager can apply the right prevention method for the potential risk.
- Determine a mitigation strategy of prevention.
- Maintain a record of key findings based on your observations.
- Review assessments and make the necessary recommendations.
Reference:
HSE (2003) Five Steps to Risk Assessment: Five Steps to Risk Assessment Aims to Help Assess Health and Safety Risks. Retrieved February 22, 2011 from https://www.hse.gov.uk/risk/fivesteps.htm