Sarbanes–Oxley Act / SOX

Sarbanes–Oxley Act

This page provides information about WorkBook’s compliance with the Sarbanes–Oxley Act, also known as SOX, in accordance with section 404.
The following describes how WorkBook complies with SOX rules and where to find the settings related to completing a SOX audit.

A SOX audit will concentrate on the following topics:

  • Transaction documentation
  • Documentation on process and workflow
  • Reporting to process owners and management
  • Access control, segregation of duties, and altering of data

The list below provides options for how WorkBook can be set up in a company. Since large companies may adopt SOX rules differently from small companies, some options can vary from company to company. It’s possible to lock the setup so that all subsidiaries of a group run with exactly the same setup, which makes SOX audits much easier.

User access

Role-based access control: You can control and assign access rights through the Access Rights for Roles module located in the settings menu. Access rights are set on modules, on functions/tabs within a module, and on specific reports that can be opened. Roles can be assigned to a specific user as well as to user groups.

Only an Admin can create a user.

Password policies: WorkBook has numerous settings for enforcing password policies.
User logon: WorkBook logs each logon attempt and blocks users from trying to log in after 3 unsuccessful attempts. The IT Manager role can reset the password.
If a user has not logged in for more than 90 days, the system will close down the user account.
Employee change log: A change log covering employee data changes, creation of new users, deactivation of users, and role and privilege changes.
Client access: Each client can be set up with individual access rights. You can disallow access to each client.
User access report: A report that shows access rights for users.

Debtors (Accounts Receivable)

User access controls: You can limit who is able to enter Debtors (Accounts Receivable), as well as who can create a new debtor. It is also possible to require approval of new debtors before they can be used.
Debtor change log: A report on debtor changes.
Invoice approvals: An invoice has to go through approval workflows.
Invoice numbers: Invoice numbers are drawn from an uninterruptible sequence (with an option to set up prefixes and suffixes).
Credit notes: A credit note has to go through approval workflows.
Credit check on debtors: When creating a new job, the system checks for:

  • total amount of overdue invoices
  • total amount of non-paid invoices
  • total amount of non-paid invoices + WIP cost price amount
  • total amount of non-paid invoices + WIP sales price amount

All of the checks listed above are made against an amount that can be set for each debtor.

Price quote

Approvals: When approving price quotes, an approval workflow can be set up.
Price quote approvals (email integration): When a client approves a budget by email, the user can save that email in the job folder. The email is visible on the job.

Creditors (Accounts Payable)

Bank payments: Bank payment files are encrypted and cannot be altered.
Cheque payments: Cheques are numbered from an uninterruptible sequence.
A payment by cheque requires a creditor invoice entry.
Blank cheques cannot be issued.
You cannot re-print a cheque without voiding it first.
Creditor change log: A report on the creditor change log that shows all changes made within a specific period of time. The report includes information about previous data and current data (what was changed).
Purchase orders: POs cannot be approved unless there is a purchase line in the price quote.
POs cannot be approved unless there is an approved price quote.
POs cannot be deleted.
A report and an online view are available that show all POs (liabilities).
An approved PO cannot be changed without dropping all approvals. The following roles exist in relation to approving the PO:

  • Purchase order responsible
  • Project Manager on job
  • Account Manager on job
  • Sales responsible
  • Production Manager
  • Account Manager on customer
  • Amount approver (in general)
  • Manually added approvers

When filing creditor invoices the PO can be matched.
When paying creditor invoices the system logs the process.
Purchase orders are numbered from an un-interruptible sequence.

Job closing: You cannot close a job if there are any non-approved vouchers.
Invoicing jobs: A warning message appears if any purchases have been added after the invoice date.
You cannot approve a Final invoice if a job contains open purchase orders.
User access controls: You can limit who is able to enter Creditors (Accounts Payable) and Creditor invoice entry, as well as who can create a new creditor.
It is also possible to require approval of new creditors before they can be used.
Creditor numbers: Creditor numbers are numbered from an uninterruptible sequence.
Sequences: All ledgers are numbered from an uninterruptible sequence.
All postings are numbered from an uninterruptible sequence.
Approvals: When approving creditor invoices, the system has 16 built-in roles that can be added to the standard approval workflow. This is the list of roles that can be set:

  • Purchase order responsible
  • Project Manager on job
  • Account Manager on job
  • Sales responsible
  • Production Manager
  • Account Manager on customer
  • Amount approver (in general)
  • Creditor invoice – Credit note (header): select employee
  • Creditor invoice – Credit note (line): select employee
  • Expense entry (select employee)
  • Mileage entry (select employee)
  • Internal jobs (operation costs) – (select employee)
  • Non-billable customer jobs (select employee)
  • All vouchers
  • All job vouchers (select employee)
  • All operation costs vouchers (select employee)

Besides the role approval workflow, it is also possible to add rules by:

  • Creditor (add a specific employee if any invoices are entered from a specific creditor)
  • Authority amount (an amount limit is set on each employee, so additional employee(s) will be added if the creditor invoice exceeds that amount)

It is not possible to enter creditor invoices if the creditor has been blocked for payments (or blocked as a whole).

General ledger

Approvals: It’s possible to add a workflow for approving general journals as well as project postings going to the general ledger.
Accounting periods: Each accounting period can be locked individually. The lock can be assigned not only as a whole but within the following areas:
[Image: accounting periods]

Finance controls in general

Taxes: Updates to taxes are run on effective dates and their history is tracked.
VAT, country, local and city taxes are all supported.

Time sheets

Logging changes: Every time a user changes a time sheet record, the system logs the changes that are made. An approved time sheet record cannot be altered without being unapproved and pushed through the approval flow again. Only the entry user can approve/un-approve their own time sheet.
Time sheet approvals: When a user approves their time sheet, the time sheet is locked for further editing.
A time sheet can be locked on a record-by-record, day-by-day or week-by-week basis.
The time sheet approvers can be set by role or by named user.
Time sheets can be rejected. The user will be notified through the system when this happens.
Absence entry: Only the employee manager can add, edit and delete an approved absence entry.

Reports

Report access: It is possible to set who can access which reports in the system. For example, you could have an administrative level, a finance level, an account manager level and a project manager level.
Only approved reports will show for the individual levels.

Other system variables

System variables: Other values for which options can be set:

  • Allow/disallow to move jobs between clients
  • Allow/disallow to change default price list on job
  • Allow/disallow to reopen jobs
  • Allow/disallow to change if job is billable
  • Allow/disallow non-billable jobs on billable clients
  • Allow/disallow user to approve and finalize invoices on jobs after job close date
  • Allow/disallow to move material entries on jobs
  • Allow/disallow to move hours between jobs

Code and business logic

Code and business logic: No user can access the system’s original algorithms, formulas and calculations.
Only WorkBook Software has the ability to change the source code.
Users can only make changes from the front-end system. Each individual field, menu and so on in the system is input validated so that only intended data is input.
All code and business logic resides on servers to which the user has no access.
The stored procedures are encrypted and can only be opened by WorkBook Software A/S, in its office.

Errors

Error collection: WorkBook automatically logs front-end errors to a log table. The user is given the option to send the error message to a centralized support function.

Updates

Update types: There are two types of updates: version updates and patch updates.
– Patches impose minimal inconvenience on the user, requiring only a short downtime.
– Version updates are arranged in advance with the client and require around 1 hour of downtime. A test database will be updated prior to the production system update.
Release notes: Whenever a new update becomes available, the client is notified. The client can read the release notes that come with the update and then choose to update a test database before updating the production version. Release notes are published on our corporate help site in English.
Old versions: You cannot use an old version of WorkBook to open the system. Every time a user starts the system, it checks whether it is the right version. If not, it downloads the right version (matching the database) from the web server.

 
