Whether an organization has decided to leverage technology to perform review and approval controls or it just makes sense because more employees are working remotely, control owners should take these considerations into account when switching to electronic media for review and approval controls.
Digital Signatures: Digital signatures allow two parties to validate the authenticity of electronically transmitted information and documents. When added to a document, a digital signature provides some assurance of the document sender’s identity. Whether the electronic evidence is an email, a record from digital signature software, or some other medium, the same requirements as those for a manual approval or review need to be met.
Precision: With any review, management needs support to show the review was performed with appropriate precision and to determine the completeness and accuracy of the data being reviewed. With a manual review, evidence of the precision (that each relevant transaction was reviewed) may be review marks, handwritten notes, or other symbols, initials, and signatures.
With electronic review and approvals, the evidence may be limited to a digital signature. One possibility for supporting the precision of the review would be to include with the approval/digital signature the reviewer’s statement of what was reviewed, how it was reviewed, procedures to validate the source, completeness, and accuracy of reports, and the reviewer’s conclusion. Another option would be to include a required comment box for the reviewer to describe what was performed, what actions were required, what transactions were investigated or validated, and how actions or adjustments were addressed. In general, support should include any and all follow-up communications, review notes, and assumptions used during review regardless of the medium in which the review was performed.
Authentication: Authentication is typically enforced through user access controls (i.e. passwords, user access reviews, privileged access restrictions, segregation of duties assessments). It is important that the individual who provided the electronic approval “is who they say they are.” It is imperative that the controls over authentication to the software used for digital signatures are appropriately configured and that access to an account is limited to only the individual for whom the account is intended. Additional automated control procedures may be required to support that no other user can use an alias to approve a transaction, perform a review as someone else, or set up an inappropriate delegate for approval tasks.
Audit Trail: With digital signatures, the order in which review steps were performed should be captured in a systematic audit trail. It should:
- Support that the review was performed after preparation
- Support the individual who performed the review (which may include the IP address or some other identifier)
- Provide evidence of timeliness
With all audit trails or logging activities, it is also important to evaluate that the log cannot be altered or modified in any manner. Further, as automation is used, additional checks may be required through the audit trail or through the configuration of workflows to validate that the reviewer is not also the preparer or, in the case of user access reviews, is not reviewing their own access.
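The digital signature and audit trail requirements above (signed evidence of who acted, review after preparation, a reviewer who is not the preparer, a required comment, and a log that cannot be altered undetected) can be checked mechanically. The following is an added illustration, not code from the original article or from Weaver: a hash-chained approval log in which each entry is signed by its author and a verifier walks the chain and reports control failures. It assumes constructed demo keys and integer timestamps, and uses HMAC-SHA256 as a stand-in for a per-user digital signature so that it runs offline with the standard library.

```python
import hashlib
import hmac
import json

# Constructed demo keys. In a real system each user holds their own
# signing key and the log lives in append-only storage; HMAC-SHA256 with
# a per-user secret stands in here for a digital signature.
KEYS = {
    "alice": b"alice-demo-key",
    "bob": b"bob-demo-key",
}
GENESIS = "0" * 64


def canonical(obj: dict) -> bytes:
    """Deterministic serialisation so signatures and hashes are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log, action, doc_id, doc_hash, user, ts, comment, source):
    """Append a signed 'prepare' or 'review' entry chained to the previous one."""
    body = {
        "seq": len(log),
        "action": action,          # "prepare" or "review"
        "doc_id": doc_id,
        "doc_hash": doc_hash,      # hash of the report version acted upon
        "user": user,              # who performed the step
        "ts": ts,                  # constructed epoch seconds
        "comment": comment,        # reviewer's description of what was done
        "source": source,          # e.g. IP address or session identifier
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    sig = hmac.new(KEYS[user], canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, sig=sig)
    entry["entry_hash"] = hashlib.sha256(canonical(entry)).hexdigest()
    log.append(entry)
    return entry


def verify_log(log):
    """Return a list of control findings; an empty list means the log passes."""
    findings = []
    prev = GENESIS
    prepared = {}  # doc_id -> (preparer, ts, doc_hash)
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("sig", "entry_hash")}
        # Tamper-evidence: per-entry signature, entry hash and chain linkage
        expected_sig = hmac.new(KEYS.get(entry["user"], b""), canonical(body),
                                hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, entry["sig"]):
            findings.append(f"entry {i}: bad signature for {entry['user']}")
        without_hash = {k: v for k, v in entry.items() if k != "entry_hash"}
        if hashlib.sha256(canonical(without_hash)).hexdigest() != entry["entry_hash"]:
            findings.append(f"entry {i}: entry hash mismatch")
        if entry["seq"] != i or entry["prev_hash"] != prev:
            findings.append(f"entry {i}: chain break")
        prev = entry["entry_hash"]
        # Workflow controls: order, segregation of duties, precision evidence
        if entry["action"] == "prepare":
            prepared[entry["doc_id"]] = (entry["user"], entry["ts"], entry["doc_hash"])
        elif entry["action"] == "review":
            prep = prepared.get(entry["doc_id"])
            if prep is None:
                findings.append(f"entry {i}: review before preparation")
                continue
            preparer, prep_ts, prep_hash = prep
            if entry["user"] == preparer:
                findings.append(f"entry {i}: reviewer is preparer")
            if entry["ts"] < prep_ts:
                findings.append(f"entry {i}: review timestamp precedes preparation")
            if entry["doc_hash"] != prep_hash:
                findings.append(f"entry {i}: reviewed version differs from prepared version")
            if not entry["comment"].strip():
                findings.append(f"entry {i}: missing review comment")
    return findings


def build_demo_log():
    """Constructed clean log: alice prepares a report, bob reviews it later."""
    log = []
    doc = hashlib.sha256(b"constructed Q1 reconciliation report").hexdigest()
    append_entry(log, "prepare", "RECON-Q1", doc, "alice", 1_700_000_000, "", "10.0.0.5")
    append_entry(log, "review", "RECON-Q1", doc, "bob", 1_700_003_600,
                 "Tied totals to GL, investigated 3 items over threshold.", "10.0.0.9")
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print("clean log findings:", verify_log(demo))
    demo[1]["comment"] = "edited after the fact"
    print("after edit:", verify_log(demo))
```

Changing any field of a signed entry after the fact breaks both that entry's signature and its hash, and inserting or deleting an entry breaks the chain for every later entry, so an altered log is detectable even by a reviewer who does not hold the signing keys for the hash check. The workflow checks encode the segregation-of-duties and timeliness points directly, so a self-review or a review recorded before preparation is flagged rather than relying on a human to notice it.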
Weaver can assist you in determining how to optimize your review controls in an evolving digital environment. Contact us with questions or concerns about how your organization can improve the reliability of review controls and bring value to the SOX process.