April 2009
Simplifying Segregation of Duties (continued)
IDENTIFYING SOD FRAUD RISKS
Steps 1 and 2 relate to the identification of fraud risks that could potentially result in material misstatements. These risks should not be specific to SOD. Instead, the auditor’s fraud risk library should capture the pertinent risks that could result in financial misstatement caused by asset misappropriation and intentional financial misstatement. Risks should be high-level in nature. A list of risks for a manufacturing organization may include (risks will vary by industry and company):
Fraudulent Financial Reporting
Misappropriation of Assets
Corruption
SOD controls do not meaningfully mitigate corruption risks related to conflicts of interest, bribery, illegal gratuities, or economic extortion. Corruption risks are often addressed by a company’s entity-level controls, including codes of conduct/ethics, whistleblower hotlines, and those charged with corporate governance such as the board of directors.
MAP BUSINESS PROCESS SOD CONFLICTS TO FRAUD RISKS
The next step in the risk assessment process is to map possible business process SOD conflicts to the pertinent fraud risks and subjectively prioritize the conflicts to determine the critical few risks that need to be specifically assessed. This exercise is the heart of the SOD risk assessment and is the most time consuming. The “SOD Conflict to Risk Assessment Template” below may facilitate this process.
| Process | Sub-process | Potential SOD conflict | Fraud Risk Ref. | SOD Risk Rating (H, M, L) | Other Compensating Control Activities |
|---|---|---|---|---|---|
| | | | | | |
| | | | | | |
| | | | | | |
IDENTIFY KEY SOD FRAUD RISKS
Using the results of the SOD risk assessment, cull the critical few SOD fraud risks that are not sufficiently mitigated by other control activities. Using the prioritization scale, these may be the higher-rated SOD conflicts. Document the critical SOD risks and the key control activities that are in place to address these risks. This list ultimately represents the organization’s simplified SOD control framework (see the “Key SOD Conflict Risk Template” below).
| Ref. | Fraud Risk Ref. | Required Segregation | Related Control Activity | Information System |
|---|---|---|---|---|
| 1 | | | | |
| 2 | | | | |
| 3 | | | | |
Audit documentation should stand on its own and reflect the rationale used to develop your conclusions. As such, memorializing your SOD risk assessment is an important last step in the risk assessment process. Format is less important than content — the documentation can be completed using whatever tool is available to your organization. The point is to record the rationale used to identify, prioritize, and disposition SOD fraud risks so that your team, your external auditor, or your regulator can clearly understand how key risks are identified and controlled.
This template in MS Word format may help auditors frame their risk assessment and document their supporting rationale.
IMPORTANCE OF IT GENERAL CONTROLS
SOD controls operate on a continuous basis and are usually enforced by the assignment of system responsibilities through appropriate access rights and restrictions. Therefore, IT general controls (ITGCs) over system access (user provisioning and de-provisioning, periodic access recertification, and control over privileged and emergency access) should be in place to support those assignments, and the applicable ITGCs should be evaluated for every financially significant information system. Effective SOD is frequently undermined by weak ITGCs: a well-designed segregation on paper means little if access can be granted, changed, or left in place without review.
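The key SOD conflict framework above is, in practice, a set of rules that can be run against user entitlement data. The following is an added example, not code from the article or its author: it encodes a few rows of the framework ("Required Segregation", "Information System", risk rating, compensating control) as rules and checks a constructed entitlement extract against them across systems, which is the check the ITGCs over access must make possible. The rule refs, fraud-risk refs, activity names, system names and user entries are all constructed assumptions for illustration.

```python
"""Check user entitlements against a simplified SOD control framework.

Added example, not code from the article. The rules and the entitlement
extract are constructed for illustration; the activity names, system
names, rule refs and fraud-risk refs are assumptions, not from the page.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    """One row of the key SOD conflict framework."""
    ref: str                        # e.g. SOD-1 (hypothetical)
    fraud_risk_ref: str             # points at the fraud risk library
    activities: tuple[str, ...]     # functions no single person may hold together
    rating: str                     # H, M or L from the risk assessment
    compensating_control: str = ""  # other control activity that mitigates, if any


# Constructed framework: three rules with hypothetical refs and activity names.
RULES = [
    SodRule("SOD-1", "FR-2", ("vendor_master_maintenance", "invoice_entry"), "H"),
    SodRule("SOD-2", "FR-2", ("invoice_entry", "payment_release"), "H"),
    SodRule("SOD-3", "FR-1", ("journal_entry_post", "journal_entry_approve"), "M",
            compensating_control="Controller reviews all manual journal entries monthly"),
]

# Constructed entitlement extract: (user, information system, business activity).
# jdoe's conflict spans two systems, so a review done one system at a time misses it.
SAMPLE_ENTITLEMENTS = [
    ("jdoe", "ERP", "vendor_master_maintenance"),
    ("jdoe", "AP_PORTAL", "invoice_entry"),
    ("bwong", "ERP", "journal_entry_post"),
    ("bwong", "ERP", "journal_entry_approve"),
    ("cperez", "ERP", "invoice_entry"),
    ("dlee", "TREASURY", "payment_release"),
]

_RATING_ORDER = {"H": 0, "M": 1, "L": 2}


def sod_violations(entitlements, rules):
    """Return one finding per (user, rule) where the user holds every activity
    named in the rule, regardless of which system grants each activity.
    Findings are sorted highest risk rating first."""
    # user -> activity -> set of systems granting that activity
    held = defaultdict(lambda: defaultdict(set))
    for user, system, activity in entitlements:
        held[user][activity].add(system)

    findings = []
    for user, activities in held.items():
        for rule in rules:
            if all(a in activities for a in rule.activities):
                findings.append({
                    "user": user,
                    "rule": rule.ref,
                    "fraud_risk_ref": rule.fraud_risk_ref,
                    "rating": rule.rating,
                    # which system(s) grant each conflicting activity
                    "systems": {a: sorted(activities[a]) for a in rule.activities},
                    "compensating_control": rule.compensating_control,
                })
    findings.sort(key=lambda f: (_RATING_ORDER[f["rating"]], f["rule"], f["user"]))
    return findings


def unmitigated(findings):
    """The critical few: conflicts with no compensating control activity."""
    return [f for f in findings if not f["compensating_control"]]


if __name__ == "__main__":
    for f in sod_violations(SAMPLE_ENTITLEMENTS, RULES):
        status = ("mitigated by: " + f["compensating_control"]
                  if f["compensating_control"] else "UNMITIGATED")
        print(f'{f["rating"]} {f["rule"]} ({f["fraud_risk_ref"]}) '
              f'{f["user"]} {f["systems"]} -> {status}')
```

Two design points matter here. First, entitlements are keyed by user across systems before the rules are applied, so a conflict split between the ERP and a separate AP portal is still caught; that is exactly why the framework template records the information system per row and why ITGCs over all financially significant systems, not just the ERP, are in scope. Second, a finding with a compensating control is reported but not treated as one of the critical few, which mirrors the prioritization step rather than the "scorched earth" approach.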
REAPING THE BENEFITS
Implementing the SOD risk assessment process may be time consuming upfront, but the investment pays off year-over-year in the form of reduced audit costs (internal and external) and an increased ability to focus more time on higher risk audit areas. For IT auditors in a traditional IT-focused position, this approach will also expand their understanding of the broader risks and controls in their organization. The key to a successful implementation of the SOD risk assessment is limiting the auditor’s focus to SOD risks that could potentially result in a material financial misstatement and are not mitigated by other control activities. So, put aside the “scorched earth” SOD assessment approach and consider adopting a targeted, risk-based approach.
Nick Stone, CISA, is the corporate audit manager for Cree Inc., based in Durham, N.C.
To comment on this article, e-mail the author at nick.stone@theiia.org.