05-14-2007 4:43 AM
hi all,
I am confused: are SODs for the end users or for the project members? Could someone please explain it to me in detail?
05-14-2007 7:42 AM
Hi Kamal,
SOD:
Sarbanes-Oxley has become the ad hoc standard for financial transparency, trust, and corporate accountability. While mandatory for all publicly-owned companies, Sarbanes-Oxley is also becoming a best practice for all types of companies who wish to identify with good governance practices.
A significant amount of attention is currently focused on Section 302 (Disclosure) and Section 404 (Internal Controls). Sarbanes-Oxley Sections 302 and 404 are designed to ensure information required to be disclosed is initiated, processed, recorded, and reported, and that management has assessed the effectiveness of internal controls regarding the reliability of financial reporting.
CEOs and CFOs of public companies must:
- Certify that they have reviewed financial statements and each annual or quarterly report.
- Certify that each such report fairly represents the company's financial condition.
- Certify that they have established and are maintaining internal controls.
- Ensure the effectiveness of such internal controls every quarter.
- Address significant changes in internal controls or other factors that could significantly affect such controls.
- Identify corrective actions taken regarding deficiencies/weaknesses in controls.
- Disclose any significant deficiencies in internal controls and/or any fraud involving persons with a significant role in upholding such controls.
Hope it helps.
Please award points if it is useful.
Thanks & Regards,
Santosh
05-14-2007 5:29 AM
Hello,
SOD stands for Segregation of Duties and is typically applicable to end-users. Check this link for more info.
http://www.sapsecurityonline.com/sox_sod/sod_matrix.htm
Cheers !
05-14-2007 8:35 AM
Hi Kamal
Segregation of Duties as a method of control applies to both project and end users.
In the production environment, all users (regardless of job) should have restricted access to functions that are deemed incompatible for risk purposes, e.g. raise a PO & perform goods receipt for that PO.
Where users do have access to conflicting functions, mitigating controls should be put in place. Managing SODs via access is a preventative control, often seen as the most effective. However, in a small company or business function, users often need to perform what are considered conflicting functions as part of their job, & segregating these is not practicable. In those cases a detective/reporting control could be implemented to manage the risk.
In the non-production environments, access to process business transactions is less important and the SOD requirements are different. Some segregation of duties could include:
- Restrictions over creating, approving & importing transports
- Restrictions over writing code and changing configuration
- User Maintenance and Role Maintenance
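The reply above describes SOD as a rule set of incompatible functions, applied both to end users (PO vs. goods receipt) and to project members (transports, code vs. configuration, user vs. role maintenance), with a preventative check on assignment and a detective report where conflicts must be tolerated with a mitigating control. The following Python is an added example written for this thread; it is not code from any poster, from SAP, or from the linked SOD matrix site. The rule pairs follow the examples in the reply, while the function names (CREATE_PO, GOODS_RECEIPT, ...), role names (Z_PURCHASER, ...), user IDs and the mitigating control text are all constructed placeholders for illustration.

```python
from itertools import combinations

# Constructed SOD rule set: each key is a pair of functions treated as incompatible.
# Pairs mirror the examples in the reply; the function names are assumptions.
SOD_RULES = {
    ("CREATE_PO", "GOODS_RECEIPT"): "Raise a PO and perform goods receipt for it",
    ("CREATE_TRANSPORT", "APPROVE_TRANSPORT"): "Create and approve transports",
    ("APPROVE_TRANSPORT", "IMPORT_TRANSPORT"): "Approve and import transports",
    ("WRITE_CODE", "CHANGE_CONFIG"): "Write code and change configuration",
    ("USER_MAINT", "ROLE_MAINT"): "Maintain users and maintain roles",
}

# Store rules with the pair sorted so lookup does not depend on order.
RULES = {tuple(sorted(pair)): why for pair, why in SOD_RULES.items()}

# Constructed role -> functions and user -> roles data (assumed names).
ROLE_FUNCTIONS = {
    "Z_PURCHASER": {"CREATE_PO"},
    "Z_WAREHOUSE": {"GOODS_RECEIPT"},
    "Z_BASIS_TRANSPORT": {"CREATE_TRANSPORT", "APPROVE_TRANSPORT", "IMPORT_TRANSPORT"},
    "Z_DEVELOPER": {"WRITE_CODE", "CREATE_TRANSPORT"},
    "Z_USER_ADMIN": {"USER_MAINT"},
    "Z_ROLE_ADMIN": {"ROLE_MAINT"},
}
USER_ROLES = {
    "kamal": {"Z_PURCHASER", "Z_WAREHOUSE"},      # end user: PO + goods receipt
    "dev01": {"Z_DEVELOPER"},                      # project member, no conflict
    "basis01": {"Z_BASIS_TRANSPORT"},              # project member: whole transport path
    "secadmin": {"Z_USER_ADMIN", "Z_ROLE_ADMIN"},  # user + role maintenance
}
# Constructed mitigating (detective) control, keyed by user and conflicting pair.
MITIGATIONS = {
    ("kamal", ("CREATE_PO", "GOODS_RECEIPT")):
        "Monthly PO/GR reconciliation report reviewed by the finance manager",
}


def effective_functions(user, user_roles, role_functions):
    """Union of the functions granted through every role assigned to the user."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs.update(role_functions.get(role, ()))
    return funcs


def conflicting_pairs(funcs):
    """All rule pairs present in a set of functions (pairs come out sorted)."""
    return [pair for pair in combinations(sorted(funcs), 2) if pair in RULES]


def find_conflicts(user_roles, role_functions, mitigations=None):
    """Detective control: report every user holding an incompatible pair,
    flagging whether a documented mitigating control covers it."""
    mitigations = mitigations or {}
    findings = []
    for user in sorted(user_roles):
        funcs = effective_functions(user, user_roles, role_functions)
        for pair in conflicting_pairs(funcs):
            control = mitigations.get((user, pair))
            findings.append({
                "user": user,
                "conflict": pair,
                "rule": RULES[pair],
                "mitigated": control is not None,
                "control": control,
            })
    return findings


def unmitigated(findings):
    """Conflicts with no mitigating control: these need access to be changed."""
    return [f for f in findings if not f["mitigated"]]


def check_assignment(user, new_role, user_roles, role_functions):
    """Preventative control: conflicts that assigning new_role would introduce,
    excluding any the user already has."""
    before = set(conflicting_pairs(effective_functions(user, user_roles, role_functions)))
    proposed = dict(user_roles)
    proposed[user] = set(user_roles.get(user, ())) | {new_role}
    after = set(conflicting_pairs(effective_functions(user, proposed, role_functions)))
    return sorted(after - before)


if __name__ == "__main__":
    for f in find_conflicts(USER_ROLES, ROLE_FUNCTIONS, MITIGATIONS):
        status = "mitigated: " + f["control"] if f["mitigated"] else "UNMITIGATED"
        print(f'{f["user"]}: {f["conflict"][0]} + {f["conflict"][1]} ({f["rule"]}) -> {status}')
    print("dev01 + Z_BASIS_TRANSPORT would add:",
          check_assignment("dev01", "Z_BASIS_TRANSPORT", USER_ROLES, ROLE_FUNCTIONS))
```

Running the report shows the two kinds of outcome the reply distinguishes: the end user kamal keeps an incompatible pair because a documented detective control covers it, while basis01 and secadmin hold unmitigated conflicts and would need their access restricted. The check_assignment function is the preventative side, meant to run before a role is granted rather than after.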