Segregation of Duties and Its Role in Sarbanes-Oxley Compliance Issues

In the aftermath of some highly publicized cases of corporate fraud, the US government passed legislation intended to enforce compliance and financial-reporting standards. The most notable of these laws is the Sarbanes-Oxley Act (SOX) of 2002. The primary goal of SOX is to bring a higher level of transparency into organizations' business processes, financial transactions, and accounting methods, to ensure that recognized and accepted accounting principles are practiced.

In this new SOX era, the issue of compliance spans several industries, attempting to bring evolving standards to both public and private sector organizations. The requirement of continuous reporting of financial information now forces organizations that had previously been less transparent to tighten and maintain their audit and control practices on an ongoing basis.

Traditional Audit and Compliance Standards Prior to SOX

Pre-SOX standards were designed to ensure a degree of corporate governance by focusing on the areas outlined by the Committee of Sponsoring Organizations (COSO) and on an IT system process framework. This framework was provided by the Control Objectives for Information and Related Technology (COBIT) IT process standard, which was developed in 1992 by the Information Systems Audit and Control Association (ISACA). COBIT was to provide adequate control levels for organizational structure, ethical standards, and board and audit committee review. It was the earliest set of audit standards developed to deal with IT processes and audit procedures. COBIT focused on application controls, general control of information systems, and security issues.

Reporting standards used prior to SOX remain in place today. Of these, the most notable are the EU's adopted version of the International Financial Reporting Standards (IFRS) and the US's Generally Accepted Accounting Principles (GAAP). In 2002, an agreement known in financial industry circles as the Norwalk Agreement was struck. This agreement states that US-based companies' financial-reporting procedures are to be harmonized with the European standard by the end of 2008. The implementation of SOX for firms that import into and export out of the United States is yet another layer of compliance standards recently introduced. Table 1 lists several other audit control standards, both pre- and post-SOX.

Table 1. Audit control standards, pre- and post-SOX

Regulation | Purpose/Target Industry
SOX | publicly traded US companies
ISO 17799 | IT security standards
Canadian bills 198, 52-109, and 52-111 | Canada's SOX equivalents
Basel II Accords | G8 regulations for international banking
Health Insurance Portability and Accountability Act (HIPAA) | US health and medical industries
Office of Management and Budget (OMB) Circular A-123 | US government agency financial standards
Solvency II | European insurance industry standards
IFRS | European accounting standards
Organisation for Economic Co-operation and Development (OECD) principles | EU agencies of internal controls
GAAP | US-based generally accepted accounting principles


Within SOX is a provision entitled Section 404. This section is a detailed account of the accepted internal controls organizations must have in place to be deemed SOX-compliant. The account targets application internal controls and highlights areas where fraudulent reporting is likely to occur, whether intended or not. Among the key provisions in this section is segregation of duties (SOD). SOD aims to close loopholes that would otherwise permit questionable accounting practices; one of its key attributes is that it allows the monitoring of processes and cross-verification of transactions processed in real time.

In simplified terms, SOD is based on the concept of having more than one person in an organization qualified and authorized to complete a task. SOD is a security principle whose main goals are the prevention of fraud and errors. These two objectives are achieved through the reviewing of business processes and the distribution of tasks and associated authorizations among several levels of hierarchy. Such actions serve as validation; in other words, they are a series of checks and balances.

One way to illustrate the key tenets of SOD is to consider an accounting department in any small to medium business (SMB). Here, some of the daily activities include the receiving of checks as invoice payments, approval of employee time cards, processing of payroll checks, and reconciliation of bank statements. Within these activities a form of SOD is already in place; usually the issuing of checks requires different levels of approval and more than one signature. In essence, more than one person validates a process or activity.

In terms of IT, SOD issues are not as clearly defined, and in many instances, individuals in an SMB have multiple levels of responsibility, which can bring them into conflict with the stated goals of SOX and SOD.

Following are five scenarios in which IT processes can conflict with the goals of SOD:

1. Improper account provisioning for change, meaning access rights to applications are not changed (revoked) when employees leave the organization or a department.

2. Insufficient control of change management issues, meaning a change is made to a financial application or process without a documented record of the date the change occurred, the nature of the change, and which people in the organization are impacted by the change, for quality assurance purposes.

3. IT departments lack an understanding of key system configuration workflow processes.

4. No audit logs are used to document unusual system or application occurrences.

5. No root cause analysis is performed to determine what caused an unusual event.

Twin Pillars of Protection

In any organization, IT serves as both the guardian and the distribution point for information. Financial reporting serves as the means to support an IT infrastructure. Insofar as systems infrastructure and financial reporting are linked, the requirement is to ensure that the integrity of the system and the processes that support it are in compliance with recognized standards and practices. Within these twin pillars of protection are principles that must be adhered to in order to ensure the integrity of the system, the public's confidence in the system, and that all key requirements of SOX Section 404 are met. Figure 1 depicts the basic steps to take to meet these requirements.


1. Study business control processes.

Below are three of the primary business control processes essential to support SOX compliance:

1. Controls found within most ERP systems: these controls include orders processed only within assigned customer credit limits. All goods shipped have an associated invoice.

2. General IT controls: these grant authorized individuals access control to order management and receivables applications. This process ensures that system upgrades and fixes are documented.

3. Manual controls: these controls ensure that only authorized individuals can modify or cancel a customer order.

2. Develop and automate internal testing to support the system.

Most organizations typically run financial reports on a monthly and a quarterly basis, reporting the organization's performance in terms of inventory and projected sales. To ensure compliance with SOX-SOD requirements, these two procedures are essential:

1. Using internal data to ensure that no sales or financial records can be modified without being identified, logged, and approved by three levels of authorization.

2. Reviewing examples of where individuals violate SOD requirements (e.g., people who perform purchasing activities cannot also be involved in the receiving of inventory and the posting of accounts payable).

The purpose of this exercise is to demonstrate that an internal, documented process exists to delegate responsibilities and prevent any ability to modify or destroy financial-related data.

3. Compare audit results with recognized compliance standards (e.g., COBIT, COSO).

When organizations are in the process of selecting enterprise software applications (e.g., an ERP system), due diligence is advised as part of the request for proposal (RFP) process to ensure that the proposed vendor's solution adheres to the recognized financial-reporting and compliance standards in its industry. When interfacing a new solution with a legacy application or with an internally developed system, the COBIT and SOX models should be the fundamental criteria for assessing whether the new system meets your organization's compliance and financial-reporting requirements. Following are some other points to consider:

* Data revision management: changes to financial-reporting data should be carefully managed, ensuring that all modifications are approved and documented.

* Contracts: all IT vendor contracts and service level agreements (SLAs), including their financial implications, must be clearly defined.

* Third-party equipment: third-party software must abide by recognized and accepted standards. License and user requirements must be defined in vendors' contracts, as these requirements are also subject to the accepted performance criteria indicated in the vendor SLA at the time of software purchase.

* Access control: ensure users have an identifiable security password and user code, which track access and transactions performed.

* Security: the system must be in compliance with ISO 17799 and designed in a way that limits exposure or access to unauthorized parties.

* Incident management: the system must record all incidents of failure or loss of data, and must support Information Technology Infrastructure Library (ITIL) guidelines. Corrective action to be taken must be documented so that it can be retrieved, and the work performed by another person.

SOD Checklist

If your organization is planning to test its SOX- and SOD-readiness, then a good starting point is to obtain a copy of ISACA's segregation of duties control matrix to use as a general guideline. If after reviewing the matrix you determine that your company performs certain tasks that cannot be segregated, then you can implement a series of other controls. Below are a few separate control procedures to help achieve SOX-SOD compliance:

* Ensure that transparent audit trails are in place, that management is aware of each individual's level of responsibility, and that corresponding approval is established.

* Ensure that information related to who did the work, who approved the work, and the date and time the process was completed is documented in the audit trail.

* Enable the ability to review transactions at random times, thereby instilling confidence in the process.
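The two step-2 procedures (three-level approval of record changes; purchasing, receiving and accounts-payable held by different people) and the audit-trail items in the checklist above, as an added Python illustration that is not TEC's or ISACA's matrix. The duty names, user names, conflict pairs and records are constructed sample data.

```python
# Added illustration; not TEC's or ISACA's matrix. All names and records are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Pairs of duties one person must never hold together (constructed matrix
# modelled on the page's purchasing / receiving / accounts-payable example).
CONFLICTS = {
    frozenset({"purchasing", "receiving"}),
    frozenset({"purchasing", "post_ap"}),
    frozenset({"receiving", "post_ap"}),
    frozenset({"issue_check", "reconcile_bank"}),
}

def sod_violations(assignments):
    """assignments: {user: set of duties}. Returns sorted (user, duty, duty)."""
    found = []
    for user, duties in assignments.items():
        for pair in CONFLICTS:
            if pair <= duties:              # user holds both conflicting duties
                found.append((user,) + tuple(sorted(pair)))
    return sorted(found)

@dataclass
class ChangeRecord:                         # one audit-trail entry for a record change
    record_id: str
    performed_by: str
    performed_at: datetime
    approvals: list                         # (approver, approved_at) tuples, one per level

def change_problems(rec, required_levels=3):
    """Empty list means the change met the page's three-level approval rule."""
    problems = []
    approvers = [who for who, _ in rec.approvals]
    if len(approvers) < required_levels:
        problems.append(f"{len(approvers)} of {required_levels} approval levels")
    if len(set(approvers)) != len(approvers):
        problems.append("one person approved at more than one level")
    if rec.performed_by in approvers:
        problems.append("performer approved own change")
    if any(when < rec.performed_at for _, when in rec.approvals):
        problems.append("approval recorded before the change was made")
    return problems

def sample_change_records():
    """Constructed records: one compliant, one with several control failures."""
    t0 = datetime(2008, 3, 1, 9, 0)
    later = [t0 + timedelta(hours=h) for h in (1, 2, 3)]
    good = ChangeRecord("INV-1042", "carol", t0, list(zip(["dave", "erin", "frank"], later)))
    bad = ChangeRecord("INV-1043", "carol", t0, [("dave", t0 - timedelta(hours=1)), ("carol", t0)])
    return {"good": good, "bad": bad}
```

Run `sod_violations` over a real role export and `change_problems` over each audit-trail entry; any non-empty result is an item for the random review the last checklist point calls for.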

A Final Word

The introduction of SOX is hoped to bring a new level of accountability to the corporate world. It is believed by many that from the cases of corporate fraud in the United States several years ago, a new opportunity has emerged for corporate America to show integrity and prove that the interests of customers, employees, and shareholders are its primary concern. The real outcome in all of this has been that those running organizations realize that their companies are part of the community they serve, and criminal behavior will not be tolerated. The compliance aspects of SOX and SOD, though challenging to accept at first, limit the opportunity (or chance) for wrongdoing, and ensure that organizations employ automated and detailed processes to run their business.

Stay tuned for an upcoming blog post that will feature TEC's own SOX-SOD compliance matrix. This post will highlight the key areas to review in order to determine your organization's SOD-readiness, as well as show how your organization compares with industry standards.

