複数のビジネス アプリケーションにおける不正な内部トランザクションのリスクを軽減するのに最適な制御は、職務の分離です。職務の分離とは、ビジネス プロセスまたは IT サービスに関与するさまざまな個人またはグループの役割と責任を分割し、1 人の個人またはグループがプロセスまたはサービス全体を完全に制御できないようにするという原則です。職務の分離により、チェックとバランスが確保され、適切な監視と説明責任が確保されるため、不正、エラー、利益相反、またはリソースの不正使用を防止または検出できます。また、職務の分離により、ビジネス アプリケーションとデータへのアクセスと権限が制限されるため、社内スタッフ間の共謀、侵害、または強制のリスクを軽減できます。定期的なユーザー権限の確認、ログの監視、および定期的な内部監査も、有用な制御ですが、これらはプロアクティブで予防的な手段ではなく、リアクティブで検出的な手段であるため、職務の分離ほど効果的ではありません。参考文献 = CRISC レビューマニュアル、第 6 版、ISACA、2015 年、217 ページ。

The greatest concern with the situation of combining the second and third lines of defense in a new department that reports to a recently appointed C-level executive is that the independence of the internal third line of defense may be compromised. The second line of defense is the function that oversees and supports the risk management activities of the first line of defense, which is the function that owns and manages the risks.
The third line of defense is the function that provides independent assurance of the risk management activities, such as the internal audit function. Combining the second and third lines of defense in a new department may compromise the independence of the internal third line of defense, as it may create a conflict of interest, bias, or influence among the functions, and impair the objectivity, credibility, and quality of the assurance activities.
The independence of the internal third line of defense is essential for ensuring that the risk management activities are performed in a consistent and effective manner, and that the issues and gaps are identified and reported without fear or favor. The risk governance approach of the second and third lines of defense may differ, cost reductions may negatively impact the productivity of other departments, and the new structure may not be aligned to the organization's internal control framework are also concerns, but they are not as great as the compromise of the independence of the internal third line of defense, as they do not directly affect the assurance and accountability of the risk management activities. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 36.

Section: Volume D