SOD - Segregation of duties 2791

  • Hi Folks 😄
    I’m new here and also to the SOX stuff.
    I have a question and I hope to get an answer here if you don’t mind.
    How can you ensure a proper segregation of duties according to the SOX requirements while you are a small entity with a restricted number of personnel?
    Please advise.
    Thanks in advance.

  • The objective of internal control over financial reporting whose effectiveness is required to be evaluated in section 404 of the Sarbanes-Oxley Act (SOX) is to prevent or to timely detect material misstatements of the (consolidated) financial statements.
    So it depends which objective you want to achieve by segregating certain duties between different persons. The amounts of many types of fraud are not material to the financial statements.
    It frequently happens in small organizations that very few people have the specialized knowledge that is necessary to execute certain duties. As a consequence, duties that are normally segregated in larger organizations are sometimes executed by the same person in smaller organizations. Typically a review of the executed transactions by a different, independent person can compensate for the lack of segregation of duties.
    E.g. the ability to both create/change vendor master data including bank account details and to post an invoice that relates to this vendor would normally allow payments to unauthorized bank accounts. A review of changes to bank account details in vendor master data by an independent person can serve as a compensating control.

  • As also shared in some other threads - this ‘getting started’ link might also be helpful

  • Hi folks
    Thanks for the replies.
    I will for sure check it out 🙂

  • You need to look at the entire process, including the controls, and not just at access rights to IT systems in order to determine whether the combination of those access rights can be a problem and whether they need to be segregated or whether a compensating control, such as the review of transactions by an independent person, is needed.
    What do you mean by ‘authorize fund transactions’? Make payments in an electronic banking application so that money is transferred out of the company’s bank account?
    How does the company receive payments from its customers? In cash? Through paper checks? Or just via electronic funds transfers to the company’s bank accounts?
    If the employee also has access to the physical cash or to checks, there is a risk that the money is stolen and never deposited in the company’s bank account, and that this would not be detected in a bank reconciliation because the employee himself is doing the bank reconciliation and he prevents it from being noticed through the overdue payments list by making a fake entry in the A/R ledger that the invoice to the customer was paid. A variation of this scenario, where the company receives electronic transfers from its customers, would be that the employee uses a funds transfer to steal the money (provided that there are no further controls where an independent person looks at the documents that authorize the funds transfer).
    Another scenario involves the misappropriation of cash receipts or checks and using the following cash receipt or cash to apply it as payment to the wrong old invoice and continuing this forever. This effectively results in different amounts being used by the employee all the time and giving him the ability to spend them or at least earn interest on them.
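The two posts above (the vendor-master/invoice-posting combination and the cash-receipts/A/R-ledger/bank-reconciliation combination) both describe access-right pairs that a small entity often cannot split between two people, and name the compensating control that makes each pair acceptable. The following is an added example, not code from any poster in this thread: a small Python check that takes a user-to-entitlement matrix, a rule set of conflicting pairs, and a register of compensating controls known to be in place, and reports which users hold a conflicting pair and which of those conflicts still lack their compensating control. All entitlement names, user names and rules are constructed assumptions for the illustration, not taken from any real ERP or access-management product.

```python
"""Segregation-of-duties (SoD) conflict check over a user-entitlement matrix.

Added example. Entitlement names, users, rules and the control register
below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    """Two entitlements one person should not hold together, the risk that
    the combination creates, and the compensating control that is acceptable
    when the entity is too small to split them."""
    a: str
    b: str
    risk: str
    compensating_control: str


# Constructed rule set, modelled on the scenarios discussed in the thread.
SOD_RULES = [
    SodRule("vendor_master_maintain", "ap_invoice_post",
            "payments can be redirected to an unauthorized bank account",
            "independent review of vendor bank-detail changes"),
    SodRule("cash_receipts_handle", "ar_ledger_post",
            "receipts can be diverted and hidden by fake A/R postings",
            "independent review of the overdue payments list"),
    SodRule("cash_receipts_handle", "bank_reconciliation",
            "theft of receipts would not surface in the reconciliation",
            "bank reconciliation performed or reviewed by a second person"),
]

# Constructed user-to-entitlement assignments (e.g. exported from an ERP).
ASSIGNMENTS = {
    "alice": {"vendor_master_maintain", "ap_invoice_post"},
    "bob": {"ap_invoice_post"},
    "carol": {"cash_receipts_handle", "ar_ledger_post", "bank_reconciliation"},
}

# Constructed register of compensating controls documented as operating.
CONTROLS_IN_PLACE = {
    "alice": {"independent review of vendor bank-detail changes"},
}


def find_sod_conflicts(assignments, rules=SOD_RULES):
    """Return a sorted list of (user, a, b, risk, control) tuples, one for
    every rule whose two entitlements are both held by the same user."""
    hits = []
    for user, entitlements in assignments.items():
        for rule in rules:
            if rule.a in entitlements and rule.b in entitlements:
                hits.append((user, rule.a, rule.b, rule.risk,
                             rule.compensating_control))
    return sorted(hits)


def uncompensated_conflicts(assignments, controls, rules=SOD_RULES):
    """Conflicts for which the required compensating control is not
    recorded for that user; these are the findings an auditor would raise."""
    return [hit for hit in find_sod_conflicts(assignments, rules)
            if hit[4] not in controls.get(hit[0], set())]


def report(assignments, controls, rules=SOD_RULES):
    """Human-readable summary: every conflict, marked as compensated or open."""
    lines = []
    for user, a, b, risk, control in find_sod_conflicts(assignments, rules):
        status = "compensated" if control in controls.get(user, set()) else "OPEN"
        lines.append(f"{user}: {a} + {b} [{status}] risk: {risk}; "
                     f"required control: {control}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ASSIGNMENTS, CONTROLS_IN_PLACE))
```

The output distinguishes a conflict that is acceptable because its compensating control is documented (alice) from one that is still open (carol, twice). In practice the assignment matrix would be exported from the system's role or authorization tables and the control register from the control documentation, and the check rerun whenever either changes.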

  • As gmerkl recommends, the following are ‘FREE to download’ resources for evaluating both IT and non-IT controls. Many SOX auditors use these comprehensive documents as a framework to ascertain controls:
    COSO - Financial workflow/process
    COBIT 4.x - Financial IT System controls
