Thursday, August 5, 2010

Segregation of Duties and Its Role in Sarbanes-Oxley Compliance Issues

In the aftermath of some highly publicized cases of corporate fraud, the US government announced legislation designed to implement compliance and financial-reporting standards. The most notable of these laws is the Sarbanes-Oxley Act (SOX) of 2002. The primary goal of SOX is to enforce a higher level of transparency into organizations' business processes, financial transactions, and accounting methods, to ensure that known and accepted accounting principles are practiced.
In this new SOX era, the issue of compliance spans several industries, attempting to harmonize evolving standards across both public and private sector organizations. The requirement of standardized reporting of financial information now forces organizations that had once been less transparent to tighten and streamline their audit and control practices on an ongoing basis.
Traditional Audit and Compliance Standards Prior to SOX
Pre-SOX standards were designed to ensure a modicum of corporate governance by focusing on the areas outlined by the Committee of Sponsoring Organizations (COSO) and on an IT system process framework. This framework was provided by the Control Objectives for Information and Related Technology (COBIT) IT process standard, which was developed in 1992 by the Information Systems Audit and Control Association (ISACA). COBIT was to provide adequate control levels for organizational structure, ethical standards, and board and audit committee review. It was the earliest set of audit standards established to cope with IT processes and audit procedures. COBIT focused on application controls, general control of information systems, and security issues.
Reporting standards used prior to SOX remain in place today. Of these, the most notable are the EU's adopted version of the International Financial Reporting Standards (IFRS) and the US's Generally Accepted Accounting Principles (GAAP). In 2002, an accord known in financial industry circles as the Norwalk Agreement was struck. This agreement states that US-based companies' financial-reporting procedures are to be harmonized with the European standard by the end of 2008. The implementation of SOX for firms that import into and export out of the United States is yet another layer of compliance standards recently introduced. Table 1 lists several other audit control standards, both pre- and post-SOX.
Segregation of Duties
Within SOX is a provision entitled Section 404. This section is a comprehensive list of accepted internal controls organizations must have in place to be deemed SOX-compliant. The list targets application internal controls and highlights areas where fraudulent reporting is likely to occur, whether intentional or not. Among key provisions in this section is segregation of duties (SOD). SOD aims to close loopholes that would otherwise permit questionable accounting practices; one of its key attributes is that it allows the monitoring of processes and cross-verification of transactions processed in real time.
In simplified terms, SOD is based on the concept of having more than one person in an organization who is able and mandated to complete a task. SOD is a security principle whose main goals are the prevention of fraud and errors. These two objectives are realized by reviewing business processes and distributing tasks and their associated authorizations among several levels of the hierarchy. Such actions serve as validation—in other words, they are a series of checks and balances.
One way to illustrate the key tenets of SOD is to consider an accounting department in any small to medium business (SMB). Here, some of the day-to-day activities include the receiving of checks as invoice payments, approval of employee time cards, processing of payroll checks, and reconciliation of bank statements. Within these activities a form of SOD is already in place—usually the issuing of checks requires different levels of authorization and more than one signature. In essence, more than one person validates a process or activity.
In IT, SOD issues are not as clearly defined, and in many instances individuals in an SMB carry multiple levels of responsibility, which can conflict with the stated goals of SOX and SOD.
Following are five circumstances in which IT processes can conflict with the goals of SOD:
1. Improper account provisioning for change, meaning access rights to applications are not changed (revoked) when employees leave the organization or a department.
2. Insufficient control of change management, meaning a change is made to a financial application or process without a documented record of the date of the change, its nature, and which persons in the organization it affects, for quality assurance purposes.
3. IT departments lack an understanding of key system configuration workflow processes.
4. No audit logs are used to document unusual system or application occurrences.
5. No root cause analysis is performed to determine what caused an unusual event.
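The SOD principle described above (no single person completes a sensitive task alone) and the first circumstance in the list (access not revoked when people leave) can both be checked mechanically against a user-to-duty assignment matrix. The following is an added example, not code from the original article: the duty names follow the accounting activities mentioned earlier, while the sample users, the terminated-user set and the conflicting duty pairs are assumptions made here for illustration.

```python
# Added example, not from the original article: a small segregation-of-duties (SOD)
# review over a constructed user-to-duty matrix. Duty names follow the accounting
# activities the article lists; the conflicting pairs and sample users are
# assumptions made here for illustration.

# Constructed sample data: duties granted to each user in a financial system.
ASSIGNMENTS = {
    "alice": {"receive_payments", "reconcile_bank_statements"},
    "bob": {"approve_timecards"},
    "carol": {"approve_timecards", "process_payroll"},
    "dave": {"process_payroll", "sign_checks"},
    "erin": {"sign_checks"},
}

# Constructed: users who left the organization but may still hold access
# (the improper-deprovisioning circumstance listed above).
TERMINATED = {"erin"}

# Assumed conflicting duty pairs: one person holding both could initiate and
# conceal an irregular transaction, so each pair needs a second person's control.
CONFLICTING_PAIRS = [
    ("receive_payments", "reconcile_bank_statements"),
    ("approve_timecards", "process_payroll"),
    ("process_payroll", "sign_checks"),
]

def find_sod_conflicts(assignments, conflicting_pairs=CONFLICTING_PAIRS):
    """Return {user: [(duty_a, duty_b), ...]} for users holding both duties of a pair."""
    conflicts = {}
    for user, duties in sorted(assignments.items()):
        hits = [pair for pair in conflicting_pairs if set(pair) <= duties]
        if hits:
            conflicts[user] = hits
    return conflicts

def single_person_duties(assignments, active_users):
    """Duties held by fewer than two active users, so nobody can cross-verify them."""
    holders = {}
    for user, duties in assignments.items():
        if user in active_users:
            for duty in duties:
                holders.setdefault(duty, set()).add(user)
    return sorted(duty for duty, users in holders.items() if len(users) < 2)

def stale_access(assignments, terminated):
    """Terminated users whose access was never revoked."""
    return sorted(u for u in assignments if u in terminated and assignments[u])
```

Run against a real access export, the three functions produce the findings an auditor would ask for under Section 404: users holding conflicting duties, duties with no second person to verify them, and accounts that should have been deprovisioned.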
Twin Pillars of Protection
In any organization, IT serves as both the gatekeeper and the distribution point for information. Financial reporting serves as the means to support an IT infrastructure. Insofar as systems infrastructure and financial reporting are linked, the integrity of the system and of the processes that support it must be ensured in compliance with accepted standards and practices. Within these twin pillars of protection are principles that must be adhered to in order to ensure the integrity of the system, the public's confidence in the system, and that all key requirements of SOX Section 404 are met. Figure 1 depicts the basic steps to take to meet these requirements.

SOURCE:http://www.technologyevaluation.com/research/articles/segregation-of-duties-and-its-role-in-sarbanes-oxley-compliance-issues-19369/