Segregation of Duties 733

  • What points do you think is most important to cover?
    I am sitting here with 3 templates from D_and_T, none of them are perfect, and is going to create one that’s better than the 3
    Any guidance?

  • The principal incompatible duties to be segregated are:
    Custody of assets
    Authorization or approval of related transactions affecting those assets
    Recording of related transactions
    Execution of the transaction
    Controls over the processing of a transaction should not be performed by the same individual responsible for recording of the transaction.

    You need a simple matrix with 5 columns:

    1. Transaction Process/Execution
    2. Authorization
    3. Custody of Assets
    4. Recording
    5. Control Over Execution
      First column: We put processes like:
      Preparation of checks
      Signing of check
      Mailing of checks
      Issuance of purchase orders
      Approval of access to vendor master files
      Approval of purchase orders
      Generate revenue reporting
      Process credit card settlement transactions
      Reconcile credit card settlement transactions
      Other columns: The persons responsible
      Keep it simple

  • i’m struggling with this as well. we only have 1 DBA. That person makes changes in test and migrates to production. do we have to hire another person to have segregation of duties?

  • Overnight guest:
    Thanks, that link from Microsoft made me think of a few points that was missing from the D-and-T ones.
    Sorry, my question was probably a bit misleading. Was in a hurry when I posted it, just before I left for the weekend. I was looking for transactions that D-and-T had not included, and was looking for pointers on these.

  • ugogirl:
    I think there are a lot of companies in your position, lacking the people to do true separation of duties. In your case, here is what I would do:

    1. make sure you have identified the lack of SOD as a risk that has been evaluated by your management.
    2. identify any possible mitigating IT controls. I would rely heavily on end-user testing.
    3. identify financial controls that would mitigate the risk, such as reconcilliation efforts of the system to paper records or other records that the DBA doesn’t have access to.
    4. make sure you have a change management process that you can show is being effectively followed. part of the change process would be independent approval of the change, business unit notification of the change, and BU testing (#2 above)
      If this were a financial process SOD issue, like AP and check approval, the external auditor would have a pretty solid arguement that you need another person, and I’ve read some disclosures where the auditor has stated such, but I’ve not read any of them that said that more IT staff is needed.
      Showing diligence with what you have to work with, and an understanding of the risks involved should go far. They may hit you with a significant deficiency, but if communicated right, it will likely be acceptable to the business.
      Or, you can do what most of the other companies out there are doing and go crying to the BOD asking for more IT resources (and budget) because of the SOX monster 🙂

Log in to reply