Peer review as a SOX Control

  • Hi,
    I am in the process of updating SOX controls for the new FY. Process/Control owner (Financial Controller) now wants to delegate some ‘review’ responsibility down to his team members, asking everyone to review each other’s work instead of him reviewing everything. He (Financial Controller) would review and sign off only on balances or deltas in excess of a defined threshold amount.
    I am not so sure this ‘peer review’ would be permissible as a Primary/Key SOX control. From a SOX perspective should review not be on a ‘one-up’ basis?
    Any help or advice would be welcomed.

  • We were told by KPMG (Dublin office by the way - are you Irish?) that peer review is acceptable on a multiple transaction level such as invoice entry etc. where there were insufficient managers to perform the control on an ongoing basis.
    If this is what has been suggested, I reckon you should be alright.
    If the reviews he refers to are part of the month end report process, journal entry and approvals, I would be seriously worried about his attitude to control…

  • I would be very concerned if managers delegated their review responsibilities down to their staff in the form of peer reviews. That is completely bypassing management responsibility and should be looked upon as a weak control.
    I do not have an issue with peer testing of SOX controls, as that is after-the-fact testing to ensure that controls are being performed effectively.

  • Review should be carried out by an appropriate person and this does not necessarily mean more senior. In fact, in many cases a more senior person may not have a detailed enough understanding of the subject matter to be able to perform a review effectively.
    It is subjective and it is the responsibility of management to determine what is appropriate.
