
Internal Auditor

April 2009

Simplifying Segregation of Duties

A targeted approach not only saves money, but also allows auditors to focus on more high-risk areas.

Nick Stone
Corporate Audit Manager
Cree Inc.

In the wake of guidance such as the U.S. Public Company Accounting Oversight Board’s Audit Standard No. 5, the American Institute of Certified Public Accountants’ (AICPA’s) Statement on Auditing Standards No. 99, and the U.S. Securities and Exchange Commission’s (SEC’s) Guidance Regarding Management’s Report on Internal Control Over Financial Reporting, the SEC and the AICPA increased their focus on segregation of duties (SOD). Unfortunately, few auditors, external auditors included, paused to contemplate the spirit of this guidance before plunging into remediation efforts and implementing new SOD policies. The results are overly complex systems of internal control that are difficult to maintain, increased audit fees, and reduced focus on higher risk audit areas. It may be time for organizations that still suffer from these symptoms to simplify their SOD approach.

The purpose of segregating responsibilities is to prevent occupational fraud in the form of asset misappropriation and intentional financial misstatement. SOD can be simplified by staying focused on this purpose and leveraging a practical risk assessment. This means abandoning the “scorched earth” approach (typically supported by automated scripts) often used by IT auditors in the past, and focusing on unmitigated, material fraud risks.

SEGREGATION OF DUTIES DEFINED

A fundamental element of internal control is the segregation of certain key duties. The basic idea underlying SOD is that no employee or group of employees should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. In general, the principal incompatible duties to be segregated are:

Custody of assets.
Authorization or approval of related transactions affecting those assets.
Recording or reporting of related transactions.

Traditional systems of internal control rely on assigning certain responsibilities to different individuals or segregating incompatible functions. The general premise of SOD is to prevent one person from having both access to assets and responsibility for maintaining the accountability of those assets.

SOD Control Guidance

To familiarize yourself with the nature of segregation of duty (SOD) controls required, consider the following guidance:

U.S. Securities and Exchange Commission’s (SEC’s) Guidance Regarding Management’s Report on Internal Control Over Financial Reporting.
U.S. Public Company Accounting Oversight Board’s Audit Standard No. 5 (AS5).
Association of Certified Fraud Examiners’ Uniform Fraud Classification System.
American Institute of Certified Public Accountants’ (AICPA’s) Statement on Auditing Standards No. 99: Consideration of Fraud in a Financial Statement Audit (external audit only).

REQUIREMENT FOR SOD CONSIDERATIONS

Ironically, no internal control audit standard or accounting pronouncement prescribes specific SOD requirements. However, maintaining a system of effective internal control does require appropriate separation of responsibilities. If internal control is to be effective, there needs to be an adequate division of responsibilities among those who perform accounting procedures or control activities and those who handle assets. In general, the flow of transaction processing and related activities should be designed so that the work of one individual is either independent of, or serves to check on, the work of another. Such arrangements reduce the risk of undetected error and limit opportunities to misappropriate assets or conceal intentional misstatements in the financial statements. SOD serves as a deterrent to fraud and concealment of error because of the need to recruit another individual's cooperation, via collusion, to conceal it.

RECOGNIZE THAT EACH ORGANIZATION IS DIFFERENT

Pursuant to SEC guidance, management’s evaluation of the risk of misstatement should include consideration of the vulnerability of the entity to fraudulent activity and whether any such exposure could result in a material misstatement of the financial statements. But keep in mind that the extent of activities required for the evaluation of fraud risks should be commensurate with the size and complexity of a company’s operations and financial reporting environment. This same concept applies to internal and external auditors and the nature of their audit procedures over SOD controls. Both management’s controls and audit procedures should be based on a practical assessment of fraud risk.

THE ROLE OF THE IT AUDITOR

In many organizations, responsibility for testing SOD is relegated to the IT auditor — for better or worse. The reasoning behind this assignment correlates SOD controls to logical system access. While not incorrect, this knee-jerk response overlooks the importance of understanding business risks and existing controls already in place to address those risks. IT auditors traditionally assigned SOD testing (or control design) should rise above nuanced logical access settings and understand the business in a way that facilitates more practical control mechanisms and more efficient audit procedures.

PUT DOWN YOUR AUTOMATED SCRIPTS

SOD can be complicated, especially for businesses that operate on enterprise systems. Large numbers of employees and complex logical access settings can make SOD testing onerous. A number of service providers and external audit firms have attempted to address this issue by developing automated scripts that inspect system settings for typical SOD conflicts. While the scripts do expedite the process for extracting system data, the results are anything but conclusive — requiring extensive evaluation to disposition false-positives and low/no risk findings. Instead of starting with these automated tools, auditors should consider putting the scripts down (at least for now) and focusing on understanding the few critical risks that need to be controlled. Once these risks are understood, scripts can be used on a targeted basis to streamline SOD testing.

DESIGNING THE FRAUD RISK ASSESSMENT

The goal of the fraud risk assessment process is to identify and define SOD fraud risks relevant to financial reporting and then assess only those risks that have the potential to result in material errors to the financial statements. The key steps to performing the SOD fraud risk assessment are:

1. Understand the fraud classification system and research fraud risks specific to your industry or organization. When developing the audit approach to SOD, review the Uniform Occupational Fraud Classification System, published by the Association of Certified Fraud Examiners (ACFE), and other publications specific to your particular industry or organization (e.g., the AICPA’s Audit Guide on Auditing Revenue in Certain Industries).

2. Brainstorm fraud risks that could potentially result in a material misstatement of the financial statements. Define the fraud risks applicable to the organization. Consider organizing key risks using the Uniform Occupational Fraud Classification System.

3. Map fraud risks to SOD conflicts for key business cycles. Build a library of SOD conflicts for each business process and significant class of transaction. Map fraud risks to each potential conflict.

4. Prioritize conflicts by considering variables that impact the likelihood and magnitude of potential fraud. Variables can include the nature of financial transactions, the nature of vulnerable assets, the organization’s use of information systems, and the degree of compensating controls that could prevent or detect fraud. Compensating controls can be manual, system-based, or organizational in nature.

5. Identify key SOD fraud risks. The key to simplifying SOD is to reduce the scope of the auditor’s assessment by focusing on the critical few risks. Make sure the key SOD fraud risks identified could potentially result in a material financial misstatement — and are not compensated by other control mechanisms.

6. Clearly document the rationale supporting the auditor’s risk assessment. Memorialize the risk assessment with a memo to your file that articulates the risks considered and the critical risks identified. This documentation should clearly describe all the risks that were evaluated and provide sufficient rationale regarding the disposition of low likelihood fraud risks.

Again, the purpose of the SOD risk assessment is to skinny down the mass of potential SOD fraud risks to the critical few risks pertinent to your business and system of internal control. Upfront investment in this exercise is prudent and results in efficiencies in future audit periods.
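The targeted script the article recommends once the risks are understood, as an added example that is not from the article or its author: it applies steps 3 through 6 to a user entitlement extract, keeping only conflicts that are material and have no documented compensating control, and logging the disposition of every conflict found for the step 6 memo. The conflict library, compensating control, duty names and user entitlements are all constructed sample data.

```python
from dataclasses import dataclass

# Step 3: a small SOD conflict library for the purchase-to-pay and cash cycles
# (constructed sample). Each entry pairs two incompatible duties and names the
# fraud risk the combination enables, following the ACFE classification branches.
@dataclass(frozen=True)
class SodConflict:
    duty_a: str
    duty_b: str
    fraud_risk: str   # e.g. "billing scheme: fictitious vendor"
    material: bool    # step 4: could this realistically misstate the financials?

CONFLICT_LIBRARY = [
    SodConflict("vendor_master_maintain", "ap_invoice_enter", "billing scheme: fictitious vendor", True),
    SodConflict("ap_invoice_enter", "payment_approve", "billing scheme: unauthorized payment", True),
    SodConflict("cash_receipts_handle", "ar_post", "skimming / lapping of receipts", True),
    SodConflict("petty_cash_custody", "petty_cash_record", "petty cash misappropriation", False),
]

# Step 4: compensating controls documented per conflict (constructed sample).
COMPENSATING = {
    ("ap_invoice_enter", "payment_approve"): "treasurer reviews every payment run before release",
}

# Constructed entitlement extract: user -> set of duties granted in the ERP.
USER_DUTIES = {
    "alice": {"vendor_master_maintain", "ap_invoice_enter"},
    "bob":   {"ap_invoice_enter", "payment_approve"},
    "carol": {"petty_cash_custody", "petty_cash_record"},
    "dave":  {"cash_receipts_handle", "ar_post", "payment_approve"},
}

def screen(user_duties):
    """Step 5: return the critical few (user, fraud_risk) findings, plus a full
    evaluation log for the step 6 memo (every conflict found and its disposition)."""
    findings, evaluated = [], []
    for user, duties in sorted(user_duties.items()):
        for c in CONFLICT_LIBRARY:
            if c.duty_a in duties and c.duty_b in duties:
                control = COMPENSATING.get((c.duty_a, c.duty_b))
                if control:
                    disposition = "mitigated: " + control
                elif not c.material:
                    disposition = "not material: excluded from scope"
                else:
                    disposition = "KEY RISK: test this conflict"
                    findings.append((user, c.fraud_risk))
                evaluated.append((user, c.fraud_risk, disposition))
    return findings, evaluated
```

Running screen(USER_DUTIES) on the sample data reports only alice and dave as key risks; bob's conflict is logged as mitigated and carol's as immaterial, so the memo shows why they were left out of scope.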

Internal Auditor
247 Maitland Ave, Altamonte Springs Florida, 32701
www.internalauditoronline.org