High level controls within Accounting environment 1997



  • Hi all,
    maybe you guys can give me an idea on how to carry on with the following issue:
    What happens, within the SOX world, if the Head of Accounting has all the power to do any transaction (change and review master data, pursue bookings, review and release payment proposal lists, etc.) within the accounting environment? This is not SOX conformant, I assume…
    However, who can control this in a medium-sized business (<200 employees)? Or, better asked, what do you think: how can this fact be controlled at all?
    Any ideas are highly appreciated.
    Thanks for your time
    Lee



  • On a basic level, this looks like a Segregation of Duties issue, combined with a risk of Management Override.
    Both could be determined as significant/material if they were not compensated by something else.
    COSO’s guidance for ICFR in Smaller Companies recommends that certain reviews are performed by managers, but as the head of accounting is the person in question, it looks like there is no-one available to perform these reviews.
    In order to determine whether or not the issue can be resolved, you will have to provide us with details as to how many persons report to the Head of Accounting, and who he reports to (i.e. CEO or group CFO in a head office location).
    If the head of accounting reports into another office, which performs further reviews of the department’s work, this may not be as significant an issue as it looks.
    In any case, I would question the Head of Accounting as to why he needs to have transactional entry for everything. Surely his access should be on a review-and-monitor basis, with transactional access relating only to complex areas of accounting?



    You are definitely right with all you said. However, in smaller departments (about four to five bookkeepers reporting to the Head of Accounting, and the HoA reporting to the CFO and Headquarters) he has to conduct booking and reporting tasks as well. In addition, he is the only person who is really trained in the new SAP software (accounting matters), which has been installed without proper SoD and access right definition, by the way. He could basically conduct fraudulent tasks without notice (because he is really the main control).
    I think this is the main topic about SOA. It gives middle managers and clerks a whole workload to deal with, but does not really influence the high-class employees (in middle-sized companies). Certainly apart from the fact that misstatements and fraud resulting from non-compliance might send you to prison eventually. I am interested in how high-level controls are installed in other countries (for me it is Germany), because internal audit always lacks resources and sometimes the authority to implement internal controls at a high level.
    Oh, that sounds resigned, but I am still enjoying working on this topic; however, I am not sure whether SOA meets the goals it was initially installed for.
    Thanks for your feedback
    Lee



  • Lee-Michael,
    That is exactly the same structure that one of the entities in our group operates (4 bookkeepers and one financial controller).
    I really do not believe that there is any reason why he should have access to every single transaction. There should be enough room here for him to approve journals only. He should not be creating and posting under the same transactions.
    If you feel that there is absolutely no-way out of this, I would recommend that you place an order for the COSO guidance for Internal Controls over Financial Reporting in smaller companies. The guidance provides useful alternative controls to compensate where there are segregation of duties issues and a risk of management override.
    I would also suggest that your CFO gets more heavily involved in the monthly/quarterly review of financial reports so as to hinder any risk that fraudulent financial reporting by the head of accounting may go undetected.



  • I also agree with EMM’s good advice. Additionally, some ideas include:

    1. If you have a company auditor as part of your staff (e.g., Internal Auditor), maybe they can help provide some of the checks-and-balances required.
    2. Setting up secure directories if some of this is done in Excel (so that working copies are formally published to production)
    3. Versioning and change control products can help with Excel and other file formats
    4. Have IT create special reports for all the special transactions processed during a period of time and someone might review these periodically with the CFO.
    In a smaller company, it is difficult to create the same type of controls you would see in larger firms. Still, material risks should be researched and controlled to the best of one’s ability.
    Finally, these types of controls aren’t necessarily about fraud or ‘cooking the books’, but primarily to prevent accidents, as we’re all human 🙂
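    The exception report suggested in point 4 and the conflicting-function problem raised throughout the thread, as an added example that is not part of any post above and not SAP's own functionality: a small Python script that scans a constructed journal-entry, master-data-change and payment-release log for segregation-of-duties conflicts. The field names (`created_by`, `posted_by`, `changed_by`, `released_by`), the user ids (`hoa`, `bk1`, `cfo`), the list of conflicting function pairs and the 30-day window are all assumptions chosen for illustration; a real ERP export would need its own column mapping. It goes slightly beyond the thread in that it also derives, from the same logs, which users in fact exercised two conflicting functions, which is the access-level view an auditor would want next to the transaction-level findings.

```python
"""Segregation-of-duties (SoD) exception report over constructed ERP logs.

Added example for the thread above; not code from the thread or from SAP.
All records below are constructed sample data, and all field names, user ids
and conflict pairs are assumptions for illustration.
"""
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M"

# Constructed journal entries: who keyed the entry and who posted it.
JOURNAL = [
    {"doc": "1000001", "created_by": "bk1", "posted_by": "hoa", "vendor": "V100", "amount": 1200.00, "ts": "2007-03-02T10:15"},
    {"doc": "1000002", "created_by": "hoa", "posted_by": "hoa", "vendor": "V233", "amount": 48900.00, "ts": "2007-03-03T16:40"},
    {"doc": "1000003", "created_by": "bk2", "posted_by": "hoa", "vendor": "V100", "amount": 310.50, "ts": "2007-03-03T17:05"},
    {"doc": "1000004", "created_by": "hoa", "posted_by": "cfo", "vendor": "V410", "amount": 9800.00, "ts": "2007-03-04T09:00"},
]

# Constructed vendor master-data changes (bank account changes are the sensitive ones).
MASTER_DATA_CHANGES = [
    {"vendor": "V233", "field": "bank_account", "changed_by": "hoa", "ts": "2007-03-03T09:05"},
    {"vendor": "V100", "field": "address", "changed_by": "bk2", "ts": "2007-02-20T11:00"},
    {"vendor": "V410", "field": "bank_account", "changed_by": "bk1", "ts": "2007-01-10T14:00"},
]

# Constructed payment proposal releases.
PAYMENT_RELEASES = [
    {"doc": "1000002", "vendor": "V233", "released_by": "hoa", "amount": 48900.00, "ts": "2007-03-04T08:30"},
    {"doc": "1000001", "vendor": "V100", "released_by": "cfo", "amount": 1200.00, "ts": "2007-03-05T08:30"},
    {"doc": "1000004", "vendor": "V410", "released_by": "hoa", "amount": 9800.00, "ts": "2007-03-05T08:35"},
]

# Assumed SoD matrix: pairs of functions one person should not hold together.
CONFLICTING_PAIRS = [("create", "post"), ("create", "release"), ("master_data", "release")]


def _ts(s):
    return datetime.strptime(s, TS_FORMAT)


def same_user_create_and_post(journal):
    """Transaction-level check: documents created and posted under one user id."""
    return [e["doc"] for e in journal if e["created_by"] == e["posted_by"]]


def master_change_then_release(changes, releases, sensitive_fields=("bank_account",), window_days=30):
    """Transaction-level check: a payment released by the same user who changed a
    sensitive master-data field of the payee within the preceding window.
    Returns (doc, vendor, user, field) tuples."""
    window = timedelta(days=window_days)
    findings = []
    for r in releases:
        for c in changes:
            if (c["vendor"] != r["vendor"] or c["changed_by"] != r["released_by"]
                    or c["field"] not in sensitive_fields):
                continue
            gap = _ts(r["ts"]) - _ts(c["ts"])
            if timedelta(0) <= gap <= window:
                findings.append((r["doc"], r["vendor"], r["released_by"], c["field"]))
    return findings


def functions_per_user(journal, changes, releases):
    """Access-level view derived from activity: which functions each user actually exercised."""
    per = {}
    for e in journal:
        per.setdefault(e["created_by"], set()).add("create")
        per.setdefault(e["posted_by"], set()).add("post")
    for c in changes:
        per.setdefault(c["changed_by"], set()).add("master_data")
    for r in releases:
        per.setdefault(r["released_by"], set()).add("release")
    return per


def users_with_conflicts(per_user, pairs=CONFLICTING_PAIRS):
    """Users who exercised both halves of at least one conflicting pair."""
    out = {}
    for user, funcs in per_user.items():
        hit = [p for p in pairs if p[0] in funcs and p[1] in funcs]
        if hit:
            out[user] = hit
    return out


def exception_report(journal=JOURNAL, changes=MASTER_DATA_CHANGES, releases=PAYMENT_RELEASES):
    """Lines for a periodic CFO review, combining both transaction-level checks and the per-user view."""
    lines = [f"self-posted document: {d}" for d in same_user_create_and_post(journal)]
    lines += [f"master data change and release by same user: doc {d} vendor {v} user {u} field {f}"
              for d, v, u, f in master_change_then_release(changes, releases)]
    for user, pairs in sorted(users_with_conflicts(functions_per_user(journal, changes, releases)).items()):
        lines.append(f"user {user} exercised conflicting functions: {pairs}")
    return lines


if __name__ == "__main__":
    for line in exception_report():
        print(line)
```

On the sample data only the user id `hoa` appears in every finding, which is the situation described in the thread: the transaction-level lines are what the CFO reviews each period, and the per-user line is the evidence for asking why that user needs posting and release rights at all rather than approval rights alone.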
