Diagram excerpt from: CISA Review Manual 2008, chapter 2, page 112. (www.isaca.

org/cisabooks)

The segregation of duties control matrix below (exhibit 2.9) is illustrative of potential segregation of duties issues. It should not be viewed or used as an absolute, rather it should be used to help identify potential conflicts so proper questions may be asked to identify compensating controls. In actual practice, functions and designations may vary in different enterprises. Actual job titles and organizational structures also may vary greatly from one organization to another, depending on the size and nature of the business.

Exhibit 2.9Segregation of Duties Control Matrix

Help Desk and Support Manager Database Administrator Network Administrator Systems Administrator Security Administrator Application Programmer Systems Programmer X Quality Assurance X X X X Computer Operator X

Systems Analyst

Control Group

Control Group Systems Analyst Application Programmer Help Desk and Support Manager End User Data Entry Computer Operator Database Administrator Network Administrator System Administrator Security Administrator Systems Programmer Quality Assurance X X X

Data Entry X

End User

XCombination of these functions may create a potential control weakness.

2007 ISACA