Part 2 of a 17-part series
In our initial post on this subject, we covered the overall approach to SoD and SA. In this and the following updates, we drill down into the details of each segment.
Understand the Basics
Define SoD Rules
SoD involves separating responsibilities to prevent any single individual from having complete control over a process or transaction.
- Understand SOX Requirements
- Review / Update Policies and Procedures
- Identify Key Processes and Functions
- Conduct Risk Assessment
- Define Segregation of Duties
- Map Responsibilities and Roles
- Implement Controls and Procedures
- Provide Training and Awareness
1. Understand SOX Requirements
Begin by thoroughly understanding the requirements of SOX legislation, particularly Section 404, which mandates internal controls over financial reporting. Familiarize yourself with the key principles and objectives of SOX, including the need for effective internal controls, transparency, and accountability.
Section 404 itself is short. It requires management to establish and maintain an adequate internal control structure and procedures for financial reporting, and to assess the effectiveness of those controls. Segregation of duties is one of the controls that assessment relies on, because an individual who can both initiate and approve (or record and reconcile) a transaction undermines every other control around it.
2. Review / Update Policies and Procedures
Document segregation of duties policies and procedures in a formal document, such as an internal control framework or policy manual. Ensure that all relevant stakeholders have access to these documents and understand their roles and responsibilities.
Policies
- Formal statement guiding decisions and actions.
- Sets organizational objectives, values, and rules.
- Ensures consistency, compliance, and accountability.
Procedures
- Detailed steps outlining how policies are executed.
- Provide specific instructions for tasks in line with policy objectives.
- Ensure consistency, compliance, and effectiveness in policy implementation.
3. Identify Key Processes and Functions
Identify the critical business processes, functions, and activities within your organization that directly impact financial reporting. This may include areas such as financial transactions, revenue recognition, procurement, inventory management, and financial reporting.
Authorization of Transactions
Separating the authorization of financial transactions from the execution and recording of those transactions is crucial. This ensures that transactions are approved by appropriate individuals who have the authority and responsibility to do so, reducing the risk of unauthorized or fraudulent activities.
Recording of Transactions
Segregating the responsibility for recording financial transactions from the initiation and approval of those transactions helps maintain the integrity of financial records. It prevents individuals from both creating and recording transactions, reducing the risk of errors or manipulation.
Custody of Assets
Separating the custody of assets from the authorization and record-keeping of related transactions is essential. This ensures that individuals who have access to assets physically cannot also control the related accounting entries, reducing the risk of misappropriation or theft.
Financial Reporting Process
Segregation of duties is necessary in the financial reporting process to ensure the accuracy and integrity of financial statements. Different individuals or teams should be responsible for preparing, reviewing, and approving financial statements to prevent bias or errors in reporting.
AP and AR
Segregation is required in accounts payable (AP) and accounts receivable (AR) processes to prevent fraud and errors. For example, individuals responsible for approving vendor invoices should not also process payments, and those responsible for receiving customer payments should not also record receivables.
Inventory
In organizations that deal with inventory, segregation of duties is necessary to prevent inventory shrinkage and misstatements. Individuals responsible for inventory receipt and issuance should be separate from those responsible for inventory valuation and recording.
Cash and Banks
Segregation of duties is crucial in cash handling and bank reconciliation processes. Individuals who receive cash should not also reconcile the bank accounts; an independent reconciliation is what ensures that all transactions are accurately recorded and that any missing receipts are noticed.
4. Conduct Risk Assessment
Perform a comprehensive risk assessment to identify potential risks and vulnerabilities within each key process or function. Consider both internal and external factors that could impact the integrity of financial reporting, such as fraud, errors, system failures, and regulatory compliance risks.
Process-Level Risk Assessment
Identify Key Processes
Begin by identifying the critical business processes within the organization that directly impact financial reporting, such as revenue recognition, purchasing, and financial reporting.
Assess Risks
Evaluate each key process to identify potential risks and vulnerabilities that could lead to errors, fraud, or non-compliance with regulations.
Consider Impact
Assess the potential impact of identified risks on financial reporting accuracy, regulatory compliance, and overall organizational objectives.
Likelihood Analysis
Estimate the likelihood of occurrence for each identified risk based on historical data, industry benchmarks, and expert judgment.
Control Evaluation
Evaluate
Review existing controls within each key process to determine their effectiveness in mitigating identified risks.
Assessment
Assess the design adequacy of existing controls to determine if they adequately address segregation of duties requirements.
Effectiveness
Evaluate the operating effectiveness of existing controls to determine if they are consistently implemented and functioning as intended.
Segregation of Duties Analysis
Requirements
Based on the risk assessment and control evaluation, identify specific segregation of duties requirements for each key process.
Levels
Determine the level of segregation required for each identified risk based on the severity of the risk, the likelihood of occurrence, and the effectiveness of existing controls.
Define
Develop and implement segregation controls to ensure that incompatible duties are separated effectively to mitigate identified risks.
Risk Prioritization and Mitigation
Prioritize
Prioritize identified risks based on their potential impact on financial reporting and regulatory compliance.
Mitigation
Develop risk mitigation strategies to address prioritized risks, including implementing segregation of duties controls, enhancing existing controls, or implementing compensating controls.
Monitor
Continuously monitor and review the effectiveness of segregation of duties controls and risk mitigation strategies, making adjustments as necessary based on changing business conditions or regulatory requirements.
5. Define Segregation of Duties
Based on the risk assessment, define the segregation of duties requirements for each key process or function. Segregation of duties should separate incompatible duties so that no single individual controls multiple stages of a critical process. Common segregation of duties principles include:
Authorization
Separate the authorization of transactions or activities from the execution and recording of those transactions.
Custody
Segregate the custody of assets from the authorization and record-keeping of related transactions.
Recording
Segregate the responsibility for recording transactions from the initiation and approval of those transactions.
Should you decide to define SoD rules from scratch, a good place to start is ISO 27002, which includes a control specifically on segregation of duties, as your reference. There are a number of services in the marketplace that make this process easier and much quicker to execute. We provide this service in an offline model as well as implementation services for different software solutions integrated with your systems. Contact Us for more information.
6. Map Responsibilities and Roles
Clearly define the roles and responsibilities of individuals involved in each key process or function. Identify the specific tasks, activities, and decision-making authority associated with each role.
Processes and Functions
Begin by identifying the key processes and functions within your organization that directly impact financial reporting or other critical areas.
Examples of key processes may include revenue recognition, accounts payable, inventory management, payroll processing, and financial reporting.
Define Process Owners
For each key process, designate a process owner who is responsible for overseeing the entire process.
The process owner should have a clear understanding of the process, its objectives, and its importance to the organization.
Identify Roles and Responsibilities
Work with process owners and relevant stakeholders to identify the roles and responsibilities involved in each key process.
Document the roles, including job titles or positions, and their corresponding responsibilities.
Document Tasks and Activities
Break down each role’s responsibilities into specific tasks and activities that need to be performed to complete the process.
Ensure that tasks are clearly defined, measurable, and aligned with the objectives of the process.
Decision-Making Authority
Identify the decision points within each process where key decisions need to be made.
Determine who has the authority to make these decisions and document their decision-making authority.
Matrix
Create a roles and responsibilities matrix or chart that clearly outlines the roles, responsibilities, tasks, activities, and decision-making authority associated with each role.
Use a standardized format to ensure consistency and clarity across different processes.
Review and Validate
Review the roles and responsibilities matrix with process owners, department heads, and other relevant stakeholders to ensure accuracy and completeness.
Validate the matrix against existing organizational structures, job descriptions, and operational realities.
Communicate and Train
Communicate the roles and responsibilities matrix to all individuals involved in the key processes.
Provide training and guidance as needed to ensure that everyone understands their roles, responsibilities, and the importance of segregation of duties.
Monitor
Regularly review and update the roles and responsibilities matrix to reflect changes in organizational structure, processes, or personnel.
Ensure that the matrix remains up-to-date and accurately reflects the current state of roles and responsibilities within the organization.
Integrate with Control Framework
Integrate the roles and responsibilities matrix with the organization’s overall control framework, including internal control policies and procedures.
Ensure that segregation of duties controls are appropriately designed and implemented based on the mapped roles and responsibilities, and vice versa.
7. Implement Controls and Procedures
Develop and implement controls and procedures to enforce segregation of duties effectively. This may include establishing approval workflows, access controls, and monitoring mechanisms to ensure compliance with segregation of duties requirements.
There are two major approaches to SoD rule enforcement: preventive or detective.

Preventive: Approval Required – This type of SoD enforcement follows this process:
- The user requests access to a new entitlement.
- The provisioning solution gathers information about the user and the requested entitlement, then evaluates the user's existing access plus the requested (not yet provisioned) entitlement against the SoD rule library.
- If no new, unmitigated violations are found, the request is returned to the provisioning solution and continues along its normal approval workflow.
- If violations are found, the provisioning request is put on hold and an approval request for the SoD violations is routed according to the organization's policy and approval matrix.
- If the request is reviewed and denied, the SoD solution returns the denial to the provisioning solution, which declines the user's provisioning request.
- If the request is reviewed and approved, the SoD solution records the approval together with the mitigating controls provided, then returns the approval to the provisioning solution, where the request continues through the provisioning workflow.
All of this takes place between the user's provisioning request and the access actually being granted. This reduces (but does not eliminate) the need for monitoring controls and the frequency of periodic review: the check only sees access that flows through the provisioning workflow, so access granted directly in a target system, or conflicts created when a rule is added or changed after access was granted, are only caught by detective monitoring.
Detective: Monitoring – A detective (monitoring) solution provides after-the-fact SoD violation reporting. Users gain access once they have worked through the provisioning process, whether or not the newly granted access creates violations. Detective SoD solutions therefore require a more robust review cycle covering violations, mitigating controls, and testing of those controls.
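The two enforcement paths above can be reduced to one rule engine run at two different points in time. The following Python example, added here and not code from the original post or from any SoD product, models a small rule library built from the incompatible duties in step 3, then runs it once as the preventive check (current access plus the requested entitlement, before anything is provisioned) and once as the detective scan (everything already granted). Every rule ID, entitlement name, user and mitigating control reference in it is constructed for illustration.

```python
"""Minimal SoD rule engine illustrating the preventive (approval-required) and
detective (monitoring) enforcement paths. Added example, not code from the
original post; every rule ID, entitlement name, user and mitigating control
below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    description: str
    left: frozenset   # entitlements on one side of the incompatible pair
    right: frozenset  # entitlements on the other side


@dataclass(frozen=True)
class Violation:
    rule_id: str
    user: str
    evidence: Tuple[str, ...]  # the conflicting entitlements the user actually holds
    mitigated: bool


# Constructed rule library mirroring the incompatible duties listed in step 3.
RULES: List[SodRule] = [
    SodRule("AP-01", "Approve vendor invoices vs. release payments",
            frozenset({"AP_INVOICE_APPROVE"}), frozenset({"AP_PAYMENT_RELEASE"})),
    SodRule("AR-01", "Receive customer payments vs. record receivables",
            frozenset({"AR_CASH_RECEIPT"}), frozenset({"AR_POST_RECEIVABLE"})),
    SodRule("CASH-01", "Receive cash vs. reconcile bank accounts",
            frozenset({"AR_CASH_RECEIPT"}), frozenset({"GL_BANK_RECONCILE"})),
    SodRule("INV-01", "Receive/issue inventory vs. value and record inventory",
            frozenset({"INV_RECEIVE", "INV_ISSUE"}), frozenset({"INV_VALUATION"})),
]

# Constructed access assignments (user -> entitlements) and approved mitigations
# ((user, rule_id) -> mitigating control reference) as an SoD solution would store them.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"AP_INVOICE_APPROVE", "AP_PAYMENT_RELEASE"},   # pre-existing AP-01 conflict
    "bob": {"AR_CASH_RECEIPT"},
    "carol": {"INV_RECEIVE", "INV_VALUATION"},               # INV-01, but mitigated below
}
MITIGATIONS: Dict[Tuple[str, str], str] = {
    ("carol", "INV-01"): "CTRL-17: monthly independent count reviewed by the controller",
}


def evaluate(user: str, entitlements: Iterable[str],
             rules: List[SodRule] = RULES,
             mitigations: Dict[Tuple[str, str], str] = MITIGATIONS) -> List[Violation]:
    """A rule fires when the user holds at least one entitlement from each side."""
    held = set(entitlements)
    found = []
    for rule in rules:
        left_hit, right_hit = held & rule.left, held & rule.right
        if left_hit and right_hit:
            found.append(Violation(rule.rule_id, user,
                                   tuple(sorted(left_hit | right_hit)),
                                   (user, rule.rule_id) in mitigations))
    return found


def preventive_check(user, current, requested, rules=RULES, mitigations=MITIGATIONS):
    """Approval-required path: simulate current + requested access before anything is
    provisioned. Returns ("proceed", []) when the request adds no new, unmitigated
    violation, else ("hold", violations) so an SoD approval request can be raised.
    Pre-existing conflicts are not re-blocked here; the detective scan surfaces them."""
    already = {v.rule_id for v in evaluate(user, current, rules, mitigations)}
    simulated = evaluate(user, set(current) | set(requested), rules, mitigations)
    new_unmitigated = [v for v in simulated
                       if v.rule_id not in already and not v.mitigated]
    return ("hold" if new_unmitigated else "proceed", new_unmitigated)


def detective_scan(assignments=ASSIGNMENTS, rules=RULES, mitigations=MITIGATIONS):
    """Monitoring path: after-the-fact report over everyone's granted access.
    Mitigated violations stay in the report (flagged) so their controls get re-tested."""
    report = []
    for user, entitlements in assignments.items():
        report.extend(evaluate(user, entitlements, rules, mitigations))
    return sorted(report, key=lambda v: (v.user, v.rule_id))


if __name__ == "__main__":
    decision, hits = preventive_check("bob", ASSIGNMENTS["bob"], {"GL_BANK_RECONCILE"})
    print("bob requests GL_BANK_RECONCILE ->", decision, [v.rule_id for v in hits])
    for v in detective_scan():
        flag = "mitigated" if v.mitigated else "OPEN"
        print(f"{v.user}: {v.rule_id} {v.evidence} [{flag}]")
```

Two design choices are worth noting. A rule is expressed as two sets rather than a single pair so that "any of these" on one side versus "any of these" on the other covers the inventory case (receipt or issuance against valuation) without multiplying rules. And the preventive check only holds a request for violations it would newly create and that carry no recorded mitigation; alice's pre-existing AP-01 conflict is reported by the detective scan, where the reviewer must either remove access or attach a mitigating control, which is exactly the review cycle the detective approach demands.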
8. Provide Training and Awareness
Congratulations! The SoD rules are in place but not yet published to your production / live environment. As part of your ITGC change management process, you need to conduct User Acceptance Testing (UAT). For this to be successful, you need to provide training and awareness programs that educate employees about segregation of duties requirements and the importance of adhering to internal controls. Ensure that employees understand how their roles contribute to SOX compliance and the prevention of fraudulent activities.
Training Materials
- Creation of user manuals, guides, and FAQs.
- Development of video tutorials or online resources.
- Distribution of training materials for self-paced learning.
Orientation Session
- Introduction to the importance of segregation of duties.
- Overview of the new system and its benefits.
- Explanation of the training objectives and agenda.
System Demonstration
- A detailed walkthrough of the segregation of duties system.
- Live demonstration of how to use the system for different roles.
- Highlighting key features and functionalities.
Hands-on Practice
- Guided practice sessions for employees to interact with the system.
- Exercises to simulate real-world scenarios and role-based tasks.
- Encouragement for participants to ask questions and seek clarification.
Role-Specific Training
- Tailored sessions for different departments or job roles.
- Focus on specific functionalities relevant to each role.
- Customized examples and case studies for better understanding.
Assessment and Feedback
- Conducting quizzes or knowledge checks to assess understanding.
- Collecting feedback from participants on the training content and delivery.
- Addressing any misconceptions or gaps identified during the training.
Need help?
HALEY Consulting and Advisory Services are here every step of the way. Contact us for a free consultation.