This page provides information about WorkBook’s compliance with Sarbanes–Oxley Act also known as SOX, in accordance to section 404.
In the following we will describe how WorkBook complies with SOX rules and how you find the settings related to completing a SOX audit.
A SOX audit will concentrate on the following topics:
- Transaction documentation
- Documentation on process and workflow
- Reporting to process owners and management
- Access control, segregation of duties, and altering of data
The list below provides options on how WorkBook can be set up in a company. Since there can be differences on how large companies are adopting SOX rules compared to small companies, some options can vary from company to company. It’s possible to lock the setup, so subsidiaries to a group will run with exactly the same setup making the SOX audits much easier.
|Role-based access control||You can control and assign access rights through the Access Rights for Roles module located in the settings menu. Access rights are set on modules, functions/tabs within a module as well as specific reports that can be opened. Roles can be assigned to a specific user as well as user groups.
Only an Admin can create a user.
|Password policies||WorkBook has numerous settings for ensuring password policies.|
|User logon||WorkBook logs each logon attempt and blocks users from trying to login after 3 unsuccessful attempts. The IT Manager role can reset the password.
If a user has not made a login for more than 90 days, the system will close down the user account.
|Employee change log||Change log on employee data changes, creation of new users, deactivating users, role and privileges changes.|
|Client access||Each client can be setup with individual access rights. You can disallow access to each client.|
|User access report||A report that will show access rights for users.|
Debtors (Accounts Receivable)
|User access controls||You can limit who should be able to enter Debtors (Accounts Receivable), as well as being able to limit who can create a new debtor. An option on approving new debtors before they can be used is also possible.|
|Debtor change log||Report on debtor changes|
|Invoice approvals||An invoice has to go through approval workflows|
|Invoice numbers||Invoice numbers are numbered from an un-interruptible sequence (with an option to setup Pre- and Suffix’s).|
|Credit notes||A credit note has to go through approval workflows|
|Credit check on debtors||When creating a new job, the system checks for:
All the above listed settings check towards an amount that can be set for each debtor.
|Approvals||When approving price quotes, an approval workflow can be setup.|
|Price quote approvals – email integration||When a client approves a budget by email, the user can save that email in the job folder. The email is visible on the job.|
Creditors (Accounts Payable)
|Bank payments||Bank payment files are encrypted and cannot be altered|
|Cheque payments||Cheques are numbered from an un-interruptible sequence.
A payment by cheque requires a creditor invoice entry.
Blank cheques cannot be issued.
You cannot re-print a cheque without voiding it first.
|Creditor change log||Report on creditor change log that will show all changes made within a specific period of time. The report includes information about previous data and current data (what was changed).|
|Purchase orders||PO’s cannot be approved unless there is a purchase line in the price quote.
PO’s cannot be approved unless there is an approved price quote.
PO’s cannot be deleted.
A report and online view is available that will show all PO’s (liabilities).
An approved PO cannot be changed without dropping all approvals.The following roles exist in relation to approving the PO:
When filing creditor invoices the PO can be matched.
|Job closing||You cannot close a job if there are any non-approved vouchers.|
|Invoicing jobs||A warning message appears if any purchases have been added after the
You cannot approve a Final invoice if a job contains open purchase orders.
|User access controls||You can limit who should be able to enter the Creditors (Accounts payable)
and Creditor invoice entry, as well as being able to limit who can create a
An option on approving new creditors before they can be used is also
|Creditor numbers||Creditor numbers are numbered from an un-interruptible sequence.|
|Sequences||All ledgers are numbered from an un-interruptible sequence.
All postings are numbered from an un-interruptible sequence.
|Approvals||When approving creditor invoices, the system has 16 built-in roles that can be added to the standard approval workflow. This is the list of roles that can be set:
Besides the role approval workflow, it is also possible to add rules by:
It is not possible to enter creditor invoices if the creditor has been blocked for payments (or blocked as a whole).
|Approvals||It’s possible to add a workflow on approving general journals as well as project postings going to the general ledger.|
|Accounting periods||Each accounting period can be locked individually. The lock can be assigned not only as a whole but within the following areas:
Finance controls in general
|Taxes||Updates to taxes are run on effective dates and history tracked.
Both VAT, Country, Local, City taxes are supported.
|Logging changes||Every time a user changes a time sheet record, the system will log the changes that are made. An approved time sheet record cannot be altered without it being unapproved and pushed through the approval flow again. Only the entry user can approve/un-approve their own time sheet.|
|Time sheet approvals||When a user approves their time sheet, the time sheet will be locked for further editing.
A time sheet can be locked on a record by record/day by day/ week by week basis.
The time sheet approvers can be set by role or by named user.
Time sheets can be rejected. The user will be notified through the system when this happens.
|Absence entry||Only employee manager can add, edit and delete an approved absence entry.|
|Report access||It is possible to set who can access what reports in the system – for example you could have an administrative level, finance level an account manager level and a project manager level.
Only approved reports will show for the individual levels.
Other system variables
|System variables||Other values that options can be set:
Code and business logic
|Code and business logic||No user can access the systems original algorithms, formulas, calculations and formula.
Only WorkBook Software has the ability to change the source code.
Users can only make changes from the front-end system. Each individual field, menu and so on in the system is input validated so only intended data is input.
All code and business logic on servers where the user has no access.
These Stored Procedures are encrypted and can only be opened by and in the office for WorkBook Software A/S.
|Error collection||WorkBook is automatically logging front-end errors to a log table. The user is given the option to send the error message to a centralized support function.|
|Update types||There are two types of updates: version update and patch update.
– Patches impose minimal inconvenience on the user, requiring only a short downtime.
– Version updates are arranged in forehand with the client and requires around 1 hour of downtime. A test database will be updated prior to production system update.
|Release notes||Whenever a new update becomes available, the client is notified. The client can read the release notes that come with the update and then choose to update a test database before updating the production version. Release notes are published on our corporate help site in English.|
|Old versions||You cannot use an old version of WorkBook to open the system. The system will check every time a user starts the system to see if it’s the right version. If not, it will download the right version (matching the database) from the web server.|