SOX Segregation of Duties Matrix

I'll get to the downloadable SOX segregation of duties matrix in a moment, but first let me address a question from one of our readers.

Needless to say, I appreciate all feedback, including one recent comment regarding my article Segregation of Duties and Its Role in Sarbanes-Oxley Compliance Issues:
Mr. Hankewicz misstates Section 404 in his article "Segregation of Duties and Its Role in Sarbanes-Oxley Compliance Issues." He says "this section (404) is a comprehensive list of accepted internal controls organizations must have in place to be deemed SOX-compliant. The list targets application internal controls and highlights areas where fraudulent reporting is likely to occur." We WISH it was a "comprehensive list." In fact, the adequacy of controls is all subject to individual interpretation. It DOES NOT have "key provisions in this section [for] segregation of duties." This is all interpretation being made but presented as fact!

I believe the introduction of SOX, and section 404 (Assessment of internal control) in particular, was an attempt to restore investor confidence in publicly traded organizations in the aftermath of some well-publicized incidents of fraudulent financial reporting. Section 404 requires that an internal control report be included in the annual financial reports of all publicly traded organizations. I concur that section 404 leaves much room for individual interpretation: it states in rather broad terms that company management is responsible for establishing and maintaining an "adequate internal control structure" and for assessing its effectiveness, and that the company's external auditor must attest to management's assessment of that internal control.

Clearly, section 404 has been the most difficult part of SOX to manage. However, the Public Company Accounting Oversight Board (PCAOB) has made a few attempts to demystify the more ambiguous elements of the section. In 2004 the PCAOB released Auditing Standard No. 2, and in 2007 it replaced that standard with the more risk-focused Auditing Standard No. 5 (AS 5).

These standards were modeled on the internal control framework of the long-established (since 1985) Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Among the key provisions:
1. identifying significant financial reporting elements
2. identifying material financial reporting risks within these accounts or disclosures
3. determining which entity-level controls would address these risks with sufficient precision
4. determining which transaction level controls would address these risks in the absence of precise entity-level controls
5. determining the nature, extent, and timing of evidence gathered to complete the assessment of in-scope controls
You can find further information on the COSO and PCAOB web sites.

SOX Segregation of Duties Matrix

Download your SOX segregation of duties matrix here. Here's how it works:

A fundamental element of internal control is the segregation of certain key duties. The basic idea is that no employee or group should be in a position both to commit and to conceal errors or fraud in the normal course of their duties. In general, the principal incompatible duties to be segregated are

  • custody of assets

  • authorization or approval of related transactions affecting those assets

  • recording or reporting of related transactions

  • execution of the transaction or transaction activity

An essential feature of segregation of duties/responsibilities within an organization is that no employee or group of employees has unrestricted control over any transaction or group of transactions.

Based on the above criteria, I've constructed a matrix that highlights combinations of duties which, if performed by one individual or group of individuals, could lead to improper segregation of duties.

The matrix is divided into three areas:
1. accounting and inventory controls
2. expenditure and financial controls
3. organization and IT infrastructure

Each tab has four key areas:

a) Across the top of each section, from left to right, is a set of activities; there are 98 activities in total across the three tabs.
b) The column on the far left lists the roles that typically perform those activities.
c) I've checked off the cells where a role performs an activity. Reading across a row shows every activity a single role holds, which makes it easy to spot potential areas of conflict.
d) At the bottom of each tab I've summarized the total number of overlapping responsibilities (checked cells) and assigned a risk factor:

High: 0- 4 overlapping responsibilities
Medium: 5-9 overlapping responsibilities
Low: more than 9 overlapping responsibilities

The risk factors are based on generally accepted internal control practice and the intent of SOX section 404. They are meant as a guideline for rating an organization and for highlighting areas that need further refinement. The count is a screening measure: a single role that holds two incompatible duties over the same asset (for example, custody and recording of cash) is a conflict regardless of how many other roles also touch the activity.

The more independent individuals who review an activity, the lower your organization's risk of fraudulent activity going undetected. I've created a section (shaded blue) where you can evaluate your own organization.
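As an added example (not the spreadsheet from the post), here is the same scoring in Python: a constructed role-by-activity matrix, the tab-level count of checked cells rated with the High/Medium/Low thresholds above, plus two checks the count alone does not give you, namely activities nobody is assigned to and roles that hold two of the four incompatible duties (custody, authorization, recording, execution) over the same asset. The roles, activity names, asset labels and duty categories are assumptions made up for the example.

```python
"""Segregation-of-duties checks over a role x activity matrix.

Added example, not the spreadsheet from the post. The layout (roles down the
side, activities across the top, a check where a role performs an activity)
and the High/Medium/Low thresholds follow the post. The asset and duty
category attached to each activity, and the role-level conflict check built
on them, are assumptions added here.
"""
from collections import defaultdict
from itertools import combinations

# The four incompatible duties listed in the post.
CUSTODY, AUTHORIZE, RECORD, EXECUTE = "custody", "authorize", "record", "execute"

# Constructed sample: activity -> (asset it touches, duty category).
ACTIVITIES = {
    "Receive customer cash":        ("cash", CUSTODY),
    "Approve cash disbursement":    ("cash", AUTHORIZE),
    "Post cash receipts journal":   ("cash", RECORD),
    "Prepare bank reconciliation":  ("cash", RECORD),
    "Count physical inventory":     ("inventory", CUSTODY),
    "Approve inventory write-off":  ("inventory", AUTHORIZE),
    "Update perpetual inventory":   ("inventory", RECORD),
    "Maintain vendor master file":  ("payables", RECORD),
    "Enter vendor invoice":         ("payables", EXECUTE),
    "Approve vendor payment":       ("payables", AUTHORIZE),
    "Release payment run":          ("payables", EXECUTE),
    "Approve new customer credit":  ("receivables", AUTHORIZE),
}

# Constructed sample matrix: role -> activities whose cell is checked.
MATRIX = {
    "Cashier":        {"Receive customer cash", "Post cash receipts journal"},
    "AP Clerk":       {"Enter vendor invoice", "Maintain vendor master file"},
    "Controller":     {"Approve cash disbursement", "Approve vendor payment",
                       "Prepare bank reconciliation", "Approve inventory write-off"},
    "Treasurer":      {"Release payment run", "Approve cash disbursement"},
    "Warehouse Lead": {"Count physical inventory", "Update perpetual inventory"},
    "Internal Audit": {"Prepare bank reconciliation", "Count physical inventory"},
}


def overlap_total(matrix):
    """Number of checked cells on the tab (the post's 'overlapping responsibilities')."""
    return sum(len(acts) for acts in matrix.values())


def risk_factor(total):
    """Risk factor from the post's thresholds: more reviewers means lower risk."""
    if total <= 4:
        return "High"
    if total <= 9:
        return "Medium"
    return "Low"


def roles_per_activity(matrix, activities):
    """How many roles are checked against each activity (0 means nobody owns it)."""
    counts = {act: 0 for act in activities}
    for acts in matrix.values():
        for act in acts:
            counts[act] = counts.get(act, 0) + 1
    return counts


def uncovered_activities(matrix, activities):
    """Activities with no role assigned: no one is accountable for the control."""
    return sorted(a for a, n in roles_per_activity(matrix, activities).items() if n == 0)


def role_conflicts(matrix, activities):
    """Roles holding two different incompatible duties over the same asset.

    This is the check the count alone cannot make: a tab can score 'Low'
    while one role still both handles and records the same asset.
    Returns (role, asset, duty_a, activity_a, duty_b, activity_b) tuples.
    """
    conflicts = []
    for role, acts in matrix.items():
        by_asset = defaultdict(dict)  # asset -> {duty: first activity seen}
        for act in acts:
            asset, duty = activities[act]
            by_asset[asset].setdefault(duty, act)
        for asset, duties in by_asset.items():
            for (d1, a1), (d2, a2) in combinations(sorted(duties.items()), 2):
                conflicts.append((role, asset, d1, a1, d2, a2))
    return conflicts


if __name__ == "__main__":
    total = overlap_total(MATRIX)
    print(f"Checked cells: {total} -> risk factor {risk_factor(total)}")
    for act in uncovered_activities(MATRIX, ACTIVITIES):
        print(f"Nobody assigned: {act}")
    for role, asset, d1, a1, d2, a2 in role_conflicts(MATRIX, ACTIVITIES):
        print(f"CONFLICT {role}: {d1} ({a1}) and {d2} ({a2}) on {asset}")
```

On this constructed tab the 14 checked cells score "Low" by the thresholds, yet four roles each hold an incompatible pair (the cashier both receives and records cash, the warehouse lead both counts and records inventory, and so on), which is why the row-by-row conflict check belongs beside the count.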

The goal is to ensure that sufficient segregation of duties is in place and that there are multiple checks and balances to minimize the risk of fraud.

Download your SOX segregation of duties matrix here.