[USA] The SOX segregation of duties matrix
The financial scandals involving a number of American companies in the early 2000s (Enron being the best known) prompted the United States to reform the accounting of companies listed on the stock exchange in order to protect investors. The resulting 2002 law, passed by the US Congress and known as the Sarbanes-Oxley Act (or SOX), imposes new financial standards on companies with a view to improving the reliability of financial information. One of these standards is the SOX matrix.
We'll talk about the SOX matrix in a moment, but first let me answer a question from one of our readers.
Needless to say, I appreciate all feedback, including a recent comment on my article, Segregation of Duties and its Role in Sarbanes-Oxley Compliance Issues:
Hankewicz referred to Section 404 in his article "Segregation of Duties and its Role in Sarbanes-Oxley Compliance Issues". He stated that "this section (404) is a comprehensive list of accepted internal controls that companies must have in place to be considered SOX compliant. The list targets internal controls within the application and highlights areas where fraudulent reporting is likely to occur." We would LOVE this to be an "exhaustive list". In fact, the adequacy of controls is subject to individual interpretation. THERE IS NO "key guidance in this section [for] segregation of duties".
I believe that the introduction of SOX and Section 404 (Internal Control Assessment) was an attempt to restore investor confidence in listed organisations following high-profile incidents of fraudulent reporting activity. Section 404 requires the annual financial reports of all listed organisations to include an internal control report. I agree that Section 404 leaves a lot of room for individual interpretation by stating in rather general terms that the management of the company is responsible for putting in place an "adequate internal control structure" and that all auditors must be able to attest to the level of "internal control" in the organisation.
Clearly, Section 404 was the most difficult part of SOX to deal with. However, the Public Company Accounting Oversight Board (PCAOB) has attempted to demystify the more ambiguous elements of the section. In 2004, the PCAOB issued its Auditing Standard No. 2 (AS 2) and, in 2007, its Auditing Standard No. 5 (AS 5) guidance report.
These guidance reports were modelled on the standards established by the long-established Committee of Sponsoring Organizations of the Treadway Commission (COSO), which has existed since 1965.
The main provisions include:
- identifying the key elements of the financial report
- identifying the risks associated with the significant elements of financial reporting in those accounts or disclosures
- identifying the entity-level controls that address those risks at the appropriate level of precision
- determining the transaction-level controls that would address those risks in the absence of specific entity-level controls
- determining the nature, extent and timing of the evidence gathered to complete the assessment of internal controls
Further information can be found on the COSO and PCAOB websites.
The SOX segregation of duties matrix
A fundamental element of internal control is the segregation of certain key tasks. The basic idea behind segregation of duties is that no single employee or group should be in a position to commit systemic errors or fraud in the normal course of business. In general, the main incompatible tasks that need to be segregated are:
- custody of assets
- authorising or approving related transactions affecting those assets
- recording or reporting related transactions
- execution of the transaction(s)
An essential feature of segregation of duties/responsibilities within an organisation is that no single employee or group of employees of a US company has unlimited control over any transaction or group of transactions.
Based on the above criteria, I have constructed a matrix to highlight the tasks performed by an individual or group of individuals that could lead to inappropriate segregation of duties.
The matrix is divided into three parts:
- Accounting and stock control
- Expenditure and financial control
- Organisation and IT infrastructure
Each tab has four main areas:
- From left to right, each section lists a set of activities, for a total of 98 activities in the three tabs.
- The column on the far left lists the individual roles of the people who typically perform each activity
- I've checked the cells where the roles align with the activities - this allows you to easily identify potential areas of conflict.
- At the bottom of each tab, I've summarised the total number of overlapping responsibilities and assigned a risk factor:
  - High: 0-4 overlapping responsibilities
  - Medium: 5-9 overlapping responsibilities
  - Low: more than 9 overlapping responsibilities
The risk factors are based on generally accepted accounting principles, as well as the SOX principles of Section 404. They are designed as a guideline for assessing organisations and highlighting areas that require further adjustment.
The more people involved in an activity, the lower the risk of fraudulent activity to your organisation. I've created a section (dark blue) where you can rate your own organisation.
The aim is to ensure that sufficient segregation of duties is in place and that there are a number of checks and balances to minimise the risk of fraud.
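As an added illustration (not part of the original article or its workbook), the following Python script encodes a miniature version of the matrix described above: roles are the rows, activities are the columns, and the "checked cells" are the activities each role performs. It applies two checks: first, it flags any role that holds activities from two or more of the four incompatible duty categories (custody, authorisation, recording, execution) for the same business process, which is the segregation-of-duties conflict the article is concerned with; second, it counts how many roles overlap on each activity and applies the article's High (0-4), Medium (5-9) and Low (more than 9) risk thresholds. The roles, activities and process names are constructed sample data, and scoping conflicts per process is an assumption of this example rather than something the article specifies.

```python
"""Miniature SOX segregation-of-duties matrix (constructed example).

Roles, activities and processes below are invented sample data; the
article's own workbook has 98 activities across three tabs.
"""
from collections import defaultdict

# The four incompatible duty categories named in the article.
CATEGORIES = ("custody", "authorisation", "recording", "execution")

# Constructed sample activities: name -> (duty category, business process).
ACTIVITIES = {
    "receive_cash":        ("custody",       "cash"),
    "approve_cash_payout": ("authorisation", "cash"),
    "post_cash_journal":   ("recording",     "cash"),
    "disburse_cash":       ("execution",     "cash"),
    "count_inventory":     ("custody",       "inventory"),
    "approve_write_off":   ("authorisation", "inventory"),
    "record_inventory":    ("recording",     "inventory"),
}

# Constructed sample matrix: role -> activities that role performs
# (the "checked cells" of the matrix).
MATRIX = {
    "cashier":         {"receive_cash", "disburse_cash"},
    "ap_manager":      {"approve_cash_payout"},
    "gl_accountant":   {"post_cash_journal", "record_inventory"},
    "warehouse_clerk": {"count_inventory"},
    "ops_director":    {"approve_write_off", "count_inventory", "record_inventory"},
}


def role_conflicts(matrix, activities):
    """Flag roles that hold two or more incompatible duty categories for the
    same process. Returns {role: {process: {categories}}} containing only the
    role/process pairs that conflict (assumption: conflicts are scoped per
    process, so recording cash and recording inventory do not conflict)."""
    conflicts = {}
    for role, acts in matrix.items():
        by_process = defaultdict(set)
        for act in acts:
            category, process = activities[act]  # KeyError on an unknown cell
            by_process[process].add(category)
        bad = {p: cats for p, cats in by_process.items() if len(cats) >= 2}
        if bad:
            conflicts[role] = bad
    return conflicts


def risk_factor(overlap_count):
    """The article's thresholds: the more roles that overlap on an activity,
    the lower the risk of a single person committing fraud unnoticed."""
    if overlap_count <= 4:
        return "High"
    if overlap_count <= 9:
        return "Medium"
    return "Low"


def activity_risk(matrix, activities):
    """For every activity (including ones no role performs), count the roles
    that perform it and attach the risk factor: {activity: (count, rating)}."""
    counts = {act: 0 for act in activities}
    for acts in matrix.values():
        for act in acts:
            counts[act] += 1
    return {act: (n, risk_factor(n)) for act, n in counts.items()}


if __name__ == "__main__":
    print("Segregation-of-duties conflicts:")
    for role, procs in role_conflicts(MATRIX, ACTIVITIES).items():
        for process, cats in procs.items():
            print(f"  {role}: {process} -> {', '.join(sorted(cats))}")
    print("Per-activity overlap and risk factor:")
    for act, (n, rating) in sorted(activity_risk(MATRIX, ACTIVITIES).items()):
        print(f"  {act:<20} roles={n}  risk={rating}")
```

In the sample data the cashier both holds and disburses cash (custody plus execution) and the operations director approves inventory write-offs while also counting and recording inventory, so both roles are reported; the general-ledger accountant records two different processes but only ever records, so it is not. Every activity in this tiny matrix is rated High because at most two roles touch it, which is exactly the signal the bottom-of-tab summary is meant to give.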