Do we have enough IT automation to avoid corporate frauds?
Following are certain IT SOX compliance areas which deserve to be prioritized for IT automation within each organization.
What is SOX?
Sarbanes-Oxley (SOX) Compliance monitors controls for key enterprise-wide processes that have a direct impact on an enterprise's financial reporting. SOX Compliance documents, standardizes, tests and reports on these key controls in IT and the business to meet annual legislative requirements. The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. These scandals, which cost investors billions of dollars when the share prices of the affected companies collapsed, shook public confidence in the nation's securities markets.
The rules and enforcement policies outlined by the SOX Act amend or supplement existing legislation dealing with security regulations. The basic outline is as follows:
1. Establishment of a Public Company Accounting Oversight Board, where public companies must now be registered.
2. Strict auditor regulation and control by means of auditing committees and inspecting accounting firms.
3. Heightened corporate responsibility for any fraudulent actions taken.
4. Stricter disclosure within company financial statements, and ethical guidelines to which senior financial officers must adhere.
5. Authorities available to the Commission and the Federal Court, as well as required broker and dealer qualifications.
What are Key Financial Controls?
§ Financial Controls are those controls that primarily:
Act as “checks and balances” to ensure that the information on a company’s financial statements is correct.
Relate to the preparation of reliable external financial statements as published in SEC filings (10-Qs, 10-Ks, annual reports) or earnings releases.
§ Key Financial Controls (KFCs) are the Financial Controls deemed most essential to a process.
§ SOX compliance only requires documentation and testing of KFCs.
Application controls are generally 'programmed' into application systems with the objective of ensuring the integrity of transactional and master data related to financial reporting that is initiated, recorded, stored and reported on in the application system, or between multiple systems, by executing automated functions related to the completeness, accuracy and validity of the data.
Application controls are classified into two types:
§ Combo controls: control activity includes both a manual portion and IT system dependent portion
§ Automated Controls: control activity is 100% IT system dependent (i.e. has no human involvement)
General examples of application controls are:
§ Embedded controls: controls programmed into a system, e.g. calculations, edit checks, automatic holds, etc.
§ Reports: system generated reports e.g. application custom reports or standard reports and business object reports
§ Interfaces: data transfer between systems
§ Workflow: system generated workflow specific to a business process e.g. transaction approval routing.
What are User Access Controls (UAC)?
User access controls protect an organization's information resources and the integrity of financial data entered, authorized, stored, processed and reported on in the applications used for financial transactions and reporting.
What is Segregation of Duties?
Segregation of Duties (SOD) is a key internal control that, at the most basic level, attempts to ensure that a user’s access to two or more phases of a transaction or operation does not create risk.
Within any flow of transactions, the same person should not be responsible for conflicting tasks, because this creates risk. By dividing responsibilities, no one person has the ability to perpetrate fraud or cause errors in the financial statements.
What is Restricted Access (RA)?
Many processes and controls are fully or partially automated. It is impossible to think about the division of responsibility without examining the power that is given through user access to applications. “Who has access to what” is a critical part of examining opportunities to commit fraud or cause errors in the financial statements. Through the proper restriction of access to applications by roles and job functions, an organization can help minimize these risks.
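The SOD and Restricted Access sections above describe the kind of "who has access to what" review that an IT automation effort would script. The following is an added example (not code from the original article) of an automated SOD exception report: roles are mapped to the entitlements they grant, a conflict matrix names the entitlement pairs no single user may hold, and each user's effective access is tested against it. The role names, entitlements and user list are constructed sample data for a purchase-to-pay flow, not from the article.

```python
"""Automated Segregation of Duties (SOD) check over user-role assignments.

Added example with constructed data; role and entitlement names are
assumptions chosen to illustrate a typical purchase-to-pay flow.
"""

# Constructed: each role grants access to one phase of the payment cycle.
ROLE_ENTITLEMENTS = {
    "AP_VENDOR_MAINTAIN": {"create_vendor", "change_vendor_bank"},
    "AP_INVOICE_ENTRY": {"post_invoice"},
    "AP_PAYMENT_RELEASE": {"approve_payment_run"},
    "GL_READ_ONLY": {"view_ledger"},
}

# Constructed conflict matrix: entitlement pairs one person must not hold,
# because together they let a single user both commit and conceal a fraud.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment_run"}),
    frozenset({"change_vendor_bank", "approve_payment_run"}),
    frozenset({"post_invoice", "approve_payment_run"}),
}


def effective_entitlements(roles):
    """Union of the entitlements granted by all of a user's roles.
    Unknown roles grant nothing rather than raising, so a stale role in an
    access export does not abort the whole review."""
    ents = set()
    for role in roles:
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def sod_violations(user_roles):
    """Return {user: sorted list of conflicting entitlement pairs}.
    user_roles maps a user id to the list of roles assigned to that user.
    Users with no conflict are omitted, so the result is an exception report
    an auditor can review directly."""
    report = {}
    for user, roles in user_roles.items():
        ents = effective_entitlements(roles)
        hits = [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= ents]
        if hits:
            report[user] = sorted(hits)
    return report


# Constructed sample access list, as an IAM or ERP export might supply it.
SAMPLE_USER_ROLES = {
    "alice": ["AP_VENDOR_MAINTAIN", "GL_READ_ONLY"],
    "bob": ["AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"],
    "carol": ["AP_VENDOR_MAINTAIN", "AP_PAYMENT_RELEASE"],
}

if __name__ == "__main__":
    for user, pairs in sod_violations(SAMPLE_USER_ROLES).items():
        print(f"{user}: {pairs}")
```

Only bob and carol appear in the report; alice's vendor-maintenance and read-only ledger roles do not combine into any conflicting pair.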