Third Party Reporting
Cross Platform Segregation of Duties: The Next Key Report Crisis
February 2, 2021 • Jacob Nix
When the PCAOB’s Staff Audit Practice Alert No. 11 was released in 2013, it disrupted the entire audit industry, reverberating throughout public companies and the entire internal controls landscape. While eight years have already passed since Staff Audit Practice Alert No. 11 was introduced, current Segregation of Duties controls are poised to face the same level of scrutiny from the PCAOB in this decade.
The inital impact caused hundreds of additional hours spent conducting external audits and significant controls and technical remediation to increase confidence in the accuracy of information generation from systems used to facilitate the controls in place. This added time and labor resulted in clients being charged with additional fees. The coming scrutiny of the Segregation of Duties controls will generate disruption on a similarly large, costly scale.
Why? Because as management continues to automate business processes through transformation and technology enablement, the importance of Segregation of Duties controls and audit firms’ reliance on them will only continue to increase. This technology enablement will naturally expose intricate complexities within business processes, including expanding critical functions to systems outside of the primary ERP.
These cross-platform functions will create difficulties for management and auditors alike as they seek to ensure all appropriate segregation of duties have been maintained, something audit firms have struggled with for years, but soon will not be able to ignore. We speculate that these Cross-ERP and Segregation of Duties concerns will eventually mirror those of Key Reports.
The Next Key Report Crisis
The adoption of Auditing Standard No. 5 in 2007 established a top-down, risk-based approach to the audit of internal controls. Over the next three years, the PCAOB monitored its implementation and observed a significant number of deficiencies in audits of internal controls.
In their general inspection report, it was noted:
- In 15% of the 309 integrated audit engagements, the audit firm failed to have sufficient appropriate evidence to support the firm’s internal control opinion. 85% of which also failed to have sufficient evidence to support their opinion on the financial statements.
- Among the frequently cited deficiencies was a failure to sufficiently test controls over the system-generated data and reports that support important controls.
As a result of these findings, the PCAOB indicated that auditors and management needed to do more to increase confidence in the completeness and accuracy of the data used. Many companies lacked firm stances from management, and working with vague guidance from the PCAOB, subsequently experienced an increase in external audit fees, as well as hours allocated to achieving SOX compliance.
A 2015 report found that audit fees for 2,169 companies grew from $3.7 billion in 2002 to $9.2 billion in 2015 - a $5.5 billion increase. Additionally, a 2016 Protiviti survey observed the majority of public companies experienced a substantial increase in internal hours devoted to SOX compliance.
In our experience, companies that were able to avoid disruption, unnecessary expense and audit complications were those whose management anticipated the shifting landscape and evaluated their internal controls objectively, implementing solutions to improve their control environment and fortify their posture. Similar to the Key Report Crisis, we believe management which evaluates their internal controls environment critically will be able to circumvent disruption caused when the PCAOB uncovers inadequate practices.
So, how can companies prepare? First, we first must better understand Segregation of Duties.
What is Sensitive Access and Segregation of Duties?
Sensitive Access and Segregation of Duties (SoD) are two crucial controls necessary for reducing systematic failures including processing errors, fraud, inaccurate reporting, and non-compliance.
Sensitive access, also known as restricted access, is a function that permits users to perform a function that is high-risk in nature (Manual Journal Entry, User Creation, etc.). SoD on the other hand is a set of two functions that, when performed by an individual, create the risk of material error, or fraud (Create a Vendor and Pay a Vendor).
Determining your current risk level
The risk associated with Segregation of Duties depends greatly on the make-up of your control environment, your system landscape, and how you currently obtain comfort over your Segregation of Duties controls.
Some common illustrative use cases can help us understand the combination of factors that impact your overall profile. For example, the following environments all leverage multiple platforms to support key business processes (think SAP and Salesforce, or High Radius) and the organization relies on systematic access control
High Risk Environment:
- Access within applications supporting key business process control is not well inventoried and defined
- Cross platform Segregation of Duties is not captured as risk and controls
- Cross platform segregation of Duties is not evaluated by management when gaining comfort over controls
- Access within applications supporting key business process control is generally understood from a privileged access perspective
- Cross platform Segregation of Duties is captured as a risk and controls are built to address the risk
- Cross platform segregation of Duties is not evaluated consistently, completely, or accurately by management when gaining comfort over controls
Leading Practice Environment:
- Access within applications supporting key business process control is well inventoried
- Functional access and how systems rely on one another throughout the business process is both defined and understood by control owners.
- Cross platform Segregation of Duties is captured as risk and controls are built to address the risk
- Cross platform segregation of Duties is evaluated at all control points, including access provisioning, user transfer, and periodically.
What to Expect
As the IT landscape continues to pivot in the direction of technology enablement and transformation, Segregation of Duties controls will continue to increase in quantity and urgency. We expect manual solutions will become more time intensive, and native solutions will continue to be complex in their installation and maintenance. We also anticipate centralized reporting and monitoring will be key for management to maintain comfort levels and minimize efforts when it comes to internal testing and monitoring.
What Can You Do To Prepare?
Companies and management that wish to prepare as much as possible should seek to do the following:
- Review key business processes in a critical, objective manner
- Include all supporting technology in any reviews
- Develop process flowcharts
- Evaluate “Mega processes”
- Create SoD and Sensitive Access inventories
Have questions about the changing SoD and Sensitive Access landscapes? Our consultants can help you optimize your processes and minimize the burden of compliance. Get in touch with us here.