One of our clients in Ohio, has decided to comply with Sarbanes Oxley voluntarily. I am working with John, who is the SOX Project Manager representing the client. Having identified the critical processes within his organization, John is now identifying process owners. Initially, John was not very clear on the concept of a process owner and what a process owner is supposed to do. He had the misconception that anybody executing the process is the process owner. To set things right, I explained to John that a process owner is

"an individual or a group of individual who are responsible to take decisions regarding a process. Such decisions could be designing the process, monitoring the process etc."

In fact, one very simple way to identify process owners is ask the following questions.

1. Who decides how the process is going to work?
2. Who is responsible for designing the process?
3. Who would build the process from scratch?
4. Who would actually execute the process?
5. And finally, who will monitor the process?

Answering the above questions will definetly help in deciding who the process owner is. A process owner normally decides, designs and monitors the process. There may be case where one is not able to identify any single person as the process owner. This is completely fine, since there can be two or more than two process owners for a process. But remember, the saying goes "Too many process owners, spoil the process!". Once Process owners are identified, the SOX project manager should explain the process owners their roles and responsibilities. Process owners would ideally be responsible for creating process documentation, designing controls within the process, collecting evidence of controls in place and asssessing the control effectiveness of controls within the process.

Related Posts

Continuous Auditing of Controls
Ten Step Plan for Fraud Risk Management
Evaluating Control Exceptions for Sarbanes Oxley
Reporting Lines for the Chief Audit Executive