Agenda
Sarbanes-Oxley Act Compliance (SOX)
- SOX Compliance Requirements
- Control System and Sections in SOX
- Advantages and Disadvantages of SOX
Segregation of Duties (SOD)
- SOD Conflicts
- Segregation of Duties and Role Matrix
- SOD Risks and Remediation Approach
- SOD Implementation
- Advantages of SOD
Historical Perspective of SOX
• The SOX Act is a United States federal law
• SOX was created as a reaction to corporate scandals; the timeline leading up to it:
- 1960-1980s: Quality movement (TQM, BPR, Deming, etc.)
- 1990s: Dot-com bubble, market euphoria
- 2001: Enron
- 2002: WorldCom
- 2002: Sarbanes-Oxley
• Also known as
- 'Public Company Accounting Reform and Investor Protection Act' and
- 'Corporate and Auditing Accountability and Responsibility Act'
• It is named SOX after its sponsors, U.S. Senator Paul Sarbanes and U.S. Representative (Congressman) Michael G. Oxley
Sarbanes-Oxley Act 2002
• Enacted to prevent corporate and accounting scandals at prominent public companies and to protect investors
• SOX is designed to protect shareholders' investments from fraud and deception
• Its reporting and internal-control requirements do not apply to privately held companies
• The act contains 11 titles or sections, ranging from additional corporate board responsibilities to criminal penalties
• It requires the Securities and Exchange Commission (SEC) to issue rules implementing its requirements
• Changes how companies manage:
- Auditors
- Financial Reporting
- Executive Responsibility
- Internal Controls
SOX Compliance Requirements
• SOX compliance is based on three principles:
- Integrity
- Accuracy
- Accountability
• All publicly traded companies in the United States must comply with SOX
• Companies initiating an Initial Public Offering (IPO) must also comply with SOX
• Companies release all relevant financial data, ensuring the 'integrity' of the data
• The released data must be reliable, ensuring its 'accuracy'
• Finally, SOX mandates that the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) verify the data and accept 'accountability' for errors
Control System
• What is a control system?
For SOX compliance, the control system is the process of organizing and monitoring the different procedures and processes that take place in an organization, in the best interest of the company and its investors.
• Many industries follow COSO (Committee of Sponsoring Organizations) and ITGI (IT Governance Institute) guidance for SOX compliance.
• Financial reporting systems are heavily dependent on a well-controlled IT environment (ITGI 2004)
• Internal controls include information security controls
• ITGI identified the security controls required by SOX in the following areas:
- Security Policy
- Security Standards
- Access and Authentication
- Network Security
- Monitoring
- Segregation of Duties
- Physical Security
Sections of SOX
• The Sarbanes-Oxley Act is arranged into eleven titles or sections. As far as compliance is concerned, the most important sections are as follows
• Section 103 - Auditing, Quality Control, and Independence Standards and Rules - Requires retention of all audit-related records (including electronic records) for 7 years.
• Section 201 - Services Outside the Scope of Practice of Auditors - Prohibits registered auditors from providing certain non-audit services to their audit clients.
• Section 302 - Corporate Responsibility for Financial Reports - Requires the CEO and CFO to certify the accuracy of corporate financial reports.
• Section 404 - Management Assessment of Internal Controls - Requires management to assess, and the external auditor to attest to, the effectiveness of internal controls over financial reporting.
• Section 406 - Code of Ethics for Senior Financial Officers - Requires disclosure of whether the issuer has adopted a code of ethics for its senior financial officers.
• Section 409 - Real Time Issuer Disclosures - Requires disclosure of material changes in the issuer's financial condition or operations "on a rapid and current basis."
• Section 802 - Criminal Penalties for Altering Documents - Requires retention and protection of audit and related documents, including electronic records, and penalizes their destruction or falsification.
Importance of 302 and 404
• Section 302 requirements: the CEO and CFO must certify the following:
- They have reviewed the quarterly or annual financial report
- The report fairly represents the company's financial position
- They are responsible for the disclosure controls and procedures
- They have evaluated the effectiveness of those controls and procedures
- They have disclosed any weaknesses or control changes to the external auditors
• Section 404 requirements: internal control report and external auditor attestation:
- Each annual report must contain an internal control report
- The internal control report requires the external auditors to attest to management's assertions about internal controls and procedures for financial reporting
Advantages of SOX
• Helps organize and develop controls
• Encourages re-evaluation and monitoring of current controls
• Organizes the year-end financial process effectively
• Prevents fraud
• Improves company image
Disadvantages
• Increasing the number and functions of internal controls slows and delays financial statement preparation
• Using existing employees from outside the accounting office is not acceptable, because it breaks down the internal controls function
• Global problem, local hell
Segregation of Duties (SOD)
• Separation of incompatible business duties and/or responsibilities
• Segregation of Duties is implemented through access controls
• Access control ensures that no single individual has control over two or more phases of a transaction or operation
• SOD controls apply to both the Information Technology organization and the business units
• Segregation of Duties ensures that:
- Errors are less likely, as SoD provides a cross-check across roles/responsibilities
- The risk of fraud is reduced, as fraud would require collusion between two or more individuals
- There is a clear separation of roles/responsibilities across the various functions in the organization
- Section 404 internal-control guidance (COSO, ITGI) specifically calls for good SOD controls
What happens if SOD does not exist?
• If proper SoD does not exist in an organization, then:
- Internal access controls are ineffective
- Materials, money, financial assets and resources may be misused
- Estimates of the company's financial condition may be wrong
- Financial documents produced for audits and reviews may be incorrect
• A common misconception is that "if the company hires good people, SOD is not an issue"; controls cannot rely on the honesty of individuals
• Where proper SOD cannot be implemented, a mitigating control should be designed to keep a check on the unresolved SoD conflict
• Examples of mitigating controls: an independent review of the database tables where the user's created and modified transactional data is stored, or a periodic review of transaction logs
404 and Segregation of Duties
• To comply with section 404 of SOX:
Requirements of Management:
- Identify and document the processes and SOD controls across IT security and financial processes
- Where appropriate SOD cannot be implemented, design and document mitigating controls
- Design monitoring controls for critical processes and critical roles
- Implement SOD and mitigating controls
- Ensure continuous compliance by monitoring and tracking the controls
Requirements of Auditors:
- The auditor must understand how management addressed Segregation of Duties in its 404 compliance program
- The auditor must test the effectiveness of the SOD controls
SOD Components
• Incompatible job functions: to maintain proper SOD, no employee should be responsible for two or more of the following four functions for a single transaction class.
- Record Keeping: creating and maintaining departmental records
- Asset Custody: access to and/or control of physical assets
- Authorization: reviewing and approving transactions
- Reconciliation: assurance that transactions are proper
Common SOD Conflicts
• Common causes of SOD conflicts
- Lack of understanding of application security
- Excessive access assigned to the user community
- Lack of management oversight and review
- Organizational structure
• Information Technology organization
- Developers with update access to production data and migration processes
- Security officers with system administration capabilities
• Process level
- Users with the ability to add vendors and control payments
- Payroll and employee administration capabilities
- Input and review performed by the same person
Technical Conflicts
• There are two types of technical conflicts
1. Intra conflict - Arises from a role (e.g. a user profile) being defined with excessive, conflicting privileges; the risk reaches the user through a single security object
2. Extra conflict - Arises from multiple security roles being assigned to a user; the conflicting privileges reach the user through multiple security objects
[Diagram: Intra conflict - one security object grants both conflicting privileges to the user. Extra conflict - two security objects each grant one of the conflicting privileges to the same user.]
Segregation of Duties and Role Matrix
• Segregation of Duties can be represented in a role matrix.
• The role matrix is a two-dimensional matrix.
• All the roles/responsibilities and functions/processes in the enterprise are identified and placed along the two axes of the matrix.
• For each combination of role/responsibility (x-axis) and function/process (y-axis), a flag marks whether the combination is conflicting or not.
[Sample role matrix: six processes against six responsibilities, one responsibility per process; X marks the existence of a conflict.]
SOD Risks
• SOD conflicts exist when a user is assigned multiple roles that together allow a significant amount of control over a business process
• Control ID: the unique id that identifies a mitigating control
• The Control ID should carry functional team information so that the owning team can be identified
Mitigate Control
• Once you accept an SOD conflict, you must mitigate the risk caused by allowing the conflict to exist. To mitigate the risk, you assign a Mitigating Control to the SOD conflict
• A Mitigating Control is in place to document:
– The reason why the risk is permitted to exist
– The names of the individuals who will own and monitor the risk
– The actions the mitigation monitor will take to effectively monitor the risk
– The frequency with which the risk will be monitored
Remediate Control
• You can remediate an SoD conflict by removing the conflicting role assignment from the user. The other option is to remove the conflicting transaction from the role itself
Remediation approach
• Risk Identification and Remediation software helps automate all SOD-related activities.
• It detects even obscure access and authorization risks across SAP and non-SAP applications, covering segregation of duties and transaction monitoring.
• It enables fast access and authorization control and efficient remediation
• It mitigates access and authorization risks by automating workflows
• It enables collaboration between business and technical users.
Examples of functional risks
• Create a vendor and process payment to that vendor
• Change a vendor's bank account and process payment to a fraudulent bank account
• Enter an invoice and release the invoice
• Process a purchase order to a vendor
• Create or maintain a shopping cart and approve the shopping cart
• Maintain an employee record and process payroll
SOD Implementation
Implementation of SOD is done in the form of a project; the steps are described below:
• Identify the objectives of the organization and survey the nature of the job profiles in the organization
• Identify the processes that are followed in the organization.
• Identify the current state of roles/responsibilities and authorizations in the enterprise.
• Create the role matrix. Mark roles on one axis and functions on the other. For each cell, determine whether there would be an SOD conflict if access to that function were given to a single individual holding that role, and flag the position in the matrix with Yes or No
• After analyzing the SOD conflicts in the role matrix, discuss them with management and make the changes required to resolve them.
• Where a conflict in the role matrix cannot be resolved, design mitigating controls.
• According to the findings in the role matrix, generate the roles and mitigating controls within the enterprise system.
• Create a document that clearly defines the required changes in a simple and organized manner.
• Document the various roles, processes and mitigating controls for auditing and reporting.
• Inform management of, and report on, the changes required
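The role matrix, the intra/extra technical conflict types, the mitigate/remediate options and the implementation steps above can all be exercised in code. The following Python is an added example written for this page; it is not from the slides or from any GRC product. The duty names, roles, users and conflicting-pair rules are constructed sample data loosely modelled on the 'Examples of functional risks' list, and every function and class name is this example's own.

```python
"""Role-matrix SOD checker: added example, not from the slides.
Duty names, roles, users and conflict rules are constructed sample data."""
from dataclasses import dataclass
from itertools import combinations

# Constructed rules: duty pairs one person must not hold for the same
# transaction class (modelled on the 'functional risks' list above).
CONFLICT_RULES = {
    frozenset({"create_vendor", "process_payment"}),
    frozenset({"change_vendor_bank", "process_payment"}),
    frozenset({"enter_invoice", "release_invoice"}),
    frozenset({"create_cart", "approve_cart"}),
    frozenset({"maintain_employee", "process_payroll"}),
}

# Constructed roles (security objects) -> duties (privileges) they grant.
ROLES = {
    "AP_CLERK": {"enter_invoice", "create_vendor"},
    "AP_MANAGER": {"release_invoice", "process_payment"},
    "VENDOR_ADMIN": {"create_vendor", "change_vendor_bank", "process_payment"},
    "HR_ADMIN": {"maintain_employee"},
    "PAYROLL_CLERK": {"process_payroll"},
}

# Constructed user -> role assignments.
USERS = {
    "alice": {"AP_CLERK", "AP_MANAGER"},  # conflicts only across two roles
    "bob": {"VENDOR_ADMIN"},              # conflicts inside a single role
    "carol": {"HR_ADMIN"},                # clean
}


def conflicts(duties, rules=CONFLICT_RULES):
    """Every conflicting duty pair present in a set of duties."""
    return {frozenset(p) for p in combinations(sorted(duties), 2)
            if frozenset(p) in rules}


def role_matrix(roles=ROLES, rules=CONFLICT_RULES):
    """Role x duty matrix: True where granting that duty to that role would
    conflict with a duty the role already holds (the 'X' in the slides)."""
    duties = sorted({d for pair in rules for d in pair})
    return {role: {d: any(frozenset({d, held}) in rules
                          for held in granted if held != d)
                   for d in duties}
            for role, granted in roles.items()}


@dataclass(frozen=True)
class Finding:
    user: str
    pair: frozenset    # the two conflicting duties
    kind: str          # "intra": one role grants both; "extra": across roles
    roles: frozenset   # the assigned roles that grant either duty


def evaluate_user(user, assigned, roles=ROLES, rules=CONFLICT_RULES):
    """Expand a user's roles to effective duties and classify each conflict."""
    held = {d for r in assigned for d in roles[r]}
    findings = set()
    for pair in conflicts(held, rules):
        granting = frozenset(r for r in assigned if roles[r] & pair)
        kind = "intra" if any(pair <= roles[r] for r in assigned) else "extra"
        findings.add(Finding(user, pair, kind, granting))
    return findings


def remediate_remove_role(assigned, role):
    """Remediation option 1: drop the conflicting role from the user."""
    return assigned - {role}


def remediate_remove_duty(roles, role, duty):
    """Remediation option 2: remove the transaction from the role itself."""
    return {**roles, role: roles[role] - {duty}}


@dataclass(frozen=True)
class MitigatingControl:
    """Documents an accepted conflict; fields follow the Mitigate Control slide."""
    control_id: str    # unique id, prefixed with the owning functional team
    reason: str
    owners: tuple
    monitoring_action: str
    frequency: str


def open_findings(findings, mitigations):
    """Findings neither remediated nor covered by a mitigating control.
    `mitigations` maps (user, conflicting pair) -> MitigatingControl."""
    return {f for f in findings if (f.user, f.pair) not in mitigations}


if __name__ == "__main__":
    for user, assigned in USERS.items():
        for f in sorted(evaluate_user(user, assigned), key=lambda f: sorted(f.pair)):
            print(f"{user}: {f.kind} conflict {sorted(f.pair)} via {sorted(f.roles)}")
```

Running the block reports two extra conflicts for alice (reachable only through the combination of AP_CLERK and AP_MANAGER) and two intra conflicts for bob (VENDOR_ADMIN alone grants vendor maintenance and payment). The same rules drive both checks: the role matrix answers "would adding this duty to this role create a conflict" at design time, while evaluate_user answers "does this assignment already contain a conflict" at review time, so a remediation chosen with remediate_remove_role or remediate_remove_duty can be re-verified before it is applied in the enterprise system.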
Advantages of SOD
• SOD helps to manage risks.
• SOD controls support frequent audits and reviews.
• SOD controls can be used to measure and resolve the risks associated with the different roles and their access to functions.
• To resolve conflicts, design the various roles, functions and processes executed in the enterprise according to business needs