SOX and returns/credits

  • Hi, first time poster, first post…sorry if this has been posted/discussed
    Just started with a new job and this is the first publicly traded company I’ve worked for since SOX was passed, so this is all kind of new to me…
    My responsibilities include the operations department for the online retail side of the business…one of the many jobs my department handles is the processing of returns and credits…Because of SOX, we need to have the group separated into those who can receive in the returns, and those who can approve/process the credits so that the same person cannot do both tasks…
    What is the easiest way to do this? We have IT protocols in place that restrict access to one side of the system or the other.
    Thanks in advance, this is a great resource…

  • This is a straightforward control put in place so as to ensure proper segregation of duties, where the preparer is separate to the approver.
    IT restriction is definitely the easiest way to enforce the control across the department if approval can be evidenced electronically.
    If approval is manual, then you will have to rely on sign off and/or email approvals. All this means is that when it comes to testing you will have to test a larger sample base as manual controls are deemed riskier than automated controls.
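
    An added example, not part of any post in this thread: one way to check that the IT restriction discussed above actually holds, by flagging users assigned to both sides and returns where the same user received the goods and approved the credit. The role names, user names, return IDs and record layout are assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample data; every name and ID below is hypothetical.
ROLE_ASSIGNMENTS = [  # (user, role)
    ("alice", "returns_receiver"),
    ("bob", "credit_approver"),
    ("carol", "returns_receiver"),
    ("carol", "credit_approver"),  # holds both sides of the control
]
RETURN_EVENTS = [  # (return_id, action, user)
    ("R-1001", "received", "alice"),
    ("R-1001", "credit_approved", "bob"),
    ("R-1002", "received", "carol"),
    ("R-1002", "credit_approved", "carol"),  # one person did both steps
    ("R-1003", "received", "alice"),
    ("R-1003", "received", "carol"),         # two people logged the receipt
    ("R-1003", "credit_approved", "bob"),
]
CONFLICTING_ROLES = {"returns_receiver", "credit_approver"}


def users_with_conflicting_roles(assignments, conflicting=CONFLICTING_ROLES):
    """Preventive check: users whose access covers both duties."""
    roles = defaultdict(set)
    for user, role in assignments:
        roles[user].add(role)
    return sorted(u for u, held in roles.items() if conflicting <= held)


def same_user_violations(events):
    """Detective check: returns received and approved by the same user."""
    receivers, approvers = defaultdict(set), defaultdict(set)
    for return_id, action, user in events:
        if action == "received":
            receivers[return_id].add(user)
        elif action == "credit_approved":
            approvers[return_id].add(user)
    findings = []
    for return_id in sorted(approvers):
        overlap = receivers[return_id] & approvers[return_id]
        if overlap:
            findings.append((return_id, sorted(overlap)))
    return findings


if __name__ == "__main__":
    print("Users holding both roles:", users_with_conflicting_roles(ROLE_ASSIGNMENTS))
    for return_id, users in same_user_violations(RETURN_EVENTS):
        print(f"{return_id}: received and approved by {', '.join(users)}")
```

    The first function reviews access as configured; the second reviews what actually happened in the transaction history, which also catches approvals made before a conflicting role was removed.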

  • Hi CJB and welcome to the forums 🙂
    Your company has instituted a classical control called ‘Separation of Duties’. Also another classical audit term is ‘Checks and Balances’. A forum search of these terms will highlight a lot of past discussion.
    There may be some inherent financial risks, where when incoming items are received, that a person who had full privileges could do a ‘one stop’ fraudulent transaction (e.g., item is physically received and a person could do something fraudulent with the returned stock or monetary transaction).
    The formulation and implementation of SOX requires judgement and a good risk management process to determine which financial risks a company needs to invest their $$$ in implementing needed controls. However, I’ve often seen the design process stop at the risk management process, with solutions half-way thought out in terms of workflow and efficiency. This can put a drag on your operations and customer service needs.
    You all most likely need this control, but there are better ways for the work flow to take place. In my 30 years of IT and project management experience, I’ve often found you get the best answers from those doing the work 😉 🙂 Maybe through interviews, brainstorming, and idea sharing some tweaking can occur where the process can be less cumbersome and more efficient. I wasn’t certain if this is a bottleneck in your current workflows?
