I’ll get to the downloadable SOX segregation of duties matrix in a moment, but first let me address a question from one of our readers.
Needless to say, I appreciate all feedback, including one recent comment regarding my article Segregation of Duties and Its Role in Sarbanes-Oxley Compliance Issues:
Mr. Hankewicz misstates Section 404 in his article “Segregation of Duties and Its Role in Sarbanes-Oxley Compliance Issues.” He says “this section (404) is a comprehensive list of accepted internal controls organizations must have in place to be deemed SOX-compliant. The list targets application internal controls and highlights areas where fraudulent reporting is likely to occur.” We WISH it was a “comprehensive list.” In fact, the adequacy of controls is all subject to individual interpretation. It DOES NOT have “key provisions in this section [for] segregation of duties.” This is all interpretation being made but presented as fact!
I believe the introduction of SOX and section 404 (Assessment of internal control) was an attempt to restore investor confidence in publicly traded organizations in the aftermath of some well publicized incidents of fraudulent reporting activity. Section 404 stated that an internal control report must be included in the financial reports of all publicly traded organizations. I concur: section 404 does leave much room for individual interpretation by indicating in rather broad terms that company management is responsible for ensuring an “adequate internal control structure” and that all auditors must be able to attest to the organization’s level of “internal control.”
Clearly, section 404 has been the most difficult part of SOX to manage. However, the Public Company Accounting Oversight Board (PCAOB) has made a few attempts to demystify the more ambiguous elements of the section. Along these lines, in 2004 the PCAOB released Auditing Standard No. 2, and in 2007 it superseded that standard with Auditing Standard No. 5.
These standards draw on the internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), established in 1985.
Among the key provisions:
1. identifying significant financial reporting elements
2. identifying material financial reporting risks within these accounts or disclosures
3. determining which entity-level controls would address these risks with sufficient precision
4. determining which transaction level controls would address these risks in the absence of precise entity-level controls
5. determining the nature, extent, and timing of evidence gathered to complete the assessment of in-scope controls
You can find further information at the COSO and PCAOB web sites.
SOX Segregation of Duties Matrix
Download your SOX segregation of duties matrix here. Here’s how it works:
A fundamental element of internal control is the segregation of certain key duties. The basic idea underlying segregation of duties is that no employee or group should be in a position to both commit and conceal errors or fraud in the normal course of their duties. In general, the principal incompatible duties to be segregated include
An essential feature of segregation of duties/responsibilities within an organization is that no employee or group of employees has unrestricted control over any transaction or group of transactions.
Based on the above criteria, I’ve constructed a matrix to highlight combinations of duties that, when performed by one individual or group of individuals, could lead to improper segregation of duties.
The matrix is divided into three areas:
1. accounting and inventory controls
2. expenditure and financial controls
3. organization and IT infrastructure
Each tab has four key areas:
a) From left to right, each tab lists a set of activities, for a total of 98 activities across all three tabs.
b) The column on the far left lists the individual roles that generally execute those activities.
c) I’ve checked off the cells where roles align with the activities; this helps you easily determine potential areas of conflict.
d) At the bottom of each tab I’ve summarized the total number of overlapping responsibilities and assigned a risk factor:
High: 0-4 overlapping responsibilities
Medium: 5-9 overlapping responsibilities
Low: more than 9 overlapping responsibilities
The risk factors are based on generally accepted accounting principles, as well as SOX section 404 principles. They are meant as a guideline to rate organizations and to highlight areas that require further refinement.
The more individuals who review an activity, the lower the risk of fraudulent activity to your organization. I’ve created a section (shaded blue) where you can evaluate your own organization.
The goal is to ensure that sufficient segregation of duties is in place and that there are multiple checks and balances to minimize the risk of fraud.
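The matrix described above is easy to reproduce in code, and doing so makes two distinct risks visible: the count of how many roles are checked against an activity (the risk factor used in the spreadsheet), and the classic segregation-of-duties conflict from the principle stated earlier, where one role, or one person accumulating several roles, holds two incompatible duties on the same transaction. The following Python is an added example written for this page, not the downloadable spreadsheet; the roles, activities, user-to-role assignments and the list of incompatible duty pairs are all constructed for illustration and are not taken from the matrix or from SOX.

```python
"""Toy segregation-of-duties (SoD) analysis over a role-by-activity matrix.

Added example, not the article's spreadsheet. MATRIX and ASSIGNMENTS are
constructed sample data, and INCOMPATIBLE is an assumed, illustrative list of
duty pairs; none of them is taken from SOX or from the downloadable matrix.
"""
from collections import Counter

# Constructed sample slice of a role x activity matrix: each role maps to the
# activities checked off against it (in the spirit of an "expenditure and
# financial controls" tab).
MATRIX = {
    "Buyer":              {"Initiate purchase order", "Approve purchase order"},
    "Purchasing Manager": {"Approve purchase order", "Review purchase orders"},
    "Receiving Clerk":    {"Receive goods"},
    "AP Clerk":           {"Record vendor invoice", "Approve vendor payment"},
    "Controller":         {"Approve vendor payment", "Reconcile bank statement"},
    "Internal Audit":     {"Review purchase orders", "Review payments"},
}

# Constructed user-to-role assignments. Role accumulation is where SoD often
# breaks in practice even when each role on its own looks clean.
ASSIGNMENTS = {
    "alice": {"Buyer"},
    "bob":   {"Receiving Clerk", "Purchasing Manager"},
    "carol": {"Internal Audit"},
}

# Assumed incompatible duty pairs: whoever holds both halves can both commit
# and conceal an error or fraud on the same transaction.
INCOMPATIBLE = [
    ("Initiate purchase order", "Approve purchase order"),
    ("Initiate purchase order", "Receive goods"),
    ("Approve purchase order", "Receive goods"),
    ("Record vendor invoice", "Approve vendor payment"),
    ("Approve vendor payment", "Reconcile bank statement"),
]


def roles_per_activity(matrix):
    """Number of distinct roles checked against each activity, i.e. the
    article's count of 'overlapping responsibilities' for that activity."""
    return Counter(act for acts in matrix.values() for act in acts)


def risk_factor(overlaps):
    """The article's thresholds: the fewer roles that touch an activity,
    the fewer independent eyes on it, so the higher the risk."""
    if overlaps <= 4:
        return "High"
    if overlaps <= 9:
        return "Medium"
    return "Low"


def coverage_report(matrix):
    """(activity, overlaps, risk) for every activity, sorted by activity name."""
    counts = roles_per_activity(matrix)
    return [(act, n, risk_factor(n)) for act, n in sorted(counts.items())]


def _pairs_held(activities, incompatible):
    """Incompatible pairs fully contained in one set of activities."""
    return [(a, b) for a, b in incompatible if a in activities and b in activities]


def sod_conflicts(matrix, incompatible=INCOMPATIBLE):
    """The other kind of risk: a single role holding an incompatible pair.
    Returns sorted (role, duty_a, duty_b) triples."""
    return sorted((role, a, b)
                  for role, acts in matrix.items()
                  for a, b in _pairs_held(acts, incompatible))


def effective_activities(user, assignments, matrix):
    """Union of the activities of every role assigned to a user."""
    acts = set()
    for role in assignments.get(user, ()):
        acts |= matrix.get(role, set())
    return acts


def user_conflicts(assignments, matrix, incompatible=INCOMPATIBLE):
    """Conflicts that only appear once a user's roles are combined.
    Returns sorted (user, duty_a, duty_b) triples."""
    return sorted((user, a, b)
                  for user in assignments
                  for a, b in _pairs_held(
                      effective_activities(user, assignments, matrix), incompatible))


if __name__ == "__main__":
    for act, n, risk in coverage_report(MATRIX):
        print(f"{act:26s} roles={n}  risk={risk}")
    for role, a, b in sod_conflicts(MATRIX):
        print(f"ROLE CONFLICT: {role} holds both '{a}' and '{b}'")
    for user, a, b in user_conflicts(ASSIGNMENTS, MATRIX):
        print(f"USER CONFLICT: {user} holds both '{a}' and '{b}'")
```

With a sample this small every activity scores High under the count rule, so the two conflict lists are the more informative output here. On a full matrix the two views complement each other: the count tells you where too few eyes are on an activity, while the conflict check tells you where the same pair of eyes sits on both sides of a transaction, including the case of a user such as bob whose individual roles are clean but whose combined entitlements are not.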
I just wanted to say that this is a good article. I especially liked the matrix scorecard with regard to the SOX segregation of duties outline.
I appreciate your words of support. At TEC we appreciate our readers and want to provide value that endures. Please feel free to refer your colleagues to our site. Are there areas that you, as our reader, would suggest we cover?
I have gone through the article and the matrix. Excellent guide, and it reflects days of sweating it out to produce such a piece.
I am an Oracle apps R12 consultant from Hyderabad, India, and find this a handy guide/checklist for completing control studies, even in non-SOX countries.
I especially liked the matrix scorecard with regard to the SOX segregation of duties outline.
Please provide me with information in reference to SOX and software. I recall hearing that SOX prefers that companies utilize their operating systems to their full capacity and do not integrate Excel spreadsheets, Crystal Reports, etc. with data, due to the risk of part of the information being lost or inaccurate after a download, or the risk of human error at data entry.
Is this a true statement?
Thanks for the matrix on segregation. That may well be the most important download I’ve had in many years. I have something similar although much less comprehensive. Keep up the good work.
I took the liberty of modifying the segregation of duties matrix and automating the calculation of the “Number of overlaps” and the “Risk factor”. If you’d like, I can send you the spreadsheet. Thanks.
What about SOX compliance for SUPPLY CHAIN MANAGEMENT.
I like this matrix. As someone else pointed out it shows that you took the time and did a good job.
Harold, please upload this automated spreadsheet.
To Chandra, maybe the TEC’s earlier article below can be of some help with regards to SOX and SCM:
Thanks and regards, P.J.
Thanks for the article and the spreadsheet. I have found it most useful in keeping the focus on transparency and checks and balances.
Thanks again.. The time and dedication to providing a great solution shows.
All the best
May I please have a copy of the modified document you created.
I am not clear why you considered low numbers of overlaps to be high risk and vice versa.
As I understand accountability, shared accountability is equal to no accountability. (As in “I thought you did it!!”)
I think it would be helpful in the future if you can explain more clearly the context of your risk ranking system.
Also, given the ubiquity of project management (not only IT project managers, but ANYONE managing projects in the organization), it would also be great if you added that role to the organizational matrix.
Many thanks for an excellent product and one I hope to be able to cite in my research.
Dr. PDG, Jakarta, Indonesia
The definition of risk in your SOD matrix seems to look at risk from only one side.
While having a greater number of people reviewing an activity is good, there is a different kind of risk, where the same person should not be doing multiple things in a process. For example, the buyer initiating an asset purchase should not be approving it or be responsible for receiving it.
Where is this kind of risk covered in your matrix?
You have raised a number of excellent issues that I will try to respond to in this limited amount of space. The number system was simply a means to distinguish and prioritize risk. The issue of accountability within SOX is to have another set of eyes look at the particular set of issues, the premise being that someone independent of the person performing a set of tasks has the ability to review and monitor the subject, to ensure that no errors or improper reporting take place, as per SOX segregation of duties guidelines.
Of interesting note: if SOX is so seemingly onerous to deploy, imagine the challenges in 2014 when GAAP financial reporting is replaced with IFRS.
I would like to thank you and all readers for taking the time to express your thoughts and opinions; this type of dialogue is always appreciated. I also welcome the critical views, as this will ultimately serve to make me a better analyst and broaden my perspective so that our readers are collectively better served. In terms of identifying risk, as stated earlier, risk is mainly addressed from a financial perspective, and how duties need to be looked at to identify potential areas where it can be addressed. In your experience, what other elements do you feel SOX does or does not cover? Risk management is an interesting subject. Although somewhat alarmist, I have always had the thought that at least once a year, just at auditing time, a lecture should be given to raise sensibilities in all areas of the organization and remind people that business processes should be aligned to minimize the exposure in these areas.
I wish you had highlighted the process owner, so it would mitigate the benefit.
For example, you could highlight (X) the link between Deposit Cash Receipt and Sales/Customer Service, so everyone knows that the AR Clerk shouldn’t have that task, so as not to conflict with posting deposits.