Wednesday, August 18, 2010

Segregation of Duties and Its Role in Sarbanes-Oxley Compliance Issues

In the aftermath of some highly publicized cases of corporate fraud, the US government announced legislation designed to implement compliance and financial-reporting standards. The most notable of these laws is the Sarbanes-Oxley Act (SOX) of 2002. The primary goal of SOX is to enforce a higher level of transparency into organizations' business processes, financial transactions, and accounting methods, to ensure that known and accepted accounting principles are practiced.

In this new SOX era, the issue of compliance spans several industries, attempting to harmonize evolving standards across both public and private sector organizations. The requirement of standardized reporting of financial information now forces organizations that had once been less transparent to tighten and streamline their audit and control practices on an ongoing basis.

Traditional Audit and Compliance Standards Prior to SOX

Pre-SOX standards were designed to ensure a modicum of corporate governance by focusing on the areas outlined by the Committee of Sponsoring Organizations (COSO) and on an IT system process framework. This framework was provided by the Control Objectives for Information and Related Technology (COBIT) IT process standard, which was developed in 1992 by the Information Systems Audit and Control Association (ISACA). COBIT was to provide adequate control levels for organizational structure, ethical standards, and board and audit committee review. It was the earliest set of audit standards established to cope with IT processes and audit procedures. COBIT focused on application controls, general control of information systems, and security issues.

Reporting standards used prior to SOX remain in place today. Of these, the most notable are the EU's adopted version of the International Financial Reporting Standards (IFRS) and the US's Generally Accepted Accounting Principles (GAAP). In 2002, an accord known in financial industry circles as the Norwalk Agreement was struck. This agreement states that US-based companies' financial-reporting procedures are to be harmonized with the European standard by the end of 2008. The implementation of SOX for firms that import into and export out of the United States is yet another layer of compliance standards recently introduced. Table 1 lists several other audit control standards, both pre- and post-SOX.

Regulation                                                       Purpose/Target Industry
---------------------------------------------------------------  ----------------------------------------------
SOX                                                              publicly traded US companies
ISO 17799                                                        IT security standards
Canadian bills 198, 52-109, and 52-111                           Canada's SOX equivalents
Basel II Accords                                                 G8 regulations for international banking
Health Insurance Portability and Accountability Act (HIPAA)      US health and medical industries
Office of Management and Budget (OMB) Circular A-123             US government agency financial standards
Solvency II                                                      European insurance industry standards
IFRS                                                             European accounting standards
Office for Economic Co-operation and Development (OECD) principles  EU agencies of internal controls
GAAP                                                             US-based generally accepted accounting principles

Table 1. Key audit control standards.

Segregation of Duties

Within SOX is a provision entitled Section 404. This section is a comprehensive list of accepted internal controls organizations must have in place to be deemed SOX-compliant. The list targets application internal controls and highlights areas where fraudulent reporting is likely to occur, whether intentional or not. Among key provisions in this section is segregation of duties (SOD). SOD aims to close loopholes that would otherwise permit questionable accounting practices; one of its key attributes is that it allows the monitoring of processes and cross-verification of transactions processed in real time.

In simplified terms, SOD is based on the concept of having more than one person in an organization who is able and mandated to complete a task. SOD is a security principle whose main goals are the prevention of fraud and errors. These two objectives are realized by reviewing business processes and distributing tasks and their associated authorizations among several levels of the hierarchy. Such actions serve as validation—in other words, they are a series of checks and balances.

One way to illustrate the key tenets of SOD is to consider an accounting department in any small to medium business (SMB). Here, some of the day-to-day activities include the receiving of checks as invoice payments, approval of employee time cards, processing of payroll checks, and reconciliation of bank statements. Within these activities a form of SOD is already in place—usually the issuing of checks requires different levels of authorization and more than one signature. In essence, more than one person validates a process or activity.

In terms of IT, SOD issues are not as clearly defined, and in many instances individuals in an SMB hold multiple levels of responsibility at once, which can conflict with the stated goals of SOX and SOD.
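The checks and balances described above can be expressed as a simple rule set that an access-review script can enforce. The following is an added example, not code from the original article or from Technology Evaluation Centers; the duty names, the conflict pairs and the sample assignments are constructed for the SMB accounting scenario and are not taken from any real system.

```python
# Added example (not from the original article): a minimal segregation-of-duties
# checker for the SMB accounting scenario. Duty names and conflict pairs are
# assumptions chosen to illustrate the principle, not a standard matrix.
from itertools import combinations

# Duties that no single person should hold together (constructed): in each pair
# the first duty initiates or records a transaction and the second verifies it.
CONFLICTING_DUTIES = {
    frozenset({"approve_timecards", "process_payroll"}),
    frozenset({"receive_payments", "reconcile_bank_statements"}),
    frozenset({"issue_checks", "reconcile_bank_statements"}),
}


def sod_violations(assignments):
    """Return {user: [conflicting duty pairs]} for every user whose assigned
    duties contain a conflicting pair. `assignments` maps user -> set of duties."""
    violations = {}
    for user, duties in assignments.items():
        hits = [tuple(sorted(pair)) for pair in combinations(sorted(duties), 2)
                if frozenset(pair) in CONFLICTING_DUTIES]
        if hits:
            violations[user] = hits
    return violations


def check_issuance_ok(preparer, approvers, minimum=2):
    """Dual-control rule for issuing checks: at least `minimum` distinct
    approvers, none of whom is the person who prepared the check."""
    distinct = set(approvers) - {preparer}
    return len(distinct) >= minimum


# Constructed sample role assignments for a small accounting department.
SAMPLE_ASSIGNMENTS = {
    "alice": {"receive_payments", "approve_timecards"},
    "bob": {"approve_timecards", "process_payroll"},          # conflict
    "carol": {"issue_checks", "reconcile_bank_statements"},   # conflict
    "dave": {"reconcile_bank_statements"},
}

if __name__ == "__main__":
    for user, pairs in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"SOD violation: {user} holds {pairs}")
    print(check_issuance_ok("carol", ["alice", "dave"]))   # two independent approvers
    print(check_issuance_ok("carol", ["carol", "dave"]))   # preparer cannot approve
```

In a real review the assignments would be pulled from the accounting or ERP system's role export; the conflict matrix is what the auditors agree with the business, and this script only reports the violations for them to resolve.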





Source: http://www.technologyevaluation.com/research/articles/segregation-of-duties-and-its-role-in-sarbanes-oxley-compliance-issues-19369/
