
I stumbled on this post on the SOX Life blog (SOX: Sarbanes-Oxley) about implementing controls and Segregation of Duties (SoD). Although the post is quite old (19.05.2007), I felt it contained important points that I wanted to report on. First of all, the post gives another argument for the need for controls (for me, the need for policies can be justified in a similar way). The author reports on his experience with controls and SoD.

He observes two problems in companies:

  • An employee with too many responsibilities can be tempted to lower the quality of his work, either by committing fraud in the execution of his tasks because supervision is inadequate, or by simply not being ready to deliver the performance expected of him. Not being able to discover and control these discrepancies is certainly a big gap in a company's internal procedures. This point relates to SoD controls.
  • The second problem, according to [1], is that there is an inherent risk in companies of continuously forgetting about the most important things to do and concentrating on the most urgent things to do. He draws a parallel between our own lives and companies. We tend to give a higher priority to urgent tasks that have to be done and neglect what is really important, although we know that it is. Example: I know that it is important to control the quality of the development of an application that is being developed in India by providing and testing adequate test data. The problem is that at the same time, I have to deliver reports to management about project planning and expenses for the development projects of the region. I will eventually forget about the first task and accept the delivered product because there is no time to test it. The same thing happens to companies when it comes to designing internal controls.

The author in [1] gives a simple tip to follow when designing SoD controls. For each risk-related task or activity, ask the question: "If I make an error in my work, will someone downstream of me detect it before it becomes a major issue for management and shareholders to read about?" ([1]). I like this formulation because it uncovers the underlying view of tasks as processes. Business processes are actually the place where you should start looking when defining your controls. They give you the necessary overview, perspective and documentation of your real activities.

These are two points coming from the reality of the business. Although most companies that start struggling with compliance management do so because of the legal pressure applied to them, taking such concerns into account will eventually find its place, once companies understand the value they get out of internal controls: they allow them to actively manage risks and avoid unexpected failures of business processes.

[1] Explaining Segregation of Duties. SOX Life Blog Post:


Tags: GRC