Mini-gods and SoD Controls

"Mini-gods," in the context of segregation of duties (SoD) in software engineering, are individuals or teams who have broad knowledge of the software development process and a high level of control or influence over the development and implementation of software systems.

In software engineering organizations, the segregation of duties is a principle designed to reduce the risk of errors or fraud by dividing responsibilities among different individuals or teams. The goal is to ensure that no person or group has complete control over all aspects of the software development process. By dividing responsibilities in this way, it becomes more difficult for an individual to engage in fraudulent or dishonest activities without being detected.

Going around the door

However, if an individual or team is considered a "mini-god," it may mean that they have a high level of knowledge and expertise in the software development process and a significant amount of control or influence over the development and implementation of software systems. In this case, ensuring adequate segregation of duties may be more challenging, as the "mini-god" may have a broad range of responsibilities and can override the controls and go around the door.

When these controls work, for example by preventing any person or team from writing and deploying new code without oversight, they help ensure the software's accuracy and integrity. However, if the controls over the segregation of duties are lacking or ineffective, the result can be deficiencies in the financial audit report in several ways when the new code affects revenue generation, reporting, or recognition pipelines:

  1. Inaccurate financial statements: If controls over the segregation of duties are ineffective, there is a greater risk of errors or fraud in the software development process. This flaw may create a reasonable possibility (as those terms are used in paragraph 3 of Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies) of inaccurate financial statements, leading to deficiencies in the financial audit report.

  2. Internal control deficiencies: Ineffective segregation of duty controls can also result in deficiencies in the internal control environment. The auditor can identify this as a significant deficiency or material weakness. A material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis, as defined in PCAOB AS 2201.62-.70 paragraphs 02 and 03.

  3. Increased risk of fraud: Lack of segregation of duty controls can also increase the risk of fraud, which the auditor can identify as a potential issue during the audit. The auditor may report this risk in the financial audit report.

Given the size of some software development teams and the complexity of their environments, mini-gods may be necessary to ensure the system's ongoing performance. Mitigation strategies may include:

  1. Requiring approvals: This involves establishing a process for reviewing and approving changes to the software before they are implemented. It can help to ensure that changes are reviewed by multiple people, reducing the risk of errors or fraud.

  2. Implementing access controls: This involves restricting access to certain parts of the software development process or system to specific individuals or teams.

  3. Implementing separation of duties: This involves dividing responsibilities so that no individual or team has complete control over all aspects of the software development process.

  4. Conducting regular reviews and audits: This involves regularly reviewing the software development process and conducting audits to ensure that SoD controls are followed and effective. Consider deploying data analytics and automation tools to assess system-generated logs systematically.

  5. Providing training and education: Ensuring that all employees involved in the software development process are aware of the importance of SoD controls and how to follow them can help to reduce the risk of errors or fraud and ensure that the controls are observed consistently.

  6. Establishing a robust internal control environment: A robust internal control environment can help ensure that SoD controls are followed consistently and effectively. Part of the effort consists of establishing clear policies and procedures, setting up a system for monitoring and reviewing rules, and providing employees with the resources and support they need to follow the controls.
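
One way to automate the log review in item 4 against the write-and-deploy control described earlier, as an added example that is not part of the original article. The record schema, field names, and path prefixes are assumptions, and the sample records are constructed.

```python
import json
from collections import Counter

# Constructed sample: one JSON record per deployed change (hypothetical schema).
SAMPLE_LOG = """\
{"change": "C-101", "author": "alice", "approvers": ["bob"], "deployer": "carol", "paths": ["billing/invoice.py"], "review_bypassed": false}
{"change": "C-102", "author": "dave", "approvers": ["dave"], "deployer": "dave", "paths": ["revenue/recognition.py"], "review_bypassed": false}
{"change": "C-103", "author": "dave", "approvers": [], "deployer": "erin", "paths": ["billing/tax.py"], "review_bypassed": true}
{"change": "C-104", "author": "frank", "approvers": [], "deployer": "frank", "paths": ["docs/readme.md"], "review_bypassed": true}
{"change": "C-105", "author": "alice", "approvers": ["bob"], "deployer": "alice", "paths": ["revenue/report.py"], "review_bypassed": false}
"""

# Assumption: these prefixes mark code that feeds revenue pipelines.
SENSITIVE_PREFIXES = ("billing/", "revenue/")

def sod_findings(log_text, prefixes=SENSITIVE_PREFIXES):
    """Return (change, actor, reason) for each SoD breach on sensitive paths."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not any(p.startswith(prefixes) for p in rec["paths"]):
            continue  # out of scope for financial-reporting controls
        author = rec["author"]
        # An approval by the author does not count as oversight.
        independent = [a for a in rec["approvers"] if a != author]
        if rec["review_bypassed"]:
            findings.append((rec["change"], author, "review bypassed"))
        elif not independent:
            findings.append((rec["change"], author, "no independent approval"))
        if rec["deployer"] == author:
            findings.append((rec["change"], author, "author deployed own change"))
    return findings

def repeat_actors(findings, threshold=2):
    """Actors with findings on >= threshold distinct changes (possible mini-gods)."""
    per_actor = Counter(actor for _, actor in {(c, a) for c, a, _ in findings})
    return sorted(a for a, n in per_actor.items() if n >= threshold)

if __name__ == "__main__":
    results = sod_findings(SAMPLE_LOG)
    for change, actor, reason in results:
        print(f"{change}: {actor}: {reason}")
    print("repeat actors:", repeat_actors(results))
```

Each finding is evidence for a reviewer to follow up on, and the repeat-actor list points to where a compensating control is most needed.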


Overall, it is essential for software engineering organizations to have adequate segregation of duty controls in place to ensure the accuracy and integrity of their software and financial statements.