• Christine Doxey
    Topic posted 9:42 AM by Christine Doxey (Red Ribbon: 250+ Points), tagged Error, Financial Reporting Compliance, Financial Transactions, Financials, Fraud, Governance, Risk Management, Tip in Human Capital Management > Risk Management public
    Addressing the Layers of Chaos: 10 Best Practices to Simplify Your Financial Close
    As many companies get ready for a December Fiscal Year-End Close, they should consider the best practices recommended in this article.


    Over the last decade, the financial reporting landscape has seen significant change. Finance and accounting executives face mounting pressure to increase the accuracy of financial reporting while decreasing the turnaround time needed to close the books. Regulatory agencies have introduced a host of new standards and accounting rules changing materiality thresholds, requiring detailed schedules, and new disclosures for public filings. To complicate matters, many organizations are being asked to do more with less as headcount numbers are reduced in response to economic pressures. This complexity adds layers of chaos that impact the end-to-end process and adversely impacts the time it takes to deliver the final financial statements.

    There are two overlapping strategies that can help to remove the complexity of your closing process and are applicable to all types of companies and industries.

    1. Implement Best Practices: Consider using recommended best practices to remove the complexity from the closing processes. Implementing best practices can address current process challenges and facilitate a good foundation for financial close automation.
    2. Financial Close Automation: Automated solutions can significantly simplify your financial close process. As an example, you can automate your closing checklist and assign tasks and approvals through workflow which drives a streamlined reporting process.

    10 Best Practices to Simplify Your Financial Close

    The following 10 best practices can help simplify your financial close, provide timely and accurate results, and reduce the cost of the process. Each best practice is grouped by the strategies noted above.  

    1. Document Your Closing Process and Cross-Train Your Accounting Staff

    Involve the whole organization in understanding the goals and schedule for the close by using well-communicated checklists and project plans. Ensure that roles and responsibilities are documented and well-communicated to all the stakeholders involved in the closing process. Use the documentation to cross-train staff members.

    Supporting Strategy: Implement Best Practices

    2. Develop Partnerships across Departments to Resolve Recurring Cross-Functional Issues and Obstacles to Close

    Following each close, an “Obstacles to Close” or “Post Mortem” report is distributed across the organization. This process provides visibility of cross-functional issues and identifies areas for process improvement. By constantly looking at ways to improve the financial close, the process can become less cumbersome and easier to manage.

    Supporting Strategy: Implement Best Practices

    3. Review Unused Accounts in the General Ledger and Minimize Accounting Data

    Minimize accounting data in the core general ledger by limiting code segments to sub-ledgers. This is a somewhat overlooked opportunity to improve the close process, since keeping the general ledger relatively simple accelerates data roll-ups, as well as pushes problem resolution to the business functions that are closest to specific transactions.

    Supporting Strategy: Implement Best Practices

    4. Complete Standard Allocations, Adjusting Entries, Accruals and Estimates in Advance of Close

    Use a standard allocation system with a defined tolerance or true up when something is out of the established tolerance. Create the adjusting entries to recognize prepaid expenses, accrue outstanding invoices, relieve accruals that have been paid, and recognize depreciation and other amortizations.

    Supporting Strategy: Financial Close Automation

    5. Minimize and Automate Journal Entries During the Closing Process

    Reduce a manual journal entry process. If some journal entries need to be created manually, use an upload process with built-in checks and balances. Consider the use of recurring entries and estimates that can streamline the closing process.

    Supporting Strategy: Financial Close Automation

    6. The Reporting Process: Use Trial Balance Reports as the Foundation for the Close and the Preparation of Accurate Financial Statements

    Use a system-generated adjusted trial balance report to review the final balances in the ledger. Verify that the balances are accurate, checking the account activity if needed. Use standard templates for recurring reports. Report writers can streamline and make reports consistent and substantially reduce data entry and the need for reconciliations.

    Supporting Strategy: Financial Close Automation

    7. Establish a Closing Date as a Critical System Control

    Establish a closing date by which all transactions must be posted. Communicate the closing date to everyone who has access to modify the ledger. A closing date can be implemented as a critical system control and supports the management of your fiscal period close process and the integrity of closed fiscal periods.

    Supporting Strategy: Implement Best Practices and Financial Close Automation

    8. Manage the Financial Close like a Project

    Implement a schedule for posting closing entries with duties assigned to specific individuals. Ensure that everyone knows the deadlines and what is needed to meet the deadline.

    Supporting Strategy: Implement Best Practices and Financial Close Automation

    9. Move to a Monthly Soft Close Process

    Transition from a monthly hard close to soft monthly closes and quarterly hard closes. This change allows companies to reduce investigation levels and rely on accruals and estimates during soft closes. A soft close is best facilitated with automated reconciliation processes and reporting.

    Supporting Strategy: Implement Best Practices and Financial Close Automation

    10. Develop and Monitor Performance Metrics

    Gathering metrics and publishing the results can help to detect and prevent fraud, identify process improvements and support automation opportunities.

    Supporting Strategy: Implement Best Practices and Financial Close Automation


    The financial close process is one of the most fundamental indicators of the efficiency of your fiscal infrastructure, and is the critical foundation that must be in place before your finance and accounting team can even begin to optimize its role as a true consultative business partner and trusted advisor, assisting in achieving strategic goals and creating shareholder value. Addressing the layers of chaos with our recommended best practices is a key step in the journey to becoming a trusted business partner. Automating the close provides the tools to drive results and support the value of the finance and accounting function.

    If you'd like to improve your financial close, please contact me at


  • Barry Greenhut
    Topic posted September 27, 2019 by Barry Greenhut (Bronze Medal: 1,250+ Points), tagged Advanced Controls, Compliance, ERP, Financial Reporting Compliance, Financial Transactions, Financials, Fraud, Governance, GRC, Public Sector, Risk Management, Sarbanes Oxley, Security, Separation of Duties, SOX in Human Capital Management > Risk Management public
    Risk Management @ OpenWorld 2019 - Recap and presentations
  • Christine Doxey
    Topic posted August 13, 2019 by Christine Doxey (Red Ribbon: 250+ Points), tagged Advanced Controls, Compliance, Financial Reporting Compliance, Financial Transactions, Fraud, GRC, Risk Management, Tip in Human Capital Management > Risk Management public
    Seven Best Practices to Reduce Risk in Your Supplier Onboarding Process
    In my last post, we discussed the development of a roadmap for your internal controls program. Now we’ll drill down to the Supplier Onboarding Process within the Procure-to-Pay (P2P) process.

    Leading organizations recognize the importance of comprehensive supplier qualification processes but struggle to communicate qualification requirements to potential suppliers, and have difficulties creating a baseline for evaluating supplier risk levels.  Ardent Partners reports that 51% of the respondents in “The CPO’s Top Goals for Investing in Technology” survey report improving compliance as a goal.  The Hackett Group includes customizing supplier onboarding, identifying fraud and addressing internal policy non-compliance as the best practice tactics for a world class P2P organization.

    It’s well known that global enterprises manage thousands of invoices, purchase requisitions, and purchase orders within the Procure-to-Pay (P2P) process. Organizations may have disconnected purchasing and accounts payable processes and may depend upon third-party software and cumbersome spreadsheets. This results in countless hours of reconciliation resulting in payment errors, compliance and control issues.

    To support tax and regulatory compliance requirements, there are several best practices to consider when onboarding your suppliers. Here are seven best practices to consider which include the following details: Summary of Action, Benefits, and Suggested Audit Trail.

    1. TIN Matching

    Summary of Action: TIN Matching utilizes the functionality provided by the IRS. You can convert your supplier master file into the proper format required by the IRS to get actionable results.

    Benefits:

    • Ensures 1099 accuracy.
    • Eliminates B-Notices
    • Provides fraud prevention since the matching process ensures suppliers are “legitimate.”
    • The TIN Matching process can identify duplicate suppliers and can be a catalyst for cleaning up your supplier master file.

    Suggested Audit Trail:

    • TIN Matching Summary Report (Source: IRS)
    • TIN Matches (Source: IRS)
    • Non-Matching TIN Numbers (Source: IRS)
    • TIN Numbers Not Submitted
    2. W-8 and W-9 Document Acquisition

    Summary of Action: The W-8 form is required for all foreign suppliers. There are many variations of the W-8 forms that include the W-8 BEN, W-8 BEN-E, W-8 ECI, W-8 EXP, and W-8 IMY. The W-8 is an IRS form that grants a foreigner an exemption from certain U.S. information return reporting and backup withholding regulations.

    Benefits:

    • Provides an audit trail for your supplier’s TIN information.
    • Provides proof of exemption from backup withholding.
    • Back-up documentation for an erroneous B-Notice.

    Suggested Audit Trail:

    • A file containing scanned copies of all W-8 and W-9 documents acquired.
    • All scanned copies will be linked to your supplier name and number.
    3. Compliance Screening and Reporting

    Summary of Action: Compliance screening is a key component of supplier validation. It’s also important to complete the due diligence process to ensure that an issue is acted upon. The due diligence process includes researching Better Business Bureau, State of Incorporation data, and other research based on specific supplier information.

    • Office of Foreign Assets Control (OFAC)
    • Bureau of Industry and Security (BIS)
    • Office of Inspector General (OIG) - For Healthcare Suppliers
    • Specially Designated Nationals (SDNs)

    Benefits:

    • Ensures compliance to OFAC and other regulatory requirements.
    • Avoids penalties due to non-compliance.

    Suggested Audit Trail:

    • Compliance Screening Reports
    • Supplier Master Screening Results Summary Report
    • Detail Per Record Match Screening Results
    • Due Diligence Process Results
    4. Supplier Master Data Review

    Summary of Action: To keep your supplier master in control, I recommend that your supplier master is scrubbed at least every year to alleviate duplicate suppliers, suppliers that haven’t been used in 18 months, suppliers with missing information, and suppliers that have duplicate records.

    Benefits:

    • Provides enhanced internal controls for your vendor master.
    • Identifies duplicate and potentially fraudulent vendors.
    • Helps to prevent duplicate payments.

    Suggested Audit Trail:

    • Duplicate Supplier Names
    • Suppliers with Duplicate Street Addresses
    • Suppliers with Duplicate PO Boxes
    • Suppliers With Duplicate Phone or FAX Numbers
    • Suppliers With Duplicate TINs                      
    5. Supplier Master Reporting and Analytics

    Summary of Action: This best practice includes the analysis of accounts payable transactions by dollar distribution, and the stratification of spending levels. It’s a great way to look into your accounts payable data to determine if there are opportunities to consolidate suppliers, change invoicing methods, identify spending anomalies, or implement a P-Card program for low spend purchases.

    Benefits:

    • Identifies transaction volumes and values of payments.
    • Highlights opportunities for invoice automation, summary billing, and the implementation of P-Cards.

    Recommended Audit Trail:

    • Top 30 Suppliers with Invoice Amounts of $0 - $150
      • Top 30 Suppliers with Invoice Amounts of $0 - $50
      • Top 30 Suppliers with Invoice Amounts of $50 - $100
      • Top 30 Suppliers with Invoice Amounts of $100 - $150
    • Invoice Payment Dollar Distribution
    • Accounts Payable Year to Year Analysis
    • Accounts Payable Transactions by Month
    • Top 50 Suppliers by Transaction
    • Top 50 Suppliers by Dollars

    6. ACH Account Validation

    Summary of Action: The ACH account validation process is the most efficient if ACH account information is validated and maintained in the supplier master file. As a best practice, many companies contact either the supplier or the supplier's bank to validate the banking information.

    Benefits:

    • Prevents payment fraud and ensures that funds are disbursed to the correct supplier bank account.
    • Provides an enhancement to current disbursement controls.

    Recommended Audit Trail:

    • A report that reflects the positive confirmation of ACH numbers.
    • All non-confirmed accounts or accounts with issues should also be reported.

    7. Insurance Certificate Acquisition

    Overview of Action: Validation of the insurance certificate provided by the supplier.

    Benefits:

    • Validating the insurance certificate when you set up a supplier should be a key step in the onboarding process.

    Recommended Audit Trail:

    • A file containing scanned copies of all insurance certificates should be available for review. 

    In conclusion, these seven best practices support your supplier onboarding process and can help to ensure that the data is accurate in your supplier master. With correct supplier master data, invoicing and payment processes are accurate. This means that financial statements and cash management processes will be correct and there is confidence in your supplier data.

    If you have questions about these best practices or the supplier onboarding process, please post a comment below.
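The supplier master data review in best practice 4 above (duplicate names, street addresses, PO boxes, phone numbers and TINs, suppliers not used in 18 months, suppliers with missing information), sketched as an added example that is not part of the original post. The record layout, the sample suppliers and the normalization rules are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample supplier master; every value here is made up.
# TINs are sensitive data: a real run should work on an access-controlled extract.
SUPPLIERS = [
    {"id": "S001", "name": "Acme Industrial Supply, Inc.", "address": "100 Main Street, Suite 4",
     "phone": "(555) 010-2000", "tin": "00-0000001", "last_used": date(2019, 6, 3)},
    {"id": "S002", "name": "ACME INDUSTRIAL SUPPLY INC", "address": "P.O. Box 77",
     "phone": "555-010-2000", "tin": "000000001", "last_used": date(2019, 7, 15)},
    {"id": "S003", "name": "Birch Logistics LLC", "address": "PO Box 77",
     "phone": "555-010-3000", "tin": "00-0000002", "last_used": date(2017, 1, 9)},
    {"id": "S004", "name": "Cedar Consulting", "address": "",
     "phone": "555-010-4000", "tin": "", "last_used": date(2019, 5, 1)},
]

# Assumed normalization tables; extend them for your own data.
LEGAL_SUFFIXES = {"inc", "incorporated", "llc", "ltd", "corp", "corporation", "co", "company"}
ADDRESS_WORDS = {"street": "st", "avenue": "ave", "suite": "ste", "road": "rd"}
REQUIRED_FIELDS = ("name", "address", "phone", "tin")


def norm_name(value):
    """Lower-case, strip punctuation and legal suffixes so name variants collide."""
    words = re.sub(r"[^a-z0-9]+", " ", value.lower()).split()
    return " ".join(w for w in words if w not in LEGAL_SUFFIXES)


def norm_address(value):
    """Drop punctuation so 'P.O. Box 77' and 'PO Box 77' compare equal."""
    words = re.sub(r"[^a-z0-9 ]", "", value.lower()).split()
    return " ".join(ADDRESS_WORDS.get(w, w) for w in words)


def norm_digits(value):
    """Keep digits only; used for phone numbers and TINs."""
    return re.sub(r"\D", "", value)


def duplicates(suppliers, field, normalize, keep=lambda key: True):
    """Group supplier ids by normalized field value; return groups of two or more."""
    groups = defaultdict(list)
    for supplier in suppliers:
        key = normalize(supplier.get(field) or "")
        if key and keep(key):  # empty values are reported as missing, not duplicate
            groups[key].append(supplier["id"])
    return {key: sorted(ids) for key, ids in groups.items() if len(ids) > 1}


def months_between(earlier, later):
    """Whole calendar months elapsed from earlier to later."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    return months - 1 if later.day < earlier.day else months


def is_po_box(key):
    return key.startswith("po box")


def review_supplier_master(suppliers, as_of, inactive_months=18):
    """Produce the duplicate, inactive and missing-information findings."""
    missing = {}
    for supplier in suppliers:
        gaps = [f for f in REQUIRED_FIELDS if not supplier.get(f)]
        if gaps:
            missing[supplier["id"]] = gaps
    return {
        "duplicate_names": duplicates(suppliers, "name", norm_name),
        "duplicate_street_addresses": duplicates(
            suppliers, "address", norm_address, lambda key: not is_po_box(key)),
        "duplicate_po_boxes": duplicates(suppliers, "address", norm_address, is_po_box),
        "duplicate_phones": duplicates(suppliers, "phone", norm_digits),
        "duplicate_tins": duplicates(suppliers, "tin", norm_digits),
        "inactive": sorted(s["id"] for s in suppliers
                           if months_between(s["last_used"], as_of) >= inactive_months),
        "missing_info": missing,
    }


if __name__ == "__main__":
    for finding, detail in review_supplier_master(SUPPLIERS, date(2019, 8, 13)).items():
        print(f"{finding}: {detail}")
```

Exact matching on normalized keys misses misspelled names, so each group it reports is a candidate for manual review rather than a confirmed duplicate.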

  • Christine Doxey
    Topic posted July 16, 2019 by Christine Doxey (Red Ribbon: 250+ Points), tagged Advanced Controls, Compliance, Financial Reporting Compliance, Financial Transactions, Financials, Fraud, Governance, GRC, Risk Management, Sarbanes Oxley in Human Capital Management > Risk Management public
    Your Roadmap for Implementing an Internal Controls Program
    In my previous posts, I wrote about segregation of duties (SoD), risk based and compensating controls. This post provides the suggested steps for an internal controls roadmap.

    We’ve defined internal controls as a critical component throughout business strategies, operations, and processes.  Operationally effective controls are the linchpin to assure that an organization can reliably achieve objectives while addressing uncertainty and acting with integrity. Where do we start the internal controls journey and how do we implement a strong internal controls program?

    Many organizations take an approach to internal control management that has defined intersections with risk, compliance, and audit processes and use a set of standards.  But typically, all organizations face the following challenges with building and maintaining an internal controls program.

    • Providing an integrated strategy and view of financial and operational controls across the organization.
    • Defining a common language for risk and control.
    • Increasing confidence in ongoing risk coverage throughout all business processes.
    • Establishing Overall Responsibility for a company’s internal controls program to ensure consistency and to avoid duplication of effort.
    • Capturing business changes with updated and changing controls.
    • Combining finance and operational control teams and revamping processes to address a controls weakness.
    • Prioritizing the key controls for a business process that can truly mitigate risk.
    • Managing the human element in controls management.
    • Expanding and reacting to the ongoing regulatory requirements for internal control management.
    • Addressing a lack of resources while being tasked with more internal control responsibilities across controls.
    • Keeping controls aligned with business processes and a changing environment.
    • Implementing a system and technology to manage all controls across the organization.
    • Developing Transparency, reporting, and monitoring
    • Integrating controls into daily workflow particularly when staff transitions occur.

    So how does a company establish a roadmap to build an internal controls program to address these challenges?  Here are some steps to consider when establishing or enhancing your internal controls program.

    1. Define the Organization and Process Context: For most organizations, inefficiencies from an internal controls program fragmentation are so great that huge savings are possible by taking the simple step of eliminating silos and operating on a common context and structure with well-defined responsibilities. Which business process is your focus? Which process has a known control weakness, an identified audit finding or a detected fraudulent activity? The outcome of these efforts will enable an organization to:
    • Establish priorities and focus of coverage. 
    • Coordinate planning across all business units.
    • Eliminate gaps and duplication in coverage.
    • Decrease time spent by business process owners.
    • Increase ability to spot control issues and trends as they develop.
    • Utilize a single strategy and methodology for risk mitigation.
    2. Establish a Common Language for Risks and Controls: Without a standard naming convention or common methodology for determining or classifying risks and controls, business process owners are unable to share information. The benefits of utilizing a common language for risks and controls include:
    • Improved reporting throughout the organization.
    • Audit and control issues are embedded in your program and are promptly assigned and corrected. 
    • Consistent coverage—all risks are considered but there is a focus on the risk of material misstatement.
    • Improved business performance—risks explain performance gaps.
    • Better decision making—decisions are risk based.
    • Less external oversight and audits—controls are standardized using a common methodology.
    3. Implement a Consistent Reliable Methodology: Without a consistent methodology for your internal controls program, the cost of controls can be expensive with incomplete coverage and inaccurate results. Examples of a consistent methodology include:
    • The top-down risk criteria is established with consistent risk identification.
    • The risks are properly accessed by appropriate internal controls.
    • The risks that require a response are identified.
    • The risk responses that require remediation are prioritized.
    4. Focus on Transparency, Reporting and Monitoring: All information on the status of risks and controls should be available for continuous reporting. If implemented effectively, communication between management and the board of directors is in place with a focus on risk mitigation and the achievement of business objectives. The benefits of a consistent and disciplined reporting structure include:
    • Availability of accurate and consistent reports.
    • Positive knowledge and reporting of risks and controls across the company.
    • Information sharing across business processes.
    • Confidence of the reliability of all risk and control information.
    5. Leverage Technology: By eliminating information silos and redundant data entry, and taking a unique holistic approach to regulatory challenges, technology provides greater efficiency, improves collaboration, and reduces the time and resource costs. Additional benefits that can be gained by utilizing a defined technology solution for internal controls include:
    • A single universe of all risk and controls data called "The Internal Controls Universe."
    • Elimination of duplicate documentation. 
    • The implementation of a controls self-assessment process.
    • More processes, risks, controls can be assessed and properly prioritized.
    • Increase in management accountability.
    • Consolidated and reliable reporting.
    • The ability to produce metrics and analytics for your internal controls program.

    In conclusion, the success of an internal controls strategy is dependent upon communication, well-defined roles and responsibilities, standards of internal control, technology and reporting. To address the challenges of a viable and ongoing internal controls program, standards of internal control are available.

     If you have questions about these standards or the implementation of an internal controls program, please post a comment below.


  • Barry Greenhut
    Topic posted April 8, 2019 by Barry Greenhut (Bronze Medal: 1,250+ Points), tagged Advanced Controls, Compliance, ERP, Financial Reporting Compliance, Financial Transactions, Financials, Fraud, Governance, GRC, Public Sector, Risk Management, Sarbanes Oxley, Security, Separation of Duties, SOX in Human Capital Management > Risk Management public
    Keeping up with Risk Management

    Each quarter we update your environments with new and improved functionality. To prepare, check out What's New - it describes significant changes and tells you how to get ready:

    • What's New in 19D: We introduced streamlined home page icons and application configuration pages; improved time zone support, risk models, surveys, and transaction business objects; new pre-built access and transaction models; and much more.
      • A few features are available only under Controlled Availability - they should not be used in production until they become Generally Available: the Business Object Visualization Tool for transaction/audit objects, the REST API for Third-Party Provisioning Tools, Access Certification's Users' Direct Managers Can Review Role Assignments, and Bell Notifications.
      • In addition to the changes described in What's New, we introduced a new search technology on the Manage Jobs page that affects saved searches.
    • What's New in 19C: Learn about upcoming changes including: pre-built Advanced Controls content is now available within a content library inside the product; access analyses automatically exclude results based on procurement agent configuration; transaction data synchronization performance is enhanced by eliminating redundant language related data; Financial Reporting Compliance's assessment completion page has been enhanced; and many more.
    • What's New in 19B: Learn about a new way to get notifications, an important change for folks who use the Language attribute in AFC controls, continuous certification, new pre-built content, and 43 other significant changes.
    • What's New in 19A: We introduced new automation for fine-tuning access analyses, new and improved AFC business objects, and 34 more. In addition, we...
    • What's New in 18C: We provided greater control over who can see and perform FRC assessments, user-defined AAC access points, Access Certification automation, pre-built content for HCM, and over a dozen more.

    To keep up with us, make this page a Favorite (the button's above) - we'll update it each time we publish a new edition of What's New, and you'll get a notification.

  • Barry Greenhut
    Topic posted April 8, 2019 by Barry Greenhut (Bronze Medal: 1,250+ Points), tagged Advanced Controls, Compliance, ERP, Financial Reporting Compliance, Financial Transactions, Financials, Fraud, Governance, GRC, Public Sector, Risk Management, Sarbanes Oxley, Security, Separation of Duties, SOX in Human Capital Management > Risk Management public
    Get support for Risk Management

    My Oracle Support offers quick references to accelerate your work:

  • Barry Greenhut
    Topic posted March 6, 2019 by Barry Greenhut (Bronze Medal: 1,250+ Points), tagged Advanced Controls, Compliance, ERP, Financial Reporting Compliance, Financial Transactions, Financials, Fraud, Governance, GRC, Public Sector, Risk Management, Sarbanes Oxley, Security, Separation of Duties, SOX in Human Capital Management > Risk Management public
    Design and export your own Risk Management reports

    When you subscribe to Risk Management, you get complimentary access to tools that let you design reports, pivot, analyze and export data, and much more.

    We're thrilled to share two new videos by Stephanie Golly, our product manager in charge of this topic. She'll show you how to create and export your own analyses of user access and transactions - an Access Incident Details Extract report (AIDE) and Transaction Incident Details Extract report (TIDE).

    And don't miss Lakshmi Rajamohan's master class in Financial Reporting Compliance reports and dashboards - part of our Hands-On series!

  • Christine Doxey
    Topic posted February 20, 2019 by Christine Doxey (Red Ribbon: 250+ Points), tagged Advanced Controls, Compliance, Financial Transactions, Fraud, GRC, Risk Management, Sarbanes Oxley, Separation of Duties, SOX in Human Capital Management > Risk Management public
    Compensating Controls to Mitigate Risk
    Learn about compensating controls as an additional risk management tool.


    Segregation of duties promotes the use of sound business practices and supports the achievement of a business process objective.  When designing segregation of duties controls for a business or financial process, most business process owners start with identifying incompatible functions and then define the segregation of duties and systems access controls. However, the segregation of duties control cannot always be achieved in certain situations due to staffing limitations.

    In some cases, an employee will perform all activities within a process. In this scenario, segregation of duties does not exist and risk cannot be identified nor mitigated in a timely manner. As a result, the implementation of additional compensating controls should be considered.

    Definition of Compensating Controls

    A compensating control reduces the vulnerabilities in ineffectively segregated functions.  A compensating control can reduce the risk of errors, omissions, irregularities and deficiencies,  which can improve the overall business process.

    Compensating Controls, CSA and CCM

    However, it should be noted that many companies include compensating controls in their internal controls programs as additional measures to reduce risk. These controls can be embedded in continuous controls monitoring (CCM) and controls self-assessment (CSA) processes.

    Continuous controls monitoring (CCM) refers to the use of automated tools and various technologies to ensure the continuous monitoring of financial transactions and other types of transactional applications to reduce and mitigate risk. A CCM process includes the validation of authorizations, systems access, system configurations and business process settings.

    Examples of Compensating Controls

    1. Skim through detailed transactions report: A manager should consider performing a high-level review of a detailed report of transactions completed by an employee who performs incompatible duties. As an example, a manager may simply skim through the report sections that contain high-risk transactions or accounts and may review specific payment types or amounts before the payment is made.
    2. Review sample of transactions: Using a CSA or CCM process, a manager may select a few sample transactions, request the supporting documents and review the documents to ensure that they are complete, appropriate, and accurately processed. In addition to detecting errors, the knowledge of a periodic review could create a disincentive (that is, reduce the opportunity) for the person performing the incompatible duties to process unauthorized or fraudulent transactions. This review identifies transactional anomalies which can be used as a flag to indicate collusion. As an example, unchanged pricing and using the same suppliers for several years can indicate possible collusion between buyers and suppliers.
    3. Review system reports: Applications that support business or office operations have embedded reporting capabilities that enable the generation of reports based on pre-determined or user-defined criteria. A review of relevant system exception reports can provide good compensating controls for an environment that lacks adequate segregation of duties. As an example, I suggest a review of a report of deleted or duplicated transactions, a report of changes to data sets and a report of transactions exceeding a specific dollar amount on a quarterly basis.
    4. Perform analytical reviews: Another example of a compensating control is the comparison of different records with predictable relationships and the analysis of identified unusual trends. For example, a budget vs. actual expenditure comparison or current year vs. prior year subscription fees analysis or comparison of selected asset records to actual physical count of assets might indicate unusual variances or discrepancies that may need to be investigated. In this review, an analytical review should occur on a monthly basis.
    5. Reassign reconciliation: If there is an opportunity to reassign one activity from the person performing the incompatible function to another employee, a manager may consider re-assigning the reconciliation activity. As an example, reassigning the bank account reconciliation function to someone other than the person receiving cash and depositing it to the bank could improve the quality of internal controls in the cash receipt process. Reconciliations should occur monthly as a standard of internal control.
    6. Increase supervisory oversight: Other forms of activities a manager may perform as compensating controls are observation and inquiry. Where appropriate, increasing supervisory reviews through the observation of processes performed in certain functions and making inquiries of employees are good administrative controls that may help to identify and address areas of concern before a transaction is finalized.
    7. Rotate jobs: Many companies rotate jobs in the finance and accounting department every 1-2 years. This creates an environment of control and can prevent collusion. As an example, accounts payable processors should be rotated on a regular basis so that they don’t become too involved with specific suppliers. And as noted above, a buyer’s responsibility should be rotated within the purchasing organization.


    Effective compensating controls can reduce the risk for a process that has limited or inadequate segregation of duties and ultimately can provide reasonable assurance to management that the anticipated objective(s) of a process or a department will be achieved.  As a detective risk management technique, compensating controls tend to look at the accuracy of a transaction after it has occurred but can be used as preventive controls within CSA and CCM processes.

  • Christine Doxey
    The Benefits of Segregation of Duties Controls
    Topic posted November 9, 2018 by Christine Doxey (Red Ribbon: 250+ Points), tagged Advanced Controls, Compliance, Financial Transactions, Fraud, GRC, Risk Management, Sarbanes Oxley, Separation of Duties, SOX in Human Capital Management > Risk Management public
    In my last post, we discussed the concept of implementing internal controls to mitigate risk. Segregation of duties is a fundamental control to consider when managing risk.

    What is Segregation of Duties (SoD)?

    The key principle of segregation of duties is that an individual or small group of individuals should not be in a position to control all components of a transaction or business process. The general duties to be segregated are: planning/initiation, authorization, custody of assets, and recording or reporting of transactions. In addition, control tasks such as review, audit, and reconcile should not be performed by the same individual responsible for recording or reporting the transaction. Adequate segregation of duties controls reduce the likelihood that errors (intentional or unintentional) will remain undetected by implementing separate processing by different individuals at various stages of a transaction and for independent reviews of the work performed.

    Segregation of duties controls provide four primary benefits: 1) the risk of a deliberate fraud is mitigated as the collusion of two or more persons would be required in order to circumvent controls; 2) the risk of legitimate errors is mitigated as the likelihood of detection is increased; 3) the cost of corrective actions is mitigated as errors are generally detected earlier in their lifecycle; and 4) the organization’s reputation for integrity and quality is strengthened through a system of checks and balances.

    Applying SoD Controls to Systems Access

    The principle of segregation of duties is critical as it ensures the separation of different functions such as transaction entry, on-line approval of the transactions, master file initiation, master file maintenance, user access rights, and the review of transactions.  This means that one individual should not have access rights which permit them to enter, approve and review transactions. Assigning different security profiles or roles to various individuals supports the principle of segregation of duties. As an example, this principle can be reinforced by systems access policy and the ongoing review of system access controls as part of your internal controls program.

    Eight Categories of SoD Controls to Consider

    The following categories of duties or responsibilities should be considered when implementing segregation of duties controls and can be validated by system access roles by asking the question, “Who can do what?” These controls can be used to develop your internal controls self-assessment process and when considering compensating controls to mitigate risk for a specific business process.

    1. Policy, Plans and Goals
      • Formulating policy, plans and goals
      • Approving policy, plans and goals
    2. Developing/analyzing business case justification
      • Transaction SoD Controls
      • Initiating a transaction
      • Authorizing the transaction
      • Recording the transaction
    3. Monitoring or having custody of physical assets
    4. Monitoring and/or reporting on performance results
    5. Reconciling accounts and transactions
    6. Master File Transactions
      • Authorizing master file transactions
      • Processing master file transactions
    7. Providing information systems development, security administration, and other related support
    8. Following-up and resolving issues or discrepancies
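
The "Who can do what?" review of system access roles described in the post above can be run as a script over a role export. This is an added example, not part of the original post or of any product it mentions; the duty groups follow the post's categories, while the role names, user names and assignments are constructed sample data.

```python
from itertools import combinations

# Duties the post says to keep apart: no user should hold two from one group.
INCOMPATIBLE_GROUPS = {
    "transaction": {"initiate_txn", "authorize_txn", "record_txn"},
    "review": {"record_txn", "reconcile"},
    "master_file": {"authorize_master_file", "process_master_file"},
}

# Constructed sample data: hypothetical roles and the duties each one grants.
ROLE_DUTIES = {
    "AP_Clerk": {"initiate_txn", "record_txn"},  # conflict inside one role
    "AP_Manager": {"authorize_txn"},
    "GL_Accountant": {"record_txn"},
    "Recon_Analyst": {"reconcile"},
    "Vendor_Admin": {"process_master_file"},
    "Vendor_Approver": {"authorize_master_file"},
}
# Constructed sample data: hypothetical users and their assigned roles.
USER_ROLES = {
    "alice": {"AP_Clerk"},
    "bob": {"AP_Manager", "Recon_Analyst"},
    "carol": {"GL_Accountant", "Recon_Analyst"},
    "dave": {"Vendor_Admin", "Vendor_Approver"},
}

def find_sod_conflicts(user_roles, role_duties, groups):
    """Return sorted (user, group, duty_a, duty_b, roles) for each conflict."""
    findings = []
    for user, roles in user_roles.items():
        # Effective access: for each duty, which of the user's roles grant it.
        granted = {}
        for role in roles:
            for duty in role_duties.get(role, ()):
                granted.setdefault(duty, set()).add(role)
        for group, duties in groups.items():
            held = sorted(duties & set(granted))
            # Every pair of incompatible duties held by one user is a finding.
            for a, b in combinations(held, 2):
                via = tuple(sorted(granted[a] | granted[b]))
                findings.append((user, group, a, b, via))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_sod_conflicts(USER_ROLES, ROLE_DUTIES, INCOMPATIBLE_GROUPS):
        print(finding)
```

The check resolves roles to effective duties first, so it reports both a conflict created by combining two roles and one built into a single role.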
  • Barry Greenhut
    Risk Management @ OpenWorld 2018 - Recap and presentations
    Topic posted November 5, 2018 by Barry Greenhut (Bronze Medal: 1,250+ Points), tagged Advanced Controls, Compliance, ERP, Financial Reporting Compliance, Financial Transactions, Financials, Fraud, Governance, GRC, Public Sector, Risk Management, Sarbanes Oxley, Security, Separation of Duties, SOX in Human Capital Management > Risk Management public

    What a great week! We shared:

    • Case studies from FEMSA (Coca-Cola MX), McDermott, Orange, Saks, Targa, and more ... along with Oracle's own Financial Governance and Source-to-Settle groups.
    • Live Q&A with users; industry experts Deloitte, KPMG, PwC and Doxey; Oracle’s product managers and consulting experts; and the GRC Special Interest Group.
    • 1-on-1 demonstrations
    • Accounting CPE Credits

    Presentations (so many, it takes three posts to share them all!):

    • First of three:
      • Use Data Science to Fight Fraud, Strengthen Security with ERP Advanced Controls
        Presenters: Didier Chabrerie, Reza B'Far, Sid Sinha
      • Audit 100 Percent of Expense/AP payments using Advanced Data analysis in ERP Cloud
        Presenters: Adil Khan, Alex Vaz, Stephen D'Arcy, Aman Desouza
      • Streamline SOX Compliance and Segregation of Duties Using Oracle ERP Cloud
        Presenters: Didier Chabrerie, John O'Connell, Rick Hargarten, Aman Desouza
      • Strengthen Security Using Advanced ERP and HCM Controls
        Presenters: Avinash BharathSingh, Dharma Shanmugam, Yong Sung (Patrick) Kwon, Aman Desouza
    • Second of three:
      • Protect Employee Private Data and Comply with GDPR Within Oracle HCM Cloud
        Presenters: Dane Roberts, Vikram Khare
      • Protect Personal Data and Comply with GDPR Using ERP Advanced Controls
        Presenters: Dane Roberts, Vikram Khare
      • Implement Segregation of Duties Automation Within Weeks Using Oracle ERP Cloud
        Presenters: Barry Greenhut, Muthuvel Arumugam, Sujay Bandyopadhyay
      • Implement SOX Certifications Within Weeks Using Oracle ERP Cloud
        Presenters: Barry Greenhut, Chris Doxey, Swarnali Bag
    • Third of three:
      • Design Secure and Compliant Roles for Oracle ERP and HCM Cloud
        Presenter: Lakshmi Rajamohan
      • Best Practices to Promote Employee Safety and OSHA Compliance Using Oracle HCM Cloud
        Presenters: Amy Aves, Glen Walton
      • GRC Special Interest Group
        Presenters: Chris Doxey, Donna Curtis, Lewis Hopkins