UnixTime

Research Note

Template - A.5.3 Audit Checklist

Research note.

On this page

A.5.3 Segregation of Duties

Audit test Evidence to request Pass criteria
Identify conflicting duties SoD matrix, risk assessment, process documentation Key conflicts documented
Confirm critical duties are segregated Access workflows, change process, approval records Sensitive tasks require separate approval/review
Confirm privileged activities are controlled PAM records, admin logs, SIEM alerts Admin activity is logged and reviewed
Confirm logs are protected SIEM configuration, log retention settings, permissions Users cannot alter their own logs
Confirm compensating controls Exception records, monitoring evidence Lack of segregation is risk-assessed and monitored
Confirm reviews are independent Review records, reviewer role Reviewer is not the person whose activity is reviewed
Confirm holiday/sickness coverage Coverage plans, temporary access approvals Temporary cover does not break independence
Confirm high-risk processes checked Finance, access, change, supplier, backup processes High-risk processes have checks and balances
  • ISO27001
  • ISO27002
  • Template
  • Audit
  • Sod
  • A5 3

Note Metadata

Aliases: A.5.3 Audit Checklist

Source: 90 Templates/A.5.3 Audit Checklist.md