SOX and Risk

Impact on Business Process Documentation

SOX mandated areas

The following sections describe the areas of SOX-mandated input on the deliverables that a typical finance process may need to satisfy. Whilst this document is primarily concerned with guidance for the process and owner template, not all of what is described here will be relevant to that deliverable; it is included because it describes the overall context and may be relevant elsewhere.

It should also be noted that, given the evolving and interpretive nature of SOX, many of these assertions are in many cases a best guess.

SOX and Risk

SOX has moved from the mandated checklist suggested by COBIT towards a risk-based approach. Different organisations have categorised the key risks differently, but the following are industry-standard key risks that must be mitigated or prevented. Financial reporting risk for business processes at the transaction level is classified into six categories:


Segregation of Duties: The risk that individual(s) within a process that impacts financial reporting are performing incompatible duties.


Authorisation: The risk that transactions within a process that impacts financial reporting are not executed in accordance with management's general or specific authorisation.


Access to Assets (physical and logical security): The risk that there is unauthorised access to, or use of, assets/records.


Asset Accountability: The risk that recorded and actual assets are not compared at reasonable intervals and/or that appropriate action with respect to differences is not taken.


Recording: The risk that transactions within processes which impact financial reporting are not all recorded, real, properly valued, recorded in a timely manner, properly classified, summarised correctly, and/or posted correctly.


Change Management: The risk that changes, either to software or to transactions (for example adjustments), are not managed so as to identify or prevent potential material loss or fraud.


SOX Impact on Process and Owner Deliverable

These considerations are directly relevant to this deliverable.

These risks must appear in the ownership document, as the owner is agreeing to their adoption and is accountable for the corresponding controls in their areas. At the process and ownership level it is enough simply to identify (i.e. name) these controls; they will be designed as part of the process designs.

For each sub-process it must be assessed whether each of the above risk areas is relevant. Where it is, the risk must be either mitigated or prevented within the (sub-)process by a named control.


SOX Impact on Process Design Deliverable

These considerations are directly relevant to this deliverable.

The detailed assignment and segregation of responsibility, the activity within each of the procedure's steps, and the handover and delivery between different participants must be written in direct response to the above.

If there is a constraining reason why these categories cannot be satisfied within a procedure, exception scenarios must be written to mitigate the risk category.

For example, if segregation of duties is not possible due to team size, an exception scenario to mitigate this (e.g. enhanced recording of activity) will be required.


© 2002-2007 Codel Services Ltd

This paper has been prepared by Codel Services Ltd to illustrate how structured business modelling can help your organisation. Codel Services Ltd is an IT Consultancy specialising in business modelling. If you would like further information, please contact us at: Deryck Brailsford, Codel Services Ltd, Dale Hill Cottage, Kirby-Le-Soken, Essex CO13 0EN,United Kingdom. Telephone: +44 (0)1255 862354/Mobile: + 44 (0)7710 435227/e-mail: