Monday, June 1, 2009

Segregation of Duties and Its Role in Sarbanes-Oxley Compliance Issues

In the aftermath of some highly publicized cases of corporate fraud, the US government announced legislation designed to implement compliance and financial-reporting standards. The most notable of these laws is the Sarbanes-Oxley Act (SOX) of 2002. The primary goal of SOX is to enforce a higher level of transparency into organizations' business processes, financial transactions, and accounting methods, to ensure that known and accepted accounting principles are practiced.

In this new SOX era, the issue of compliance spans several industries, attempting to harmonize evolving standards across both public and private sector organizations. The requirement of standardized reporting of financial information now forces organizations that had once been less transparent to tighten and streamline their audit and control practices on an ongoing basis.

Traditional Audit and Compliance Standards Prior to SOX

Pre-SOX standards were designed to ensure a modicum of corporate governance by focusing on the areas outlined by the Committee of Sponsoring Organizations (COSO) and on an IT system process framework. This framework was provided by the Control Objectives for Information and Related Technology (COBIT) IT process standard, which was developed in 1992 by the Information Systems Audit and Control Association (ISACA). COBIT was to provide adequate control levels for organizational structure, ethical standards, and board and audit committee review. It was the earliest set of audit standards established to cope with IT processes and audit procedures. COBIT focused on application controls, general control of information systems, and security issues.

Reporting standards used prior to SOX remain in place today. Of these, the most notable are the EU's adopted version of the International Financial Reporting Standards (IFRS) and the US's Generally Accepted Accounting Principles (GAAP). In 2002, an accord known in financial industry circles as the Norwalk Agreement was struck. This agreement states that US-based companies' financial-reporting procedures are to be harmonized with the European standard by the end of 2008. The implementation of SOX for firms that import into and export out of the United States is yet another layer of compliance standards recently introduced. Table 1 lists several other audit control standards, both pre- and post-SOX.

Regulation

Purpose/Target Industry

SOX

publicly traded US companies

ISO 17199

IT security standards

Canadian bills 198, 52-109, and 52-111

Canada 's SOX equivalents

Basel II Accords

G8 regulations for international banking

Health Insurance Portability and Accountability Act (HIPAA)

US health and medical industries

Office of Management and Budget (OMB) Circular A-123

US government agency financial standards

Solvency II

European insurance industry standards

IFRS

European accounting standards

Office for Economic Co-operation and Development (OECD) principles

EU agencies of internal controls

GAAP

US-based generally accepted accounting principles

Table 1. Key audit control standards.

Segregation of Duties

Within SOX is a provision entitled Section 404. This section is a comprehensive list of accepted internal controls organizations must have in place to be deemed SOX-compliant. The list targets application internal controls and highlights areas where fraudulent reporting is likely to occur, whether intentional or not. Among key provisions in this section is segregation of duties (SOD). SOD aims to close loopholes that would otherwise permit questionable accounting practices; one of its key attributes is that it allows the monitoring of processes and cross-verification of transactions processed in real time.

In simplified terms, SOD is based on the concept of having more than one person in an organization that is able and mandated to complete a task. SOD is a security principle whose main goals are the prevention of fraud and errors. These two objectives are realized through the reviewing of business processes and the dissemination of tasks and associated authorizations among several levels of hierarchy. Such actions serve as validation—in other words, they are a series of checks and balances.

One way to illustrate the key tenets of SOD is to consider an accounting department in any small to medium business (SMB). Here, some of the day-to-day activities include the receiving of checks as invoice payments, approval of employee time cards, processing of payroll checks, and reconciliation of bank statements. Within these activities a form of SOD is already in place—usually the issuing of checks requires different levels of authorization and more than one signature. In essence, more than one person validates a process or activity.

In terms of IT, SOD issues are not as clearly defined, and in many instances, individuals in an SMB have multiple levels of responsibility, which can call into conflict the stated goals of SOX and SOD.

Following are five circumstances in which IT processes can conflict with the goals of SOD:

  1. Improper account provisioning for change, meaning access rights to applications are not changed (revoked) when employees leave the organization or a department.

  2. Insufficient control of change management issues, meaning a change is made to a financial application or process without documented record of the date the change occurred, the nature of the change, and which persons in the organization are impacted by the change, for quality assurance purposes.

  3. IT departments lack an understanding of key system configuration workflow processes.

  4. No audit logs are used to document unusual system or application occurrences.

  5. No root cause analysis is performed to determine what caused an unusual event.

Twin Pillars of Protection

In any organization, IT serves as both the gatekeeper and the distribution point for information. Financial-reporting serves as the means to support an IT infrastructure. Insofar as systems infrastructure and financial reporting are linked, the requirement to ensure the integrity of the system and the processes that support it are in compliance with accepted standards and practices. Within these twin pillars of protection are principles that must be adhered to in order to ensure the integrity of the system, the public's confidence in the system, and that all key requirements of SOX Section 404 are met. Figure 1 depicts the basic steps to take to meet these requirements.

Figure 1. Key elements to support SOX and SOD.

1. Study business control processes.

Below are three of the primary business control processes essential to support SOX compliance:

  1. Controls found within most ERP systems—these controls reconcile orders processed only with prescribed customer credit limits. All goods shipped have an associated invoice.

  2. General IT controls—these allow authorized individuals access control to order management and receivables applications. This process ensures that system upgrades and fixes are documented.

  3. Manual controls—these controls ensure that only authorized individuals can alter or cancel a customer order.

2. Develop and automate internal testing to support the system.

Most organizations typically run financial reports on a monthly and a quarterly basis, reporting the organization's performance in terms of budget and projected sales. To ensure compliance to SOX-SOD requirements, these two procedures are essential:

1.

Using internal data to ensure that no sales or financial records can be altered without being identified, logged, and reviewed by three levels of authorization.
2.

Reviewing examples of where individuals contravene SOD requirements (e.g., persons who perform procurement activities cannot also be involved in the receiving of inventory and the posting of accounts payable).

The purpose of this exercise is to demonstrate that an internal, documented process exists to segregate responsibilities and prevent any ability to alter or destroy financial-related data.

3. Analyze test results with known compliance standards (e.g., COBIT, COSO).

When organizations are in the process of selecting enterprise software applications (e.g., an ERP system), due diligence is advised as part of the request for proposal (RFP) process to ensure that the proposed vendor's solution adheres to known financial-reporting and compliance standards in its industry. When interfacing a new solution with a legacy application or with an internally developed in-house system, the COBIT and SOX models should be the fundamental criteria for assessing whether the new system meets your organization's compliance and financial-reporting requirements. Following are some additional points to consider:

*

Data revision management—changes to financial-reporting data should be carefully managed, ensuring that all modifications are authorized and documented.
*

Contracts—all IT vendor contracts and service level agreements (SLAs), including their financial implications, must be clearly defined.
*

Third-party equipment—third-party software must abide by known and accepted standards. License and user requirements must be defined in vendors' contracts, as these requirements are also subject to known performance criteria indicated in the vendor SLA at the time of software purchase.
*

Access control—ensure users have an identifiable security password and user code, which tracks access and transactions performed.
*

Security—the system must be in compliance with ISO 17799 and designed in a way that limits disclosure or access to unauthorized parties.
*

Incident management—the system must record all incidents of failure or loss of data, and must support Information Technology Infrastructure Library (ITIL) guidelines. Corrective action to be taken must be documented so that it can be retrieved, and the work performed by another person.

SOD Checklist

If your organization is planning to review its SOX- and SOD-readiness, then a good starting point is to obtain a copy of the ISACA's segregation of duties control matrix to use as a general guideline. If after reviewing the matrix you conclude that your company performs certain tasks that cannot be segregated, then you can implement a series of further controls. Below are a few separate control procedures to help achieve SOX-SOD compliance:

*

Ensure that transparent audit trails are in place, that management is aware of each individual's level of responsibility, and that corresponding authorization is established.
*

Ensure that information related to who did the work, who approved the work, and the date and time the activity was executed are documented in the audit trail.
*

Enable the ability to review transactions at random times, thus instilling confidence in the process.

A Final Word

The introduction of SOX is hoped to bring a new level of accountability to the corporate world. It is believed by many that from the cases of corporate fraud in the United States several years ago, a new opportunity has emerged for corporate America to show integrity and prove that the interests of customers, employees, and shareholders are its primary concern. The positive outcome in all of this has been that those running organizations realize that their companies are part of the community they serve, and unethical behavior will not be tolerated. The compliance aspects of SOX and SOD, though challenging to understand at first, limit the opportunity (or chance) for wrongdoing, and ensure that organizations employ streamlined and verifiable processes to run their business.

1 comment:

  1. Firstly, I do not disagree with the concept of Separation/Segregation of Duties as an internal control. That said, I don't know why I see all of these references to SOX. The Sarbanes-Oxley act does not require, or even mention, SoD. You mention above that it is part of section 404, it's not. Here is section 404 in its entirety:
    SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
    (a) RULES REQUIRED.—The Commission shall prescribe rules
    requiring each annual report required by section 13(a) or 15(d)
    of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d))
    to contain an internal control report, which shall—
    (1) state the responsibility of management for establishing
    and maintaining an adequate internal control structure and
    procedures for financial reporting; and
    (2) contain an assessment, as of the end of the most recent
    fiscal year of the issuer, of the effectiveness of the internal
    control structure and procedures of the issuer for financial
    reporting.
    (b) INTERNAL CONTROL EVALUATION AND REPORTING.—With
    respect to the internal control assessment required by subsection
    (a), each registered public accounting firm that prepares or issues
    the audit report for the issuer shall attest to, and report on, the
    assessment made by the management of the issuer. An attestation
    made under this subsection shall be made in accordance with standards
    for attestation engagements issued or adopted by the Board.
    Any such attestation shall not be the subject of a separate engagement.

    As you can see, SoD is not mentioned, nor is it "..a comprehensive list of accepted internal controls organizations must have in place to be deemed SOX-compliant."

    How is it that you can make such a statement without actually reading the law?

    ReplyDelete