Sod & Sox Anil

Upload: nandakishore8281

Post on 28-Nov-2014

Page 1: Sod & Sox Anil

Agenda

Sarbanes Oxley Act Compliance (SOX)

- SOX Compliance Requirements

- Control System and Sections in SOX

- Advantages and Disadvantages of SOX

Segregation of Duties (SOD)

- SOD Conflicts

- Segregation of Duties and Role Matrix

- SOD Risks and Remediation Approach

- SOD Implementation

- Advantages of SOD

Page 2

Historical Perspective of SOX

• The SOX Act is a United States federal law.

• SOX was created as a reaction to corporate scandals; the timeline leading up to it:

- 1960-1980s: Quality Movement (TQM, BPR, Deming, etc.)

- 1990s: Dot-com bubble, market euphoria

- 2001: Enron

- 2002: WorldCom

- 2002: Sarbanes-Oxley

• Also known as the 'Public Company Accounting Reform and Investor Protection Act' (in the Senate) and the 'Corporate and Auditing Accountability, Responsibility, and Transparency Act' (in the House).

• It is named SOX after its sponsors, U.S. Senator Paul Sarbanes and U.S. Representative (Congressman) Michael G. Oxley.

Page 3

Sarbanes Oxley Act 2002

• Enacted to prevent corporate and accounting scandals at prominent public companies, and to protect investors.

• SOX is designed to protect shareholders' investments from scandal and deception.

• Its reporting and internal-control requirements apply to public companies, not to privately held ones (a few provisions, such as the criminal penalties for destroying records, apply regardless of listing status).

• The act contains 11 titles or sections, ranging from additional corporate board responsibilities to criminal penalties.

• It requires the Securities and Exchange Commission (SEC) to issue rules implementing its requirements.

• Changes how companies manage :

- Auditors

- Financial Reporting

- Executive Responsibility

- Internal Controls

Page 4

SOX Compliance Requirements

• The SOX Act is based on three principles:

- Integrity

- Accuracy

- Accountability

• All publicly traded companies in the United States must comply with SOX.

• Companies preparing an Initial Public Offering (IPO) must also comply with SOX.

• Companies must release all relevant financial data, ensuring the 'integrity' of the data.

• The released data must be reliable, ensuring its 'accuracy'.

• Finally, SOX mandates that the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) personally certify the data and accept 'accountability' for errors.

Page 5

Control System

• What is a control system?

For SOX compliance, the control system is the set of procedures and processes by which an organization organizes and monitors its activities in the best interest of the company and its investors.

• Many industries follow the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework and ITGI (IT Governance Institute) guidance for SOX compliance.

• Financial reporting systems depend heavily on a well-controlled IT environment (ITGI 2004).

• Internal controls include information security controls.

• ITGI identified security controls required by SOX in the following areas:

- Security Policy

- Security Standards

- Access and Authentication

- Network Security

- Monitoring

- Segregation of Duties

- Physical Security

Page 6

Sections of SOX

• The Sarbanes-Oxley Act is arranged into eleven titles or sections. As far as compliance is concerned, the most important sections are as follows.

• Section 103 - Auditing, Quality Control, and Independence Standards and Rules - Requires registered audit firms to retain all audit-related records (including electronic ones) for 7 years.

• Section 201 - Services outside the scope of practice of auditors

• Section 302 - Corporate Responsibility for Financial Reports - Requires the CEO and CFO to certify the accuracy of corporate financial reports.

• Section 404 - Management Assessment of Internal Controls - Requires management to assess, and the external auditor to attest to, the effectiveness of internal controls over financial reporting.

• Section 406 - Code of Ethics for senior financial officers

• Section 409 - Real Time Issuer Disclosures - Requires issuers to disclose material changes in their financial condition or operations "on a rapid and current basis."

• Section 802 - Criminal Penalties for Altering Documents - Requires retention and protection of audit and related documents, including electronic records, and criminalizes their destruction or falsification.

Page 7

Importance of Sections 302 and 404

• Section 302 requirements - the CEO and CFO must certify the following:

- They have reviewed the quarterly or annual financial report

- The report fairly represents the company's financial position

- They are responsible for establishing disclosure controls and procedures

- They have evaluated the effectiveness of those controls and procedures

- They have disclosed any weaknesses in, or significant changes to, the controls to the external auditors

• Section 404 requirements - internal control report and external auditor attestation:

- Each annual report must contain an internal control report by management

- The external auditors must attest to management's assertions about internal controls and procedures for financial reporting

Page 8

Advantages of SOX

• Helps organize and develop controls

• Encourages re-evaluation and monitoring of current controls

• Organizes the year-end financial process effectively

• Prevents fraud

• Improves the company's image

Page 9

Disadvantages

• Increasing the number and functions of internal controls slows down and delays financial statement preparation.

• Borrowing current employees from outside the accounting office to staff controls is not acceptable, because it breaks down the internal control function.

• Global problem, local hell: one regulation that every local entity and system has to implement for itself.

Page 10

Segregation of Duties (SOD)

• Separation of incompatible business duties and/or responsibilities.

• Segregation of Duties is enforced through access controls.

• Access control ensures that no single individual has control over two or more phases of a transaction or operation.

• SOD controls apply to both the Information Technology organization and the business units.

• Segregation of Duties ensures that:

- Errors are reduced, as SoD introduces a cross-check between roles/responsibilities.

- The risk of fraud is reduced, as fraud would require collusion between two or more individuals.

- Roles/responsibilities are clearly separated across the various functions of the organization.

- SOX compliance (through the COSO framework and the PCAOB auditing standards used for Section 404) specifically calls for good SOD controls.

Page 11: Sod & Sox Anil

What will happen if SOD does not exists?

• If proper SoD does not exist in an organization, then:

- Ineffective internal access controls

- Improper use of materials, money, financial assets and resources.

- Estimation of financial condition may be wrong.

- Financial documents produced for audits and review may be incorrect.

• If the company hires good people ,SOD is not an issue

• Proper SOD cannot be implemented, in such cases there should be a mitigating control designed in order to keep a check on the unresolved SoD.

• Mitigating control that checks on database ,that is where his(User) creation and modification transactional data is saved, or may be a review of transactional logs can be a mitigating control.

Page 12

404 and Segregation of Duties

• To comply with Section 404 of SOX:

Requirements of Management:

- Identify and document processes and SOD controls across IT security and financial processes.

- Where appropriate SOD cannot be implemented, design and document mitigating controls.

- Design monitoring controls for critical processes and critical roles.

- Implement SOD and mitigating controls.

- Ensure continuous compliance by monitoring and tracking the controls.

Requirements of Auditors:

- The auditor must understand how management addressed Segregation of Duties in its 404 compliance program.

- The auditor must test the effectiveness of the SOD controls.

Page 13

SOD Components

• Incompatible job functions: to maintain proper SOD, no employee should be responsible for two or more of the following four functions for a single transaction class.

- Record Keeping: creating and maintaining departmental records

- Asset Custody: access to and/or control of physical assets

- Authorization: reviewing and approving transactions

- Reconciliation: assurance that transactions are proper

Page 14

Common SOD Conflicts

• Common causes of SOD conflicts

- Lack of understanding of application security

- Excessive access assigned to user community

- Lack of management oversight and review

- Organizational structure

• Information Technology Organization

- Developers with update access to production data and to the mitigation processes

- Security officers with system administration capabilities

• Process level

- User with ability to add vendors and control payments

- Payroll and employee administration capabilities

- Input and review performed by same person

Page 15

Technical Conflicts

• There are two types of technical conflicts:

1. Intra conflict - arises from a single role (e.g. a user profile) being defined with excessive, conflicting privileges; the risk reaches the user through a single security object.

2. Extra conflict - arises from multiple security roles being assigned to one user, so that conflicting privileges reach the user through multiple security objects.

[Figure: Intra conflict - one security object grants two conflicting privileges to the user. Extra conflict - two security objects each grant one privilege to the user, and the two privileges conflict.]

Page 16

Segregation of Duties and Role Matrix

• Segregation of Duties can be represented in a role matrix.

• The role matrix is a two-dimensional matrix.

• All the roles/responsibilities and all the functions/processes in the enterprise are identified and placed on the two axes of the matrix.

• For each combination of role/responsibility (one axis) and function/process (the other axis), a flag records whether the combination is conflicting or not.

Here is a sample role matrix. It has been built for a set of six processes and a set of six responsibilities, one for each process. X - existence of a conflict. [The matrix image itself is not reproduced in the transcript.]

Page 17

SOD Risks

• SOD conflicts exist when a user is assigned to multiple roles that together allow a significant amount of control over a business process.

Mitigate Control

• Once you accept an SOD conflict, you must mitigate the risk caused by allowing the conflict to exist. To mitigate the risk, you must assign a Mitigating Control to the SOD conflict.

• Control ID: the unique ID that identifies the mitigating control.

• The Control ID needs to carry the functional team's information so that the owning team can be identified.

• A Mitigating Control is in place to document:

– The reason why a risk is permitted to exist

– Names of the individuals who will own and monitor the risk

– The actions that a mitigation monitor will take to effectively monitor the risk

– The frequency that the risk will be monitored

Remediate Control

• You can remediate an SoD conflict by deleting the conflicting role assignment. The other option is to remove the transaction within the role

Page 18

Remediation approach

• Risk identification and remediation software helps automate all SOD-related activities.

• Risk identification and remediation detects even obscure access and authorization risks across SAP and non-SAP applications, covering segregation-of-duties risks as well as critical-transaction monitoring.

• It enables fast access and authorization control and efficient remediation.

• It mitigates access and authorization risks by automating workflows.

• It enables collaboration among business and technical users.

Page 19

Examples of functional risks

• Create a vendor and process a payment to that vendor

• Change a vendor's bank account and process a payment to the fraudulent bank account

• Enter an invoice and release the same invoice

• Create and process a purchase order to a vendor

• Create or maintain a shopping cart and approve the same shopping cart

• Maintain employee master data and process payroll
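The mitigating control described on Page 11 (a review of transaction logs where a conflict could not be removed) can be turned into a detective check for the functional risks listed above. The following is an added example and is not code from the original deck: the log format, the action names and every log line are constructed for illustration, and it flags each posting that the same user preceded with the conflicting first action on the same vendor or document.

```python
"""Detective mitigating control for an unresolved SOD conflict: scan the
application's change and posting log for one user who performed both halves
of a conflicting duty pair on the same vendor/document.

Added example, not taken from the original deck. The log format, the action
names and every log line below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Conflicting (first action, second action) pairs, ordered in time, taken
# from the deck's functional-risk examples. The second action is the one that
# moves money or releases a document, so it is the event we review.
CONFLICT_PAIRS = (
    ("VENDOR_CREATE", "PAYMENT_POST"),        # create a vendor, then pay it
    ("VENDOR_BANK_CHANGE", "PAYMENT_POST"),   # change bank details, then pay
    ("INVOICE_ENTER", "INVOICE_RELEASE"),     # enter an invoice, then release it
)

# Constructed sample log: "timestamp|user|action|object|detail"
SAMPLE_LOG = """\
2014-09-01T10:00:00|cwong|VENDOR_BANK_CHANGE|V4400|bank=changed
2014-11-03T09:12:00|jdoe|VENDOR_CREATE|V1007|name=Acme Supplies Ltd
2014-11-03T09:20:00|jdoe|PAYMENT_POST|V1007|amount=48200.00
2014-11-04T14:05:00|asmith|VENDOR_BANK_CHANGE|V2210|bank=changed
2014-11-05T08:30:00|bjones|PAYMENT_POST|V2210|amount=12000.00
2014-11-06T12:00:00|dlee|PAYMENT_POST|V5500|amount=300.00
2014-11-07T12:00:00|dlee|VENDOR_BANK_CHANGE|V5500|bank=changed
2014-11-10T11:00:00|asmith|PAYMENT_POST|V2210|amount=9900.00
2014-11-11T16:40:00|bjones|INVOICE_ENTER|V3301|invoice=INV-77
2014-11-12T10:15:00|bjones|INVOICE_RELEASE|V3301|invoice=INV-77
2014-11-20T10:00:00|cwong|PAYMENT_POST|V4400|amount=500.00
"""


def parse_log(text):
    """Parse pipe-separated log lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, obj, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "object": obj, "detail": detail})
    events.sort(key=lambda e: e["ts"])
    return events


def find_violations(events, pairs=CONFLICT_PAIRS):
    """Return one finding per second-action event that the same user
    preceded with the matching first action on the same object.

    Only same-user, same-object, first-before-second sequences are flagged:
    a payment posted by a different user than the one who changed the bank
    account is exactly what SOD intends, and a bank change made after a
    payment cannot have diverted that payment (the next payment will be
    caught). No time window is applied, because a long gap between the two
    actions is not exculpatory.
    """
    by_user_object = defaultdict(list)
    for e in events:
        by_user_object[(e["user"], e["object"])].append(e)

    findings = []
    for (user, obj), evs in by_user_object.items():
        for first, second in pairs:
            firsts = [e for e in evs if e["action"] == first]
            for s in (e for e in evs if e["action"] == second):
                prior = [f for f in firsts if f["ts"] <= s["ts"]]
                if not prior:
                    continue
                f = max(prior, key=lambda e: e["ts"])  # most recent first action
                findings.append({
                    "user": user, "object": obj,
                    "first": first, "second": second,
                    "first_ts": f["ts"], "second_ts": s["ts"],
                    "days_between": (s["ts"] - f["ts"]).days,
                    "detail": s["detail"],
                })
    findings.sort(key=lambda x: (x["second_ts"], x["user"]))
    return findings


def summarize(findings):
    """Count findings per user, the view a mitigation monitor signs off on."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in find_violations(parse_log(SAMPLE_LOG)):
        print(f"{f['user']:8} {f['object']:6} {f['first']:>18} -> {f['second']:<15} "
              f"{f['days_between']:3d} days  {f['detail']}")
```

On the constructed log this flags jdoe, asmith, bjones and cwong once each, and deliberately not bjones's payment to V2210 (a different user changed that vendor's bank details) or dlee (the bank change came after the payment). For a real mitigating control, the findings list, the name of the reviewer and the review frequency are what the Control ID on Page 17 documents.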

Page 20

SOD Implementation

Implementation of SOD is done as a project; the steps are described below:

• Identify the objectives of the organization and survey the nature of the jobs and job profiles in the organization.

• Identify the processes that are being followed in the organization.

• Identify the current state of roles/responsibilities and authorizations in the enterprise.

• Create the role matrix. Mark roles on one axis of the matrix and functions on the other. For each cell, decide whether an SOD conflict would arise if access to that function were given to a single individual holding that role, and flag the position Yes or No.

• After analyzing the SOD conflicts in the role matrix, discuss them with management and make the required changes to resolve them.

Page 21

• At positions in the role matrix where SOD conflicts cannot be resolved, design mitigating controls.

• According to the findings in the role matrix, generate the roles and mitigating controls within the enterprise system.

• Create a document that clearly defines the required changes in a simple and organized manner.

• Document the various roles, processes and mitigating controls for auditing and reporting.

• Inform management of, and report on, the changes required.
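The role matrix of Page 16, the intra/extra conflict distinction of Page 15 and the matrix-building and mitigation steps of Pages 20 and 21 can be carried out mechanically once roles, users and conflicting function pairs are written down. The following is an added example and is not code from the original deck: the function, role and user names and the mitigating-control ID are constructed, and the conflicting pairs are the functional risks the deck lists.

```python
"""Static SOD analysis over a role matrix.

Builds the role-vs-function matrix from the deck (Page 16, Pages 20-21),
finds intra conflicts (one role grants both halves of a conflicting pair)
and extra conflicts (the pair reaches a user through two roles), as on
Page 15, and reports which accepted conflicts lack a mitigating control.

Added example, not taken from the original deck. Function, role and user
names and the mitigating-control ID are constructed.
"""

# Functions (duties), taken from the deck's functional-risk examples.
FUNCTIONS = ["VENDOR_MAINTAIN", "INVOICE_ENTER", "INVOICE_RELEASE",
             "PAYMENT_POST", "PO_CREATE", "PO_APPROVE"]

# Pairs of functions that no single person may hold together.
CONFLICTS = {
    frozenset({"VENDOR_MAINTAIN", "PAYMENT_POST"}),   # create/change a vendor and pay it
    frozenset({"INVOICE_ENTER", "INVOICE_RELEASE"}),  # enter an invoice and release it
    frozenset({"PO_CREATE", "PO_APPROVE"}),           # create and approve a purchase order
}

# Security objects: each role grants a set of functions (constructed).
ROLES = {
    "AP_CLERK": {"INVOICE_ENTER", "PAYMENT_POST"},
    "AP_SUPERVISOR": {"INVOICE_RELEASE", "VENDOR_MAINTAIN"},
    "PURCHASER": {"PO_CREATE"},
    "PO_APPROVER": {"PO_APPROVE"},
    "VENDOR_MASTER": {"VENDOR_MAINTAIN", "PAYMENT_POST"},  # badly cut role
}

# Role assignments (constructed).
USERS = {
    "jdoe": {"AP_CLERK", "AP_SUPERVISOR"},
    "asmith": {"VENDOR_MASTER"},
    "bjones": {"PURCHASER"},
    "cwong": {"PURCHASER", "PO_APPROVER"},
}

# Accepted conflicts, keyed by (user, pair), with their Control IDs (constructed).
MITIGATING_CONTROLS = {
    ("cwong", frozenset({"PO_CREATE", "PO_APPROVE"})): "MC-PUR-01",
}


def role_matrix(roles=ROLES, functions=FUNCTIONS, conflicts=CONFLICTS):
    """The deck's role matrix: cell (role, function) is 'X' when giving that
    function to a holder of the role would create an SOD conflict with a
    function the role already grants, '.' otherwise. An 'X' on a function
    the role already holds is an intra conflict built into the role."""
    matrix = {}
    for role, granted in roles.items():
        matrix[role] = {
            fn: "X" if any(frozenset({fn, g}) in conflicts
                           for g in granted if g != fn) else "."
            for fn in functions
        }
    return matrix


def render_matrix(matrix, functions=FUNCTIONS):
    """Plain-text rendering of the matrix for review with management."""
    width = max(len(r) for r in matrix)
    lines = [" " * width + "  " + " ".join(f[:8].ljust(8) for f in functions)]
    for role, row in matrix.items():
        lines.append(role.ljust(width) + "  " +
                     " ".join(row[f].ljust(8) for f in functions))
    return "\n".join(lines)


def intra_conflicts(roles=ROLES, conflicts=CONFLICTS):
    """Roles whose own privilege set already contains a conflicting pair."""
    return [(role, pair) for role, granted in roles.items()
            for pair in conflicts if pair <= granted]


def user_conflicts(users=USERS, roles=ROLES, conflicts=CONFLICTS):
    """Every conflicting pair each user can exercise, classified as
    'intra' (both halves come from one role) or 'extra' (from several)."""
    findings = []
    for user, assigned in users.items():
        held = set().union(*(roles[r] for r in assigned))
        for pair in conflicts:
            if not pair <= held:
                continue
            via_single = sorted(r for r in assigned if pair <= roles[r])
            contributing = via_single or sorted(r for r in assigned if roles[r] & pair)
            findings.append({"user": user, "pair": pair,
                             "kind": "intra" if via_single else "extra",
                             "roles": contributing})
    return findings


def unmitigated(findings, controls=MITIGATING_CONTROLS):
    """Accepted conflicts must carry a Control ID; the rest need remediation
    (drop the role assignment or cut the function out of the role)."""
    return [f for f in findings if (f["user"], f["pair"]) not in controls]


if __name__ == "__main__":
    print(render_matrix(role_matrix()))
    for f in user_conflicts():
        control = MITIGATING_CONTROLS.get((f["user"], f["pair"]), "UNMITIGATED")
        print(f"{f['user']:8} {f['kind']:5} {sorted(f['pair'])} via {f['roles']} -> {control}")
```

With the constructed data, VENDOR_MASTER shows an intra conflict (the Page 17 remediation is to cut PAYMENT_POST out of that role), jdoe has two extra conflicts that arise only from combining AP_CLERK with AP_SUPERVISOR (remediation: drop one assignment), and cwong's create/approve conflict is accepted under MC-PUR-01, so only three findings come back as unmitigated.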

Page 22

Advantages of SOD

• SOD helps to manage risk.

• SOD controls are reinforced by frequent audits and reviews.

• SOD controls can be used to measure and resolve the risks associated with the different roles and their access to functions.

• To resolve conflicts, design the roles, functions and processes executed in the enterprise according to business needs.