The whole audit of one control, laid out plainly: a developer must not be able to build a change and release it to production without independent approval. Follow the flow, use the tool named at each step.
Re-perform the conflict analysis yourself — pull the access data and flag the toxic combinations — then prove the control technically enforces the separation. Source-code review only where it's enforced in custom code.
Nine stages in three phases. Each card says what you do and which part of the pack you use — expand a step for what a pass and an exception look like.
Define the control, the conflicting duties in scope, the systems and pipelines involved, and the audit period.
Interview the control owner, IAM admin and DevOps lead; walk one change from a developer's commit all the way to production.
Decide whether the process, as designed, actually stops one person from holding conflicting duties.
Export who can develop, who can approve and who can deploy — plus the list of production deployments for the period.
Map every user to their capabilities and flag anyone holding a conflicting combination. Your independent re-run — don't rely on the client's own analysis.
Prove the control enforces it: approval gate required and non-self-approvable, branch protection on, deploy restricted to a separate role.
For each conflict found, check whether an independent detective review catches it, and judge the residual risk.
Reference every piece of evidence, record the result of each step, and conclude on whether SoD operated effectively.
Summarise the findings, the risk and the recommendations for the report.
The heart of the test. Any single person holding two capabilities marked Conflict breaches segregation of duties. This is what step 1 defines and step 5 checks against.
C1 Develop / commit · C2 Review / approve · C3 Deploy to prod · C4 Manage access · C5 Modify pipeline
Step 8 lives or dies on evidence quality. Whatever you capture, hold it to four tests.
Record the capture date and time in UTC — and get the on-screen clock into the screenshot where you can.
Note which system and account it came from, and which export or query produced it.
A single point-in-time snapshot won't survive a review that covers a whole period.
Keep the raw export. Note any redaction. Reference every item to the step it supports.
The walkthrough above maps onto eight working tabs — the fillable tools you actually run the audit in.