Digitizing actual SoD violation detection; The role of technology in compliance

“32% of issues contributing to material weaknesses are attributed to SoD” (Source: KPMG)

This article is aimed at all the experienced finance professionals out there who have already understood that adopting digitization is not “nice to have” but a “must have” when compliance is in question.

In 2002, the Sarbanes-Oxley Act (SOX) was passed by the US Congress and officially made into a federal law. The regulation is quite extensive, containing eleven titles that add new requirements for companies and accounting firms. Sections 303 and 404 are the ones most pertinent to this discussion, as they require senior management to take legal responsibility over the accuracy of financial statements (303) and the establishment, testing and reporting on the adequacy of an organization’s internal controls (404). 

Among the incorporated requirements is SoD (Segregation of Duties), which basically boils down to a requirement to have more than one person involved in the completion of a task. The point of setting up SoD is the establishment of checks and balances for all processes and activities that can have a significant financial impact on an organization. 

The Current State of SOD Analysis

To prevent these issues in an ideal world, we would segregate responsibilities and duties appropriately so that we in fact have an effective system of checks and balances. However, we don’t live in an ideal world, and we sometimes have good reasons for allocating consolidated tasks to an individual, especially in smaller companies or organizational units where resources are limited.

In larger organizations, auditors are challenged to stay on top of the different transactional duties carried out across the organization. In some cases, enterprises boast multiple locations across the world with each potentially carrying out thousands of transactions daily. That’s quite a tall order when it comes to monitoring and ensuring that processes are carried out exactly as they’re supposed to.

In smaller companies that have just gone public, the challenge is different. Setting controls to manage and detect SoD is not required until a company IPOs but needs to be set in place when the company reaches the point of SOX Compliance requirements. 

Setting this control and new procedures takes time and resources, something that smaller companies usually do not have.

Luckily for us, the latest technologies deliver the ability to track actual violations of the same person performing multiple steps in a specific process flow. Actual SoD violations analysis is a powerful tool that enables organizations to identify and mitigate SoD violations across multiple platforms so that they’re protected from potential fraud and other SOX violations. 

The Professional Approach to Ad-Hoc SOD Analysis

Datricks advanced SOD analysis implements a best-practice approach to name violations according to international standards, with more than 200 known violations built into its system, specifically tailored to the needs of internal accounting and finance teams. Auditors and controllers can create ad-hoc queries about specific
incidents, business processes, org. units and users receive insights into actual actions and investigate processes even if they weren’t predefined as SOD violations. Queries are flexible and can be tailored to the specific process under investigation. 

Technology based ad-hoc SOD violation analysis benefits:

• Discover what userד are really doing with authorizations and optimize accordingly.
• Quantify potential risk of actual violations to enable effective mitigation in accordance with real priority of risks.
• Highlight actual company policy that differs from standard best practices by creating ad-hoc queries.
• Simulate new SoD rules with ad-hoc analysis that is tailored to real business processes.
• Leverage Artificial Intelligence and Machine Learning to discover patterns hidden within the data and understand the root cause of actual SOD violations.
• Automate insights into action – Customize rules that will automatically block instances discovered as actual SoD violations

Now let’s look at an example of an ad-hoc actual SOD violation analysis. Through the use of Datricks intuitive flow filters, users can ask complex business process related questions in a simple, user-friendly way.

As an example, we’ll define an ad hoc SOD scenario that shows an auditor, all the cases related to purchase orders. In this scenario, one individual user created both the purchase order (PO) and the invoice receipt (IR) for the same order line, using the same accounting system.

First, we’ll define those steps in the flow filter, when the same user performs more than one step.

 

Now we’ll add a condition of a two-day time difference between each activity and only receive cases that conform to that condition.

 

Next, we’ll see an overview of the process.

Using Datricks Machine-Learning model, we’re able to visualize the most significant attributes of our population.

 

Forensic data per each individual transaction allows us to easily drill-down into the full details of the violation.

 

Last but not least, we can create an alert that automatically will notify us, in real-time, whenever this scenario happens, and we can also create a rule to block such case from continuing to payment, enabling a continuous ongoing control without the need to change existing system customization or requiring any technical expertise. 

Summary

Across the world, large organizations are challenged to continuously track and monitor financial transactions that take place across all of their locations. SOX mandates strict internal controls that ensure stringent SOD to protect organizations against fraud and to prevent them from releasing inaccurate financial reports.

To ensure that they remain in compliance with these regulations, organizations need a robust technological solution that empowers ongoing analysis to prevent actual SOD violations across the company. The right solution enables ad-hoc queries of financial processes taking place across the enterprise and goes even beyond simple access controls, to look into the actual business practices being carried out by individuals within the organization.