Independent Code Review (systematically enforced segregation of duties)

AL Refs: CHM07, VMN04, ACL20

Purpose

Segregation of duties is a key control activity that ensures at least two individuals are involved in every code change. This mitigates the risk of error and of inappropriate changes (e.g. a rogue developer), and helps ensure the formal change control process is followed. There are four main methods used:

  1. Systematically enforced peer review of code changes (example below);
  2. Systematically enforced approval of releases prior to deployment;
  3. Complete segregation of developer and operations roles including the access so developers cannot release to production;
  4. Configured alerts for code changes and deployments to ensure adequate oversight.

That last method is generally a last resort for small organisations where the other three are not feasible.

Example Evidence

Github

[Screenshot: GitHub example evidence, captured 2022-08-16 1:44 pm]
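As an added example (not part of the original page), the check below evaluates the branch-protection settings GitHub reports for a branch against the first method above, systematically enforced peer review. It assumes the JSON shape returned by the GitHub REST API endpoint `GET /repos/{owner}/{repo}/branches/{branch}/protection`; the sample payload and the policy thresholds are constructed for illustration.

```python
"""Verify that a GitHub branch-protection payload enforces independent review.

Added example, not the page's own code. Feed it the JSON returned by
GET /repos/{owner}/{repo}/branches/{branch}/protection (for example from
`gh api repos/OWNER/REPO/branches/main/protection`) and it reports any gap
in the segregation-of-duties control.
"""
import json
from typing import List

# Constructed sample response: field names follow the GitHub REST API, values are made up.
SAMPLE_PROTECTION = json.dumps({
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": False,
    },
    "enforce_admins": {"enabled": False},
    "required_status_checks": {"strict": True, "contexts": ["ci/build"]},
})


def review_findings(protection_json: str, min_reviews: int = 1) -> List[str]:
    """Return policy failures; an empty list means peer review is systematically enforced."""
    protection = json.loads(protection_json)
    findings: List[str] = []

    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        # Without this block, changes can be merged with no second individual involved.
        findings.append("pull request reviews are not required")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < min_reviews:
            findings.append(f"only {count} approving review(s) required, need {min_reviews}")
        if not reviews.get("dismiss_stale_reviews", False):
            # An approval given before the last push no longer covers what is merged.
            findings.append("approvals are not dismissed when new commits are pushed")

    if not protection.get("enforce_admins", {}).get("enabled", False):
        # Admin bypass defeats the "two individuals" requirement for privileged users.
        findings.append("administrators can bypass the review requirement")
    return findings


if __name__ == "__main__":
    for finding in review_findings(SAMPLE_PROTECTION) or ["control enforced"]:
        print(finding)
```

Run it per protected branch as part of periodic evidence collection; a non-empty result is the list of settings to correct before the screenshot above can be relied on as evidence.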