I am new at this and need to understand about SOX and SOD, do you have any other resources? I am looking for Purchases Orders to Negotiations for credit terms, to who enters the new vendor and who signs and who does Accounts Payable all the way through to Fixed Assets? Can you help or recommend a book on SOD or an inexpensive software solution?

Resource constraints may limit the number of employees, sometimes resulting in concerns regarding segregation of duties.

There are, however, actions management can take in order to compensate for potential inadequacy. These include managers reviewing system reports of detailed transactions; selecting transactions for review of supporting documents; overseeing periodic counts of physical inventory, equipment or other assets and comparing them with accounting records; and reviewing reconciliations of account balances or performing them independently. In many small companies managers already are performing these and other procedures supporting reliable reporting, and credit should be taken for their contribution to effective internal control.

• Job descriptions never reflect what needs to be done. They are at best a starting point that companies use to describe the general requirements and abilities necessary to fulfiling the role. Since these are rarely comprehensive or exact, little time is put into linking these documented descriptions
• Access to systems is quick to add, slow to delete. "Old timers" often have far more access than is appropriate for their current job - introducing both fraud risk AND the "easier to do it myself than ask someone else" viewpoint. This adds to the to-do list of those that are likely your most valuable resources for getting things done - and they continue to mess with things they did in past "lives" at the company.
• Weak or absent desktop procedures make transitioning work difficult. If people don't document what they do, it becomes a very involved process to eventually transition the work. It also makes it harder for an independent person (i.e. manager, new hire) to grasp the nuances and intricacies of the work, so transition time of tasks is delayed.
• Employees don't think about their tasks as discrete parts of a larger process. This is both the curse and magic that gets revealed when a company expends the effort to either perform a COSO framework assessment or bring their practices up to snuff for SOX compliance. Often, individual workers are seeing their efforts as part of a whole transaction process, and can see the importance of their work relative to the overall company. (I love when AP Clerks discover - and can boast - the critical role of 3-way match in safeguarding a company's assets!)
• It will never happen here. There is no SOD issues if we haven't discovered
  embezzlement in the past.

"Our employees are all trustworthy and reliable."

"Our professionals are all dilligent and properly trained."

"We expect our professionals to act ethically and only access what is required for their job duties, not everything that is available to them on the network."

• Most companies manage by crisis and design by accident. Processes grow up organically, a result of many different professionals coming from several different companies and working to blend their views and experiences together in a way that benefits the company.

We don't talk about properly segregated activities usually, and this isn't something that is well explored in the typical undergraduate business programs (maybe accountancy and auditing, rarely in management programs). This makes what should be a very natural design consideration a very foreign topic when folks encounter it for the first time.

So beyond my rant, here are a few resources that I think do help you in sorting out the logic of segregation of duties. I would also invite reader comments where other useful resources have been found). Here are a few things I've found useful:

• "COSO's Guide for Smaller Public Companies" noted above (executive summary). Note that Volume 2 really gets into some good specific examples on a transasction level as well.
• "Montgomery's Auditing", a classic guide for internal auditors. In particular, see chapter 11, "Understanding Activity Level Controls" for a good explanation and breakdown of how parts in a transaction should be seperately managed, and the role that management oversight and reporting can play in detecting errors or misbehavior after the fact.
• Borrow or buy an old college Intermediate Accounting text book for some discussion of the topic with examples.
• Talk with your system administrator or vendor for your financial software, and find out what native "SOD" considerations are built into the access management component of the software. Also, ask them how other clients are evidencing SOD within the system (great approach if you haven't had to become SOX compliant already, as most software vendors have had to scramble to help their clients assess this within systems already. This should also be a key component in your RFPs when it comes to any financially-related software selection process).
• A useful excel layout from John Gregg at UC Davis maps standard duties against roles, referenced as part of a discussion at the SANS Technology Institute website under the title "Seperation of Duties in Information Technology."

Whatever your process for coming to understand the current state of affairs in your organization, "begin with the end in mind" and consider how you will not only identify issues, but how you will implement necessary changes and monitor these changes going forward.

Labels: access managment, COSO, fraud, segregation of duties, seperation of duties

• List One of Activity Conflicts
• List Two of Activity Conflicts
• List Three of Activity Conflicts

Labels: activity conflicts, segregation of duties

If I make an error in my work, will someone downstream of me detect it before it becomes a major issue for management and shareholders to read about?

Labels: segregation of duties