Impact on Business Process Documentation
SOX mandated areas
The following sections describe the areas of SOX-mandated input on the
deliverables that a typical finance process may need to satisfy. Whilst
this document is primarily concerned with guidance to the process and
owner template, not all of what is described here will be relevant to
this deliverable; it is included because it describes the overall context
and may be relevant elsewhere.
It should also be noted that, given the evolving and interpretive nature
of SOX, many of these assertions are taken as a best guess.
SOX and Risk
SOX has moved from the mandated checklist suggested by COBIT towards a
risk-based approach. Different organisations have categorised the key
risks differently, but the following are industry-standard key risks that
must be mitigated or prevented. Financial reporting risk for business
processes at the transaction level is classified into five categories:
Segregation of Duties: The risk that individual(s) within a process that
impacts financial reporting are performing incompatible duties.

Authorisation: The risk that transactions within a process that impacts
financial reporting are not executed in accordance with management's
general or specific authorisation.

Access to Assets (physical and logical security): The risk that there is
unauthorised access to, or use of, assets/records.

Asset Accountability: The risk that recorded and actual assets are not
compared at reasonable intervals and/or appropriate action with respect to
differences is not taken.

Recording: The risk that transactions within processes which impact
financial reporting are not all recorded, real, properly valued, recorded
timely, properly classified, summarised correctly, and/or posted
correctly.

Change Management: The risk that changes, either in software or to
transactions (for example adjustments), are not managed so as to identify
or prevent potential material loss or fraud.
SOX Impact on Process and Owner Deliverable
These considerations are directly relevant to
this deliverable.
These risks must appear in the ownership document, as the owner is
agreeing to their adoption and is accountable for these controls in their
areas. At the process and ownership level it is enough simply to identify
(i.e. name) these controls; they will be designed as part of the process
designs.
For each sub-process it must be assessed which of the above risk areas are
relevant; each relevant risk must then be either mitigated or prevented by
the (sub-)process through a named control.
SOX Impact on Process Design Deliverable
These considerations are directly relevant to
this deliverable.
The detailed assignment and segregation of responsibility, the activity
within each of the procedure's steps, and the handover and delivery
between different participants must be written in direct response to the
above.
If there is a constraining reason why these categories cannot be
satisfied within a procedure, exception scenarios must be written to
mitigate the risk category.
For example, if segregation of duties is not possible due to team size,
an exception scenario to mitigate this (e.g. enhanced recording of
activity) will be required.


© 2002-2007 Codel Services Ltd
This paper has been prepared
by Codel Services Ltd to illustrate how structured business
modelling can help your organisation. Codel Services Ltd is an IT
Consultancy specialising in business modelling. If you would like further
information, please contact us at: Deryck Brailsford, Codel Services Ltd,
Dale Hill Cottage, Kirby-Le-Soken, Essex CO13 0EN, United Kingdom.
Telephone: +44 (0)1255 862354 / Mobile: +44 (0)7710 435227 / e-mail: info@codel-services.com