April 2009

Simplifying Segregation of Duties (continued)


Steps 1 and 2 relate to the identification of fraud risks that could potentially result in material misstatements. These risks should not be specific to SOD. Instead, the auditor’s fraud risk library should capture the pertinent risks that could result in financial misstatement caused by asset misappropriation and intentional financial misstatement. Risks should be high-level in nature. A list of risks for a manufacturing organization may include (risks will vary by industry and company):

Fraudulent Financial Reporting

  • Timing differences/fictitious revenues: Risk of asset and/or revenue overstatements in the form of timing differences and/or fictitious revenues.
  • Channel stuffing: Risk of artificially inflated sales and accounts receivable due to deliberately sending distributors more product than they are able to sell.   
  • Asset overstatement or liability understatement: Incorrect accounting treatment, specifically improper or unsupported journal entries, resulting from management override of internal controls and accounting procedures.

Misappropriation of Assets

  • Cash larceny: Risk of loss due to cash larceny assessed and considered specific to cash received through the mail (as opposed to wires or automated clearing house payments to a lockbox).
  • Cash skimming: Risk of loss due to cash skimming assessed and considered specific to accounts receivable write-off schemes or lapping schemes for cash received through the mail.
  • Billing schemes: Risk of loss due to submitting fraudulent invoices through shell companies, marking up invoices, or redirecting invoice payments through non-accomplice vendor schemes, or making personal purchases.
  • Check tampering schemes: Risk of loss due to fraudulent cash disbursements from check tampering schemes, including forged maker, forged endorsements, altered payee, authorized maker, and concealed checks.
  • Fraudulent payroll schemes: Risk of loss due to fraudulent cash disbursements from payroll schemes, including ghost employee and falsified wages. 
  • Stock-based compensation: Risk of loss due to inappropriate grants or execution of company stock-based awards, including backdating and unauthorized issuance.
  • Other financial statement risks: Other financial statement risks, including concealed liabilities and expenses, improper disclosures, improper asset valuations, and improper intangible asset valuation (non-patent and goodwill).
  • Expense reimbursement schemes: Risk of loss due to fraudulent cash disbursements from expense reimbursement schemes considered but determined to be out of scope since individual and aggregate occurrences would likely not be material.
  • Theft of inventory and other non-cash assets: Risk of loss due to theft of inventory and all other assets. 
  • Workers’ compensation schemes and employee medical insurance schemes: Risk of loss due to false claims.
  • Information theft: Inappropriate use of company information, including intellectual property, personnel data, and company financial information.

SOD controls do not meaningfully mitigate corruption risks related to conflicts of interest, bribery, illegal gratuities, or economic extortion. Corruption risks are often addressed by a company’s entity-level controls, including codes of conduct/ethics, whistleblower hotlines, and those charged with corporate governance such as the board of directors.


The next step in the risk assessment process is to map possible business process SOD conflicts to the pertinent fraud risks and subjectively prioritize the conflicts to determine the critical few risks that need to be specifically assessed. This exercise is the heart of the SOD risk assessment and is the most time-consuming. The “SOD Conflict to Risk Assessment Template” below may facilitate this process.

SOD Conflict to Risk Assessment Template (one row per potential conflict, with these columns):

  • Potential SOD conflict
  • Fraud Risk Ref.
  • SOD Risk Rating (H, M, L)
  • Other Compensating Control Activities


Using the results of the SOD risk assessment, cull the critical few SOD fraud risks that are not sufficiently mitigated by other control activities. Using the prioritization scale, these may be the higher-rated SOD conflicts. Document the critical SOD risks and the key control activities that are in place to address these risks. This list ultimately represents the organization’s simplified SOD control framework (see the “Key SOD Conflict Risk Template” below).

Key SOD Conflict Risk Template (one row per key SOD risk, with these columns):

  • Fraud Risk Ref.
  • Required Segregation
  • Related Control Activity
  • Information System

Audit documentation should stand on its own and reflect the rationale used to develop your conclusions. As such, memorializing your SOD risk assessment is an important last step in the risk assessment process. Format is less important than content — the documentation can be completed using whatever tool is available to your organization. The point is to record the rationale used to identify, prioritize, and disposition SOD fraud risks so that your team, your external auditor, or your regulator can clearly understand how key risks are identified and controlled.

This template in MS Word format may help auditors frame their risk assessment and document their supporting rationale.


SOD controls operate on a continuous basis and are often accomplished by the proper assignment of system responsibilities enabled by appropriate access rights and restrictions. Therefore, IT general controls (ITGCs) should be in place to support system access procedures. Applicable ITGCs should be evaluated for all financially significant information systems. Effective SOD is frequently undermined by weak ITGCs.
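To make the culling step and the system-access check concrete, here is an added Python example (not from the article or its templates) that models rows of the two templates above as data, keeps only the higher-rated conflicts the auditor has not judged sufficiently mitigated, and flags users whose access rights in a financial system span both sides of a required segregation. The conflict rows, fraud risk references, user IDs and access sets are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SodConflict:
    """One row of the SOD Conflict to Risk Assessment Template."""
    functions: tuple                  # the two functions that must be segregated
    fraud_risk_ref: str               # reference into the fraud risk library
    rating: str                       # SOD risk rating: H, M or L
    compensating_controls: tuple = () # other control activities in place
    sufficiently_mitigated: bool = False  # auditor's judgment on those controls


RATING_ORDER = {"L": 0, "M": 1, "H": 2}


def key_conflicts(assessment, min_rating="H"):
    """Cull the critical few: rated at least min_rating and not sufficiently mitigated."""
    return [c for c in assessment
            if RATING_ORDER[c.rating] >= RATING_ORDER[min_rating]
            and not c.sufficiently_mitigated]


def sod_violations(conflicts, access):
    """Check access rights (user -> set of functions) against each required segregation."""
    found = []
    for user, funcs in sorted(access.items()):
        for c in conflicts:
            if set(c.functions) <= funcs:  # user holds both sides of the conflict
                found.append((user, c.fraud_risk_ref))
    return found


# Constructed sample assessment rows (illustrative, not from the article).
ASSESSMENT = [
    SodConflict(("Vendor master maintenance", "Invoice approval"), "Billing schemes", "H"),
    SodConflict(("Payroll master changes", "Payroll processing"), "Fraudulent payroll schemes",
                "H", ("Monthly payroll register review by HR",), True),
    SodConflict(("Journal entry creation", "Journal entry posting"),
                "Asset overstatement or liability understatement", "H"),
    SodConflict(("Expense report submission", "Expense report approval"),
                "Expense reimbursement schemes", "L"),
]

# Constructed access rights as extracted from a financial system (illustrative).
ACCESS = {
    "alice": {"Vendor master maintenance", "Invoice approval"},
    "bob": {"Payroll master changes", "Payroll processing"},
    "carol": {"Journal entry creation", "Journal entry posting", "Expense report submission"},
    "dave": {"Invoice approval", "Expense report approval"},
}
```

Running `sod_violations(key_conflicts(ASSESSMENT), ACCESS)` flags alice and carol; bob is not flagged because the payroll conflict was judged sufficiently mitigated and therefore does not belong to the key SOD control framework.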


Implementing the SOD risk assessment process may be time-consuming up front, but the investment pays off year-over-year in the form of reduced audit costs (internal and external) and an increased ability to focus more time on higher-risk audit areas. For IT auditors in a traditional IT-focused position, this approach will also expand their understanding of the broader risks and controls in their organization. The key to a successful implementation of the SOD risk assessment is limiting the auditor’s focus to SOD risks that could potentially result in a material financial misstatement and are not mitigated by other control activities. So, put aside the “scorched earth” SOD assessment approach and consider adopting a targeted, risk-based approach.

Nick Stone, CISA, is the corporate audit manager for Cree Inc., based in Durham, N.C.

To comment on this article, e-mail the author at nick.stone@theiia.org.

The article is clear as it addresses three prudential and fundamental concepts of separation of duties, which are authorization, recording, and custody. However, a simplified SOD matrix should be designed so that junior auditors are guided in evaluating SOD.
Posted By: kudakwashe
2013-09-09 5:29 AM
This may be of some help.
Posted By: Linda Cheng
2012-10-10 12:40 PM
Hi, I am beginning to work with SOX at this moment. I would like to know if you have this information in Spanish; I am from Venezuela. Thanks for your help.
Posted By: davia
2012-10-02 2:35 PM