Home > Risk > Advice on scoping SOX work on segregation of duties (SOD) and restricted access (RA)

Advice on scoping SOX work on segregation of duties (SOD) and restricted access (RA)

Many organizations do far too much work on these areas, primarily because they scope the work in isolation from their top-down approach to the identification of key controls. They base their scope on good business practice, and/or a list of ‘rules’ from a consultant or software vendor, rather than focusing on the access limitations necessary to prevent an action that might lead to a material misstatement of the financials.

The following discussion is taken from my book, Minimize Costs and Increase the Value of Your Sarbanes-Oxley 404 Program: Management’s Guide to Effective Internal Controls, published by and available from the Institute of Internal Auditors (just $35 for members in hard copy, $25 as a PDF download).

Segregation of duties and restricted access controls must be identified, assessed, and tested where they are key controls. (A key control is one that is relied upon to either prevent of detect a material misstatement of the financials.) Key SOD and RA controls include those that:

  • Are required for an authorization control to be effective. For example, if the business control requires that all purchase orders be approved in the system by the purchasing manager, it is critical to ensure that only the purchasing manager has that capability.
  • Reduce the risk of a material fraud that could be reported incorrectly in the financial statements.

With restricted access and segregation of duties, there is a risk of doing more work than is required for Sarbanes-Oxley. While there are excellent business reasons for restricting access to only those functions individuals need to perform their assigned tasks, it is important to remember that only fraud risk that is both material and also misstated in the financials is within scope for Sarbanes-Oxley.

This last point is important. Many companies test SOD using a standard set of “rules” (combinations of access privileges deemed inappropriate) that have been provided by a consultant or vendor. While they may represent a risk to the business (at least in theory), they may not represent a risk of material misstatement for your organization. The rules used to drive SOD testing should be based on the top-down, risk-based approach described above, to support a key control or reduce the risk of a material fraud.

As an example, at a company where I was responsible for the Sarbanes-Oxley program, both the external auditor and the internal auditor (at that point, the internal audit activity was outsourced) had tested user access consistently for several years. They each used a standard set of more than 150 rules to identify (a) access to important ERP transactions, and (b) SOD conflicts where one individual would have the ability, using a combination of ERP transactions, to commit a fraud. When the Sarbanes-Oxley team changed to a risk-based approach, concentrating on testing access rights that represented a risk of material misstatement, the number of rules was cut to about 20.

Is your SOX scope based on a top-down, risk-based assessment when it comes to SOD and RA?

Please share how many rules you test (tests of SOD and/or RA).

  1. Linda DiPaola, CPA CISA CGEIT
    March 4, 2013 at 12:21 PM

    We use a top-down, risk-based methodology that starts with financial statement line items; materiality and qualitative scope is determined and the line items are linked to the underlying processes and software. Our key controls, therefore are limited to those processes only; flowcharts and key controls display or test segregation of duties and restricted access, but only for those processes already determined to be in scope. We therefore do not have a list of “rules” to determine inappropriate access, except maybe that developers should not have the ability to migrate code to production, or in the financial area – people do not have access to assets and recordkeeping (for example, the person who cuts checks cannot approve purchases or perform the bank reconciliation). Using a holistic approach to SOX keeps us from getting carried away, especially in the IT arena – we keep in mind that many IT deficiencies are mitigated in the financial process area through the use of timely reconciliations.

    • Norman Marks
      March 5, 2013 at 7:32 AM

      Linda, this reads as if every control in an ‘in-scope’ process is considered key. Is that right?

      Also, if developers were able to migrate code into production what would happen? I would have to believe there would be at least a reasonable likelihood that it might result in the introduction of a material error in the financial statements.

  2. Andrew Noone
    March 4, 2013 at 1:26 PM

    A great piece on moving away from the established and frankly old school approach to managing systematic risks. I am constantly challenged by the non-finance community to justify why extensive SOD rules are required across processes that contain no direct fraud or Mis-statement risks. I personally advise clients to focus extensively on key risks and controls which often causes a great deal of debate with the external auditors as its is opposed to their standard approach of using 100’s of pre-determined rules.

    Keep up the good work Norman.

    • Norman Marks
      March 5, 2013 at 7:32 AM

      Thanks, Andrew

  3. Richard Fowler
    March 5, 2013 at 5:36 AM

    I’d be very interested in learning more about your former company’s process of moving to the risk-based approach. What was the primary driver? Did you have external audit support for the change? Who conducted the risk assessments? Since Year 1 of SOX ,we have regularly re-evaluated our key controls to ensure that they are, in fact, key to the financial statements and we get buy-in on these changes from our external auditors. This has greatly reduced the number of controls we test, but SOD remains a key control.

    We have also reduced the number of ERP transactions we include in our SOD testing, but it still includes almost 100 since most critical transactions do not have an inherent dollar limit. We then review and assess the risks of any unusual transaction combinations. If we added materiality into the equation, we could easily reduce at least the number of users we review. But in theory, even if they had a $5000 transaction limit, users could still create material deficiencies if they created thousands of incorrect transactions. Obviously, the risk of such a deficiency is extremely low. Do you have any suggestions in that regard? What would be a good approach to start reducing the number of SOD rules we review?

    • Norman Marks
      March 5, 2013 at 7:37 AM

      Richard, I admit that I was the driver. Every additional key control carries a significant cost – in terms of management and external audit testing, and in operating management support.

      When you look at SOD, you need (IMHO) to consider what might be the result of a failure in any one of them. Remembering that the only fraud you need to worry about for SOX is one that would result in a material misstatement, usually only a few SOD tests are needed. Very few, because it is unusual for an SOD failure to cause a key control to fail (usually only where a key control should only be performed by specific individuals) or otherwise cause a material error in the financials.

      I have taken this approach at several companies, without having any problem with the external auditors. They often come forward and say “what about this rule” and I simply ask what the effect would be if it failed.

  4. March 5, 2013 at 8:54 AM

    Really….too much work? That is not what I have seen since Sarbanes-Oxley (SOX) was introduced. Prior to SOX, most companies didn’t even look twice at segregation of duties and Internal Audit functions performed little work in this area. SOX required organizations to look at their control environment, document such, identify and remediate gaps, etc., with a hope to provide assurance to investors that what is reported has integrity and that assets are safeguarded; segregation of duties helps achieve the latter. Also, organizations that manage segregation of duty efficiently and effectively do a lot in minimizing the risk of fraud within the organization!!! An area that the external auditors are now placing more focus on – e.g., must assess risks of material misstatement due to fraud as noted in AS13.

    Unfortunately, when Companies tried to setup a sustainable work program with regards to segregation of duties, they failed miserably primarily due to the amount of resources dedicated to such; most programs were manual, took weeks to analyze, review, correct, finalize and conclude (a lot more time and effort needed than was initially anticipated – JMO)…..and as such, more often than the not, segregation of duties took a back seat to other control activities. Many SOX programs only looked at SOD once a year (clearly on the wrong side of the pendulum particularly with the quarterly section 302 certification requirements). Still to this day, there are plenty of organizations that do what they consider is the bare minimum as it relates to segregation of duties, since they place too much reliance on other control activities to offset of the risks associated with an inadequate process to manage segregation of duty conflicts.

    As it relates restricted access, I believe this can go hand in hand with managing incompatible functions / responsibilities with gives rise to segregation of duty conflicts. Again, what I have seen is that this was a manual effort prior to SOX and little time was spent in that area. After SOX though, I believe many companies improved in this area as it was much easier to manage than segregation of duties. Companies, oftentimes working with consultants and the external auditors, identified a list of critical transactions where access should be restricted (many times combined with the annual segregation of duty review). However, as managing access to specific transactions is relatively easy to do, the frequency moved to a minimum of quarterly review to be line with the quarterly section 302 certification requirements. And many companies now use tools to manage access continuously, either through their ERP’s GRC function or a third party software or service provider.

    But at the end of the day, how much is too much and how little is too little? Obviously, this is at the discretion of management (based on their risk appetite) but what I have seen is that many organization still do too little. There is always room to improve particularly as it relates to the level of assurance the company provides its shareholders that it is effectively safeguarding company assets. And if you believe the latest statistics (2012) from the ACFE, i.e., estimated that the typical organization loses 5% of its revenues to fraud each year, why wouldn’t an organization evaluate the risk of fraud within the organization and dedicate sufficient resources, e.g., in the areas of managing access to critical transactions and managing segregation of duty? Both key fraud controls!!!

    That’s all for now. I could ramble on for hours on this topic.

    Have a good day!

  5. Norman Marks
    March 5, 2013 at 9:03 AM

    Bill, may I suggest that we need to separate two issues:
    1. The work required for SOX: an assessment as of year-end that the system of internal control provides reasonable assurance that the financial statements are free from material error
    2. The work required to provide reasonable assurance that the controls necessary to run the business are adequately designed and operating effectively.

    The first is as of year-end and focuses on reasonable assurance that there will not be material misstatements – and material means in the eyes of a reasonable investor.

    The second is year-round and includes how all risks of importance to the achievement of objectives are managed.

    The external auditors are only required to assess the first scope, so costs are managed by ensuring that controls included in #2 are not unnecessarily included in #1.

    As you correctly state, the external auditors “must assess risks of material misstatement due to fraud as noted in AS13”.But most frauds either do not rise to the level of materiality to the financial statements, and few even cause an error in the published financials!

    For example, if a fraudulent vendor is created and an employee is able to obtain funds by getting fictitious invoices for supplies paid, the financials will correctly report cash and expenses.

    I do ramble on for hours on this, whenever I hold my SOX training classes. My mantra is to ask whether the failure of any control (including any single SOD rule) is likely to result in a material misstatement.

  6. John Parsons
    March 15, 2013 at 6:35 AM

    Thank you for this informative post which fits my views on the overuse of SOD controls exactly. I am also pleased that you are focusing SOD risks on intentional actions (frauds, obfuscation of mistakes, etc.) rather than errors as I have seen in other guidance.

    I am trying to give theoretical guidance to our IT function as to which SOD pairs in the ERP system would be higher-risk and which can be merely monitored periodically, but I have seen little thought on this topic. From discussion, and your previous commentators, it is clear that materiality “per transaction” is not relevant as a fraudster would normally prefer to have smaller individual transactions to avoid detection. Your advice about top-down analysis is good in theory, but difficult to implement in practice as any transaction will affect key balances (most frauds appear in SG&A or cost of sales, so what).

    I am trying to breakdown the judgment calls for determining which pairs of transactions are high-risk, and which are lower. For example, I know that the ability to purchase and receive materials is risky, but the ability to enter a customer order and receive is less so, but theoretically why. Is it merely the seperation by department?

    What guidance do you, or the community, have for breaking down the judgment calls so that I can advise experts in the ERP system on which pairs are worthy of segregating, and which are less risky?

    • Norman Marks
      March 15, 2013 at 2:41 PM

      If you are focused on fraud risk (and my comment was about SOX), it is very useful to work through the fraud schemes that would be involved. For example, is access to the inventory records and to inventory adjustments and issue when the employee is in China and the inventory is in Mexico?

      Does that help?

      Norman D. Marks, CPA, CRMA OCEG Fellow, Honorary Fellow of the Institute of Risk Management Evangelist and Mentor for better run business

      • John Parsons
        March 18, 2013 at 6:45 AM

        Thanks for the reply. The reason I focused on intentional single-person cover-ups is I believe these are the only risk that SOD controls mitigate (not accidental error, or any collusion). Material financial misstatement (covered by SOX) are extreme examples due to materiality limits – the largest frequency of single-person frauds cannot materially misstate.

        I am mainly interested in risk-ranking logical-access SOD controls which, I believe, are mostly to prevent occupational frauds, not financial statement frauds. My reasoning is that people with the most motivation to commit fin stmt fraud can do so without entering any system as they normally have sufficient authority in the organization (e.g. Madoff or Fastow).

        I have found some guidance from an Internal Auditor (April 2009) article by Nick Stone regarding the need to focus on the critical few SOD risks. Unfortunately, there seems to be little theoretical guidance on how to differentiate high- from low-risk access. As we try to classify thousands of potential pairs of access, it would be nice to have a model of which pairs are risky, and which are unlikely to allow for a fraud.

  7. Chris Simpson
    March 20, 2014 at 4:55 PM

    How far is too far? There are certain individuals in my accounts team that perform certain tasks and have restricted access to performing them so, with access to other functions that may conflict and lead to manipulation of the numbers. Fine, no issue. Is it then a step to far to state that their direct line manager, who would not normally perform such tasks in their day to day role, would be restricted from performing these very same tasks of the person they manage? Technically there could be conflict given the line manager also has certain privileges to perform a conflicting task. In my opinion this restricts the business though. A line manager will at some point need to perform these tasks for a number of reasons. Do their other privileges need to be removed for this to happen, if so then this is not reasonable. Would love to hear thoughts on this.

    • Norman Marks
      March 21, 2014 at 6:03 AM

      Chris, its a matter of risk: what is the level of risk and what is your and management’s judgment about whether it is acceptable. Are there mitigating detective controls that would let management know should the line manager abuse his authorities?

      Sometimes, a line manager (up to and including the CFO) may say he needs the same access rights as his staff so he can back them up. But, that is not always good business practice. What would you think of a CFO preparing and approving journal entries?

      • Dav
        January 11, 2016 at 4:35 PM

        You don’t think a CFO can modify his results after the data has been extracted but before he hands it off to external reporting bodies? That is far easier and more likely event than a back office IT guy having advanced access. Overall the majority of this effort is proving a pile of rubbish for the company in most cases and a pile of cash for those firms doing the audits.

  8. idm
    March 21, 2014 at 4:30 AM

    After looking over a few of the articles on your web page,
    I honestly like your way of blogging. I added it to my bookmark
    website list and will be checking back soon. Please check out my web site as well
    and let me know how you feel.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: