How can an IS auditor best evaluate the segregation of duties in an IT department?

Study for the CISA Domain 1 Exam. Get ready with flashcards, multiple-choice questions, hints, and explanations. Prepare thoroughly for your audit and assurance certification!

Evaluating the segregation of duties in an IT department is crucial for ensuring that no single individual has control over multiple aspects of a process, which could lead to fraud or errors. Engaging in discussions with IT managers provides a comprehensive understanding of the current processes, responsibilities, and any potential overlaps in duties that may not be evident through documentation alone.

Through discussions, an IS auditor can gather insights about the rationale behind the assignment of specific roles, identify any areas of concern regarding potential conflicts of interest, and assess how management has implemented controls to enforce segregation of duties. This approach also allows for clarification of any ambiguous job roles and responsibilities, which reviewing job descriptions or consulting past audit reports alone cannot address as effectively.

While reviewing job descriptions and evaluating the organizational structure are valuable actions, they often provide a static view of roles rather than an understanding of the dynamic interactions and practices within the team. Researching past audit reports can inform the auditor about historical issues but may not address the current state of segregation of duties directly. Engaging with IT managers is a proactive and effective way to gather real-time data regarding the effectiveness of existing controls related to segregation of duties.
