Question

In finance and accounting system, if you have established an (Separation of Duty) SoD rule, is there ever a time when the rule should be broken to allow an SoD violation in the system? Please provide the rationale for your response.

Answer 1

The answer to the following question

It is a well known theory and a top contributor for fraud activties which are taken part in the SOX act.The challenge of achieving is more found in case of small and medium sized companies where there is lack of advanced tools and managers do not have the expertise to mange this risk.So the internal audit team should work closely with the business and IT teams to segregate the duties and assign mitigation control where the feasibility is not there.Also monitoring of these activties have to be done and reported to senior management.

So for the remediation and assessment Process following are the initiatives which are needed to determine and address SOD .

Phase 1;Gather a List of applicable SOD conflicts;

So to gather on the list of SOD conflict which can happen in any business and this can be achieved as follows:

• Identify the key respinsibilities for each business process areas
• Define the segregation of duties rules
• Create a SOD matrix from these rules

Phase II Analyze SOD Output:

This can be performed manually or with the help of a tool.In case of using a tool following are the activtites which should be followed

• Upload the details of the SOD in the tool which it is referred
• Execute the SOD tool
• Perform the SOD conflict analysis.

Phase III Remedy and Cleaning

• In this phase evaluate whether the conflicts can be performed by alternate persons to enable it to be done by the help of the IT team.
• If it is not possible becuase of practical difficulties formulate an appropriate control to mitigate that risk.
• That would enable working within the group and doing setting up the additional monitoring activties to achieve that .

Finally everything is measured and a go forward is given after a request is reviewed against the SOX matrix prior to implementing in the system.