Segregation of duties trivia

[Faheem SIDDIQUI <fahimdxb () gmail com>]

Hi All...

I am preparing a "Segregation of Duties' Matrix within my IS function 
(Is there a better way to hit at the non-compliance point of 'lack of 
segregation of duties within the organisation', by external auditors?)

I found a very basic chart at ISACA website:
http://www.isaca.org/Content/ContentGroups/Certification3/CRM_Segregation_of_Duties.pdf 
<http://www.isaca.org/Content/ContentGroups/Certification3/CRM_Segregation_of_Duties.pdf>

According to this chart, some of the things in the Control Matrix are 
obvious but some aren't so.

For example: The chart suggests that A DB Admin cannot be an Application 
Programmer neither can he be a Sys Admin or Network Admin..Why?

Or a security administrator can be a Help Desk support personnel but 
cannot be a Systems Analyst or a Systems/Application programmer.

I was wondering, what's the potential control weakness in these two points??

What's the best way of documenting this 'Segregation of 
Duties' procedure for satisfying External Auditors?

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------