Client: Network communication and measurement technology company
Requirement: Risk Advisory
Lead Partner: Rob Kastenschmidt
Timely advice from a long-term partner
RSM has been providing staff augmentation to the client’s Internal Audit group for several years. Our role has been to perform the annual SOX ITGC control testing and provide general oversight to IT auditing areas of concern as requested by the VP of Internal Audit.
At 3 p.m. on the day our client was preparing to file the 2015-2016 10-K financial report, the external auditors informed them that the report would not be filed as expected because of a Segregation of Duty (SOD) control failure.
The external audit firm noted that, as a result of the failure, they would be required to expand the scope of their work to perform a full SOD assessment for all areas addressed by the financial controls at all significant locations. The additional cost to the client was estimated at $400,000.
Our client’s Internal Audit team had known about this SOD issue for several years and relied on other compensating controls to address the risk. In previous years this had been sufficient for the external auditors to gain comfort in this area. To address the SOD issue going forward, our client was in the middle of implementing an Oracle GRC tool to automatically detect and report on SOD violations as they were generated.
The client asked the RSM engagement manager to determine how to give the external auditors comfort over the SOD issue.
Speed was key, and so was quality of work
RSM developed a plan for the client that involved identifying potential areas of conflict using the Oracle GRC reports and mapping them to all the manual and automated controls tested by Internal Audit. The expectation was that this mapping could be used to narrow the areas the external audit firm would need to evaluate.
RSM presented the plan, and the client approved it for action. All Business Process Owners and Internal Audit team members were advised to treat our data collection process as their highest priority.
RSM performed the following:
- Using the Oracle GRC tool that was in the process of being implemented, RSM generated a preliminary SOD violation report for the “Standard” Oracle conflicts.
- Obtained a listing of all the financial controls agreed to by the external auditors.
- Developed a matrix style report to use for mapping the information.
- Assigned Internal Audit team members to financial business cycles and submitted requests to review the test procedures performed and capture each test attribute that addresses potential SOD violations.
- Reviewed all ITGC activities (logical access testing and change management testing) where SOD violations could be identified and mapped them to the appropriate business controls.
- Mapped the automated control activities identified within Oracle that were used to support SOD controls. The client used Oracle Workflow in several processes, which requires approvals to move automatically through a pre-defined approval process.
After the mapping activity was complete, RSM evaluated the results and identified a few gaps where risk remained. For these areas, we generated a form (waiver) for the business process owners to capture any additional items that would detect or prevent an SOD conflict.
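As an added illustration (not RSM's or the client's code, and not the logic of the Oracle GRC tool), the following Python sketches the mapping exercise described above: a constructed set of SOD conflict rules, users' function assignments and compensating controls, producing the list of violations with their mitigating controls and flagging any conflict with no mapped control as a gap that needs a waiver. All user names, functions, rules and control IDs are made up.

```python
# Added example, not from the engagement described on this page.
# Conflict rules, user assignments and control mappings below are constructed.
from collections import namedtuple

# Constructed SOD conflict rules: two functions one person must not hold together.
CONFLICT_RULES = [
    ("Create Vendor", "Approve Payment"),
    ("Enter Journal", "Post Journal"),
    ("Create PO", "Receive Goods"),
]

# Constructed user -> functions, as derived from role assignments.
USER_FUNCTIONS = {
    "alice": {"Create Vendor", "Approve Payment", "Enter Journal"},
    "bob": {"Enter Journal", "Post Journal"},
    "carol": {"Create PO", "Receive Goods"},
    "dave": {"Create PO"},
}

# Constructed mapping from a conflict to the tested controls that mitigate it.
CONTROL_MAP = {
    ("Create Vendor", "Approve Payment"): ["AP-03 vendor master change review"],
    ("Enter Journal", "Post Journal"): ["GL-07 manual journal approval workflow"],
}

Violation = namedtuple("Violation", "user conflict controls needs_waiver")


def find_violations(user_functions, rules):
    """Return (user, conflict) pairs where one user holds both conflicting functions."""
    found = []
    for user, funcs in sorted(user_functions.items()):
        for a, b in rules:
            if a in funcs and b in funcs:
                found.append((user, (a, b)))
    return found


def map_to_controls(violations, control_map):
    """Attach compensating controls; a conflict with none mapped is a gap needing a waiver."""
    return [Violation(user, conflict, control_map.get(conflict, []),
                      conflict not in control_map)
            for user, conflict in violations]


def gaps(report):
    """Violations that no tested control covers, i.e. candidates for the waiver form."""
    return [v for v in report if v.needs_waiver]


if __name__ == "__main__":
    for v in map_to_controls(find_violations(USER_FUNCTIONS, CONFLICT_RULES), CONTROL_MAP):
        status = "WAIVER NEEDED" if v.needs_waiver else ", ".join(v.controls)
        print(f"{v.user}: {v.conflict[0]} / {v.conflict[1]} -> {status}")
```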
Resolving the issue
RSM provided a final report to the VP of Internal Audit and presented the findings to the external auditors along with the data collected during the engagement.
After extensive review of the documentation and several meetings, the external audit firm concluded that the information gathered and supporting evidence files were sufficient to close the issue.