The initial impact caused hundreds of additional hours spent conducting external audits and significant controls and technical remediation to increase confidence in the accuracy of information generation from systems used to facilitate the controls in place. This naturally added time and labor, which resulted in clients being charged with additional fees. The coming scrutiny of the Segregation of Duties controls will generate disruption on a similarly large, costly scale.
Why? Because as management continues to automate business processes through transformation and technology enablement, the importance of Segregation of Duties controls and audit firms’ reliance on them will only continue to increase. This technology enablement will naturally expose intricate complexities within business processes, including expanding critical functions to systems outside of the primary ERP.
These cross-platform functions will create difficulties for management and auditors alike as they seek to ensure all appropriate Segregation of Duties have been maintained – something audit firms have struggled with for years, but soon will not be able to ignore. We speculate that these Cross-ERP and Segregation of Duties concerns will eventually mirror those of Key Reports.
The adoption of Auditing Standard No. 5 in 2007 established a top-down, risk-based approach to the audit of internal controls. Over the next three years, the PCAOB monitored its implementation and observed a significant number of deficiencies in audits of internal controls.
In their general inspection report, it was noted:
As a result of these findings, the PCAOB indicated that auditors and management needed to do more to increase confidence in the completeness and accuracy of the data used. Many companies lacked firm stances from management, and working with vague guidance from the PCAOB, subsequently experienced an increase in external audit fees, as well as hours allocated to achieving SOX compliance.
A 2015 report found that audit fees for 2,169 companies grew from $3.7 billion in 2002 to $9.2 billion in 2015 - a $5.5 billion increase. Additionally, a 2016 Protiviti survey observed the majority of public companies experienced a substantial increase in internal hours devoted to SOX compliance.
In our experience, companies that were able to avoid disruption, unnecessary expense and audit complications were those whose management anticipated the shifting landscape and evaluated their internal controls objectively, implementing solutions to improve their control environment and fortify their posture. Similar to the Key Report Crisis, we believe management that evaluates their internal controls environment critically will be able to circumvent disruption caused when the PCAOB uncovers inadequate practices.
So, how can companies prepare? First, we first must better understand Segregation of Duties.
Sensitive Access and Segregation of Duties (SoD) are two crucial controls necessary for reducing systematic failures including processing errors, fraud, inaccurate reporting, and non-compliance.
Sensitive access, also known as restricted access, is a function that permits users to perform a function that is high-risk in nature (Manual Journal Entry, User Creation, etc.). SoD, on the other hand, is a set of two functions that, when performed by an individual, create the risk of material error, or fraud (Create a Vendor and Pay a Vendor).
The risk associated with Segregation of Duties depends greatly on the makeup of your control environment, your system landscape, and how you currently obtain comfort over your Segregation of Duties controls.
Some common illustrative use cases can help us understand the combination of factors that impact your overall profile. For example, the following environments all leverage multiple platforms to support key business processes (think SAP and Salesforce, or High Radius) and the organization relies on systematic access control.
High Risk Environment:
Average Environment:
Leading Practice Environment:
As the IT landscape continues to pivot in the direction of technology enablement and transformation, Segregation of Duties controls will continue to increase in quantity and urgency. We expect manual solutions will become more time intensive, and native solutions will continue to be complex in their installation and maintenance. We also anticipate centralized reporting and monitoring will be key for management to maintain comfort levels and minimize efforts when it comes to internal testing and monitoring.
Companies and management that wish to prepare as much as possible should seek to do the following:
Have questions about the changing SoD and Sensitive Access landscapes? Our consultants can help you optimize your processes and minimize the burden of compliance. Get in touch with us below.
Subscribe to our newsletter and get the latest cybersecurity insights, updates, and event invitations delivered straight to your inbox. Join our community and empower your security journey with RISCPoint's expert knowledge.
Join our newsletter for updates. Terms.
Get ready to harmonize your cybersecurity goals with our team of industry-leading consultants.
