In the wake of guidance such as the U.S. Public Company Accounting Oversight Board's Audit Standard No. 5, the American Institute of Certified Public Accountants' (AICPA's) Statement on Auditing Standards No. 99, and the U.S. Securities and Exchange Commission's (SEC's) Guidance Regarding Management's Report on Internal Control Over Financial Reporting, the SEC and the AICPA increased their focus on segregation of duties (SOD). Unfortunately, few auditors, external auditors included, paused to contemplate the spirit of this guidance before plunging into remediation efforts and implementing new SOD policies. The results are overly complex systems of internal control that are difficult to maintain, increased audit fees, and reduced focus on higher risk audit areas. It may be time for organizations that still suffer from these symptoms to simplify their SOD approach.
The purpose of segregating responsibilities is to prevent occupational fraud in the form of asset misappropriation and intentional financial misstatement. SOD can be simplified by staying focused on this purpose and leveraging a practical risk assessment. This means abandoning the "scorched earth" approach (typically supported by automated scripts) often used by IT auditors in the past, and focusing on unmitigated, material fraud risks.
Segregation of Duties Defined
A fundamental element of internal control is the segregation of certain key duties. The basic idea underlying SOD is that no employee or group of employees should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. In general, the principal incompatible duties to be segregated are:
Custody of assets.
Authorization or approval of related transactions affecting those assets.
Recording or reporting of related transactions.
Traditional systems of internal control rely on assigning certain responsibilities to different individuals or segregating incompatible functions. The general premise of SOD is to prevent one person from having both access to assets and responsibility for maintaining the accountability of those assets.
Requirement for SOD Considerations
SOD Control Guidance
To familiarize yourself with the nature of segregation of duty (SOD) controls required, consider the following guidance:
- U.S. Securities and Exchange Commission’s (SEC’s) Guidance Regarding Management’s Report on Internal Control Over Financial Reporting.
- U.S. Public Company Accounting Oversight Board’s Audit Standard No. 5 (AS5).
- Association of Certified Fraud Examiners’ Uniform Fraud Classification System.
- American Institute of Certified Public Accountants’ (AICPA’s) Statement on Auditing Standards No. 99: Consideration of Fraud in a Financial Statement Audit (external audit only).
Ironically, no internal control audit standard or accounting pronouncement prescribes specific SOD requirements. However, maintaining a system of effective internal control does require appropriate separation of responsibilities. If internal control is to be effective, there needs to be an adequate division of responsibilities among those who perform accounting procedures or control activities and those who handle assets. In general, the flow of transaction processing and related activities should be designed so that the work of one individual is either independent of, or serves to check on, the work of another. Such arrangements reduce the risk of undetected error and limit opportunities to misappropriate assets or conceal intentional misstatements in the financial statements. SOD serves as a deterrent to fraud and concealment of error because of the need to recruit another individual's cooperation, via collusion, to conceal it.
Recognize That Each Organization Is Different
Pursuant to SEC guidance, management's evaluation of the risk of misstatement should include consideration of the vulnerability of the entity to fraudulent activity and whether any such exposure could result in a material misstatement of the financial statements. But keep in mind that the extent of activities required for the evaluation of fraud risks should be commensurate with the size and complexity of a company's operations and financial reporting environment. This same concept applies to internal and external auditors and the nature of their audit procedures over SOD controls. Both management's controls and audit procedures should be based on a practical assessment of fraud risk.
The Role of the IT Auditor
In many organizations, responsibility for testing SOD is relegated to the IT auditor — for better or worse. The reasoning behind this assignment correlates SOD controls to logical system access. While not incorrect, this knee-jerk response overlooks the importance of understanding business risks and existing controls already in place to address those risks. IT auditors traditionally assigned SOD testing (or control design) should rise above nuanced logical access settings and understand the business in a way that facilitates more practical control mechanisms and more efficient audit procedures.
Put Down Your Automated Scripts
SOD can be complicated, especially for businesses that operate on enterprise systems. Large numbers of employees and complex logical access settings can make SOD testing onerous. A number of service providers and external audit firms have attempted to address this issue by developing automated scripts that inspect system settings for typical SOD conflicts. While the scripts do expedite the process for extracting system data, the results are anything but conclusive — requiring extensive evaluation to disposition false-positives and low/no risk findings. Instead of starting with these automated tools, auditors should consider putting the scripts down (at least for now) and focusing on understanding the few critical risks that need to be controlled. Once these risks are understood, scripts can be used on a targeted basis to streamline SOD testing.
Designing the Fraud Risk Assessment
The goal of the fraud risk assessment process is to identify and define SOD fraud risks relevant to financial reporting and then assess only those risks that have the potential to result in material errors to the financial statements. The key steps to performing the SOD fraud risk assessment are:
Understand the fraud classification system and research fraud risks specific to your industry or organization. When developing the audit approach to SOD, review Uniform Occupational Fraud Classification System, published by the Association of Certified Fraud Examiners (ACFE), and other publications specific to your particular industry or organization (e.g., the AICPA's Audit Guide on Auditing Revenue in Certain Industries).
Brainstorm fraud risks that could potentially result in a material misstatement of the financial statements. Define the fraud risks applicable to the organization. Consider organizing key risks using the Uniform Occupational Fraud Classification System.
Map fraud risks to SOD conflicts for key business cycles. Build a library of SOD conflicts for each business process and significant class of transaction. Map fraud risks to each potential conflict.
Prioritize conflicts by considering variables that impact the likelihood and magnitude of potential fraud. Variables can include the nature of financial transactions, the nature of vulnerable assets, the organization's use of information systems, and the degree of compensating controls that could prevent or detect fraud. Compensating controls can be manual, system-based, or organizational in nature.
Identify key SOD fraud risks. The key to simplifying SOD is to reduce the scope of the auditor's assessment by focusing on the critical few risks. Make sure the key SOD fraud risks identified could potentially result in a material financial misstatement — and are not compensated by other control mechanisms.
Clearly document the rationale supporting the auditor's risk assessment. Memorialize the risk assessment with a memo to your file that articulates the risks considered and the critical risks identified. This documentation should clearly describe all the risks that were evaluated and provide sufficient rationale regarding the disposition of low likelihood fraud risks.
Again, the purpose of the SOD risk assessment is to skinny down the mass of potential SOD fraud risks to the critical few risks pertinent to your business and system of internal control. Upfront investment on this exercise is prudent and results in future audit periods efficiencies.