July 9, 2008
Like controls documentation and access provisioning in previous years, segregation of duties management is part of this year’s initiative for auditors and their review of your internal controls. Unfortunately, this can escalate the already excessive costs of Sarbanes-Oxley compliance if companies continue to manage and test their internal controls as they did in the first years under Section 404 of the Enron-inspired law.
With a bottom-up approach to implementing and testing controls, companies spent millions to document and validate low-level process controls without consideration of financial risk. These largely manual efforts led to tedious work that consumed thousands of man-hours and produced minimal benefit.
To extend this bottom-up approach to segregation of duties controls, companies are forced to identify all users of corporate financial systems who can potentially violate SoD rules and then reconfigure – or redeploy – the ERP systems to eliminate the SoD weaknesses. However, most financial executives realize that not all segregation of duties weaknesses can be eliminated without reengineering financial processes or hiring dozens of new employees to properly separate functions without overlapping responsibilities.
Compliance costs then shift from mundane controls testing and documentation to complex IT projects and permanent additions to overhead. In many cases, the cost to eliminate an SoD weakness far exceeds its financial risk.
Segregation of duties in the real world demands top-down management that eliminates financial risk without adding overhead costs or extinguishing ERP-fueled efficiency gains of the last decade. Fortunately, auditors and government regulators are moving beyond simple checklists of mandates to advocate a risk-based approach to SOX compliance and internal controls. This is great news for finance executives and compliance managers who can lead their companies to reduce compliance costs while accomplishing the ultimate goal of SOX – financial integrity.
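The risk-based approach described above, as an added example that is not part of the original article: a small SoD check that flags users holding conflicting ERP roles, then ranks each conflict by the value of transactions the user actually processed and recommends remediation only where that exposure exceeds a materiality threshold. The role names, user assignments, exposure figures and threshold are all constructed for illustration.

```python
from dataclasses import dataclass

# Pairs of ERP roles that one person must not hold together. Frozensets so the
# order of the two roles does not matter when matching. (Constructed rules.)
SOD_RULES = {
    frozenset({"vendor_master_maintain", "ap_invoice_post"}): "create a vendor and pay it",
    frozenset({"ap_invoice_post", "payment_release"}): "post and release payments",
    frozenset({"gl_journal_post", "gl_journal_approve"}): "self-approve journals",
}

# Constructed user-to-role assignments, as exported from an ERP user/role table.
USER_ROLES = {
    "alice": {"vendor_master_maintain", "ap_invoice_post"},
    "bob": {"ap_invoice_post", "payment_release", "gl_journal_post"},
    "carol": {"gl_journal_post", "gl_journal_approve"},
    "dave": {"payment_release"},
}

# Constructed 12-month transaction value (USD) each user processed under their
# roles; in practice this comes from the ERP transaction log, not a hand list.
USER_EXPOSURE = {"alice": 45_000, "bob": 6_200_000, "carol": 180_000, "dave": 900_000}

# Constructed threshold; a real one is set from the audit's materiality figure.
MATERIALITY = 500_000


@dataclass
class Violation:
    user: str
    roles: frozenset
    description: str
    exposure: int
    action: str


def find_violations(user_roles, exposure, materiality):
    """Return SoD violations ranked by financial exposure, highest first."""
    found = []
    for user, roles in user_roles.items():
        for pair, description in SOD_RULES.items():
            if pair <= roles:  # user holds both roles of a conflicting pair
                value = exposure.get(user, 0)
                action = ("remediate: remove one role" if value >= materiality
                          else "accept: compensating detective review")
                found.append(Violation(user, pair, description, value, action))
    return sorted(found, key=lambda v: v.exposure, reverse=True)


if __name__ == "__main__":
    for v in find_violations(USER_ROLES, USER_EXPOSURE, MATERIALITY):
        print(f"{v.user:6} {v.exposure:>10,} {v.description:28} -> {v.action}")
```

Only bob's conflict clears the threshold and gets a role change; the two low-value conflicts are accepted with a review control instead of a reconfiguration project.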
