Profile picture for user maek

I stumbled on this post on the SOX (Sarbanes-Oxley) life blog about implementing controls and Segregation of Duty (SoD). Although the post is quite old (19.05.2007), I felt it contained important points that I wanted to report on. First of all, the post gives another argument for the need for controls (for me, the need for policies can be justified in a similar way). The author reports on his experience with controls and SoD.

He observes two problems in companies:

  • An employee with too many responsibilities can be tempted to lower the quality of his work, either by committing fraud in carrying out his tasks because of improper supervision, or by simply not being ready to deliver the performance that is expected of him. Not being able to discover and control these discrepancies is certainly a big leak in a company's internal procedures. This point relates to SoD controls.
  • The second problem according to [1] is that there is an inherent risk in companies: continuously forgetting about the most important things to do and concentrating on the most urgent things to do. He draws a parallel between our own lives and companies. We tend to give a higher priority to urgent tasks that have to be done and neglect what is really important, although we know that it is. Example: I know that it is important to control the quality of an application that is being developed in India by providing and testing adequate test data. The problem is that, at the same time, I have to deliver reports to management about project planning and expenses for development projects for the region. I will eventually forget about the first task and accept the delivered product because I have no time to test it. The same thing happens to companies when it comes to designing internal controls.

The author in [1] gives a simple tip to follow when designing SoD controls. For each risk-related task or activity, ask the question: "If I make an error in my work, will someone downstream of me detect it before it becomes a major issue for management and shareholders to read about?" ([1]). I like this formulation because it uncovers the underlying view of tasks as processes. Business processes are actually the place where you should start looking for the controls to define. They give you the necessary overview, perspective and documentation of your real activities.

These are two points coming from the reality of the business. Although most companies starting to struggle with compliance management do so because of the legal pressure applied on them, taking such concerns into account will eventually find its place once companies understand the value they get out of internal controls, because these allow them to actively manage risks and avoid unexpected failures of business processes.

[1] Explaining Segregation of Duties. SOX Life Blog Post: http://www.insidesarbanesoxley.com/soxlife/2007/05/explaining-segregation-of-duties.asp

Read more about compliance management with ARIS: www.aris.com/compliance
