
[USA] The SOX segregation of duties matrix


By Nicolas Payette

Published: October 23, 2024

The financial scandals at certain American companies in the early 2000s (of which Enron is the best known) prompted the United States to reform the accounting rules for publicly traded companies in order to protect investors. The resulting 2002 law, passed by the US Congress and known as the Sarbanes-Oxley (or SOX) Act, imposes new financial standards on companies with the aim of making financial reporting more reliable. One of these is the SOX matrix.
We'll talk about the SOX matrix in a moment, but first let me answer a question from one of our readers.

Needless to say, I appreciate all feedback, including a recent comment on my article, Segregation of Duties and its Role in Sarbanes-Oxley Compliance Issues:

Hankewicz mentioned Section 404 in his article "Segregation of duties and its role in Sarbanes-Oxley compliance issues". He stated that "this section (404) is a comprehensive list of accepted internal controls that companies must have in place to be considered SOX compliant. The list targets the application's internal controls and highlights areas where fraudulent reporting is likely to occur." We would LOVE this to be an "exhaustive list". In fact, the adequacy of controls is subject to individual interpretation. THERE IS NO "key guidance in this section [for] segregation of duties".

I believe that the introduction of SOX and Section 404 (Internal Control Assessment) was an attempt to restore investor confidence in listed organizations following high-profile incidents of fraudulent reporting. Section 404 stipulates that an internal control report must include financial reports for all listed organizations. I agree that Section 404 leaves a lot of room for individual interpretation by stating, in rather general terms, that company management is responsible for establishing an "adequate internal control structure" and that all auditors must be able to attest to the organization's level of "internal control".

Clearly, Section 404 was the most difficult part of SOX to deal with. However, the Public Company Accounting Oversight Board (PCAOB) has attempted to demystify the more ambiguous elements of the section. To this end, in 2004 the PCAOB issued its Auditing Standard No. 2 and, in 2007, its AS 5 guidance report.

These guidance reports were modeled on the standards established by the long-established Committee of Sponsoring Organizations of the Treadway Commission (COSO, since 1965).

Key provisions include:

  1. identifying the key elements of financial reporting
  2. identifying the risks related to material financial reporting items in those accounts or disclosures
  3. determining which transaction-level controls will address these risks in the absence of controls at the appropriate level of precision
  4. determining which transaction-level controls would address these risks in the absence of precise entity-level controls
  5. determining the nature, extent and timing of the evidence gathered to complete the assessment of internal controls.

Further information can be found on the COSO and PCAOB websites.

The SOX segregation of duties matrix

A fundamental element of internal control is the segregation of certain key tasks. The basic idea behind segregation of duties is that no single employee or group should be in a position to commit systemic errors or fraud in the normal course of business. In general, the main incompatible tasks that need to be segregated are:

  • custody of assets
  • authorization or approval of related transactions affecting these assets
  • recording or reporting related transactions
  • execution of the transaction(s)

An essential feature of segregation of duties/responsibilities within an organization is that no single employee or group of employees of a U.S. company has unlimited control over any transaction or group of transactions.

Based on the above criteria, I have constructed a matrix to highlight the tasks performed by an individual or group of individuals that could lead to inappropriate segregation of duties.

The matrix is divided into three parts:

  1. Accounting and inventory control
  2. Expense and financial control
  3. Organization and IT infrastructure

Each tab contains four main areas:

  • From left to right, each section lists a set of activities, for a total of 98 activities in the three tabs.
  • The column on the far left lists the individual roles for the people who generally perform the activity criteria.
  • I've checked the cells where the roles align with the activities - this makes it easy for you to identify potential areas of conflict.
  • At the bottom of each tab, I summarized the total number of overlapping responsibilities and assigned a risk factor:

  • High: 0-4 overlapping responsibilities
  • Medium: 5-9 overlapping responsibilities
  • Low: more than 9 overlapping responsibilities

The risk factors are based on generally accepted accounting principles, as well as the SOX principles of Section 404. They are designed as a guideline for assessing organizations and highlighting areas requiring further adjustment.

The more people who review an activity, the lower your organization's risk of fraudulent activity. I've created a section (dark blue) where you can rate your own organization.
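The matrix logic described above (a role-by-activity grid, a per-activity count of checked cells, and the High/Medium/Low bands) is easy to automate, which is how identity-governance tooling typically runs segregation-of-duties checks. The following Python script is an added example, not code from the article or its author: the activities, their duty categories and the role matrix are constructed sample data, and the conflict rule (a role whose checked activities span two or more of the four incompatible duty categories within the same business process) is my mechanical reading of the article's principle that no single role should control a whole transaction.

```python
"""Segregation-of-duties (SoD) checks modelled on the SOX matrix described in the article.

Added example with constructed sample data; the risk bands are the article's,
the activities, roles and the same-process conflict rule are assumptions.
"""
from collections import defaultdict

# The four incompatible duty categories the article says must be kept apart.
CUSTODY, AUTHORIZE, RECORD, EXECUTE = "custody", "authorization", "recording", "execution"

# Risk bands from the article: the count is the number of roles whose cell is
# checked for an activity; fewer people reviewing an activity means higher risk.
RISK_BANDS = (("High", 0, 4), ("Medium", 5, 9))  # more than 9 is "Low"


def risk_factor(overlap_count: int) -> str:
    """Map a per-activity overlap count onto the article's High/Medium/Low bands."""
    if overlap_count < 0:
        raise ValueError("overlap count cannot be negative")
    for label, low, high in RISK_BANDS:
        if low <= overlap_count <= high:
            return label
    return "Low"


# Constructed sample activities (assumption): name -> (duty category, business process).
ACTIVITIES = {
    "Receive customer cash": (CUSTODY, "cash"),
    "Approve cash disbursement": (AUTHORIZE, "cash"),
    "Post cash journal entries": (RECORD, "cash"),
    "Release vendor payment": (EXECUTE, "cash"),
    "Count physical inventory": (CUSTODY, "inventory"),
    "Approve inventory adjustment": (AUTHORIZE, "inventory"),
    "Post inventory adjustment": (RECORD, "inventory"),
}

# Constructed role x activity matrix (assumption): a checked cell is an activity in the set.
MATRIX = {
    "Cashier": {"Receive customer cash", "Post cash journal entries"},
    "AP clerk": {"Release vendor payment"},
    "Treasury analyst": {"Release vendor payment"},
    "Controller": {"Approve cash disbursement", "Approve inventory adjustment"},
    "Warehouse manager": {"Count physical inventory", "Post inventory adjustment"},
    "Staff accountant": {"Post cash journal entries", "Post inventory adjustment"},
}


def overlap_counts(matrix: dict, activities: dict) -> dict:
    """Per activity, the number of roles with the cell checked (the bottom-of-tab total)."""
    counts = {name: 0 for name in activities}
    for role, checked in matrix.items():
        for activity in checked:
            if activity not in counts:
                raise KeyError(f"role {role!r} references unknown activity {activity!r}")
            counts[activity] += 1
    return counts


def activity_risk(matrix: dict, activities: dict) -> dict:
    """Per activity, the article's risk factor derived from its overlap count."""
    return {name: risk_factor(n) for name, n in overlap_counts(matrix, activities).items()}


def sod_conflicts(matrix: dict, activities: dict) -> dict:
    """Roles holding two or more incompatible duty categories within one process.

    Returns {(role, process): sorted list of duty categories held}. Treating the
    business process as the unit of comparison is an assumption of this example.
    """
    conflicts = {}
    for role, checked in matrix.items():
        categories_by_process = defaultdict(set)
        for activity in checked:
            category, process = activities[activity]
            categories_by_process[process].add(category)
        for process, categories in categories_by_process.items():
            if len(categories) > 1:
                conflicts[(role, process)] = sorted(categories)
    return conflicts


if __name__ == "__main__":
    for name, risk in activity_risk(MATRIX, ACTIVITIES).items():
        print(f"{name:32s} overlap={overlap_counts(MATRIX, ACTIVITIES)[name]} risk={risk}")
    for (role, process), categories in sod_conflicts(MATRIX, ACTIVITIES).items():
        print(f"SoD conflict: {role} holds {' + '.join(categories)} in the {process} process")
```

On this small constructed matrix every activity lands in the High band, which is the normal result for a small finance team and is exactly the signal the article's scoring is meant to surface: the conflict report then shows where adding a second role (a reviewer or approver) would break up custody-plus-recording combinations.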

The aim is to ensure that sufficient segregation of duties is in place and that there are several checks and balances to minimize the risk of fraud.

Article translated from French