Company, Inc.

Audit of Internal Controls

FY20XX

Segregation of Duties Audit Plan

Table of Contents

Table of Contents 1

Definition of Segregation of Duties 2

Requirement for Segregation of Duty Considerations 2

Business and Systems Overview 2

Risk Assessment 3

Scope of Assessment 3

Test Plan 3

Appendix A – SOD Risk Analysis 3

Definition of Segregation of Duties

A fundamental element of internal control is the segregation of certain key duties. The basic idea underlying segregation of duties (SOD) is that no employee or group of employees should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. In general, the principal incompatible duties to be segregated are:

▪ Custody of assets, ▪ Authorization or approval of related transactions affecting those assets, and ▪ Recording or reporting of related transactions.
Traditional systems of internal control have relied on assigning certain responsibilities to different individuals, or segregating incompatible functions. Such segregation of duties is intended to prevent one person from having both access to assets and responsibility for maintaining the accountability of such assets.

Requirement for Segregation of Duty Considerations

The purpose of segregating responsibilities is to prevent occupational fraud in the form of asset misappropriation and intentional financial misstatement. If internal control is to be effective, there needs to be an adequate division of responsibilities among those who perform accounting procedures or control activities and those who handle assets. In general, the flow of transaction processing and related activities should be designed so that the work of one individual is either independent of, or serves as a check on, the work of another. Such arrangements reduce the risk of undetected error and limit opportunities to misappropriate assets or conceal intentional misstatements in the financial statements. Segregation of duties serves as a deterrent to fraud and concealment of error because of the need to recruit another individual's co-operation, via collusion, to conceal it.

While no internal control audit standard or accounting pronouncement prescribes specific segregation of duty requirements, maintaining a system of effective internal control does require appropriate separation of responsibilities. To determine the nature of segregation of duty controls required, we considered the following guidance:

▪ SEC Guidance Regarding Management’s Report on Internal Control Over Financial Reporting ▪ PCAOB Audit Standard 5 (AS5) ▪ ACFE Uniform Fraud Classification System
Pursuant to SEC guidance, management’s evaluation of the risk of misstatement should include consideration of the vulnerability of the entity to fraudulent activity, and whether any such exposure could result in a material misstatement of the financial statements. However, the extent of activities required for the evaluation of fraud risks should be commensurate with the size and complexity of a company’s operations and financial reporting environment.

The Corporate Audit Department considered the adequacy of segregation of duties in determining if the Company’s control activities are effective in achieving the objectives of internal control and based the nature of related audit procedures on an assessment of fraud risk.

Business and Systems Overview

[Over view of business and information systems]

Significant processes containing key duties affecting either custody of assets, authorization or approval of related transactions affecting those assets, and recording/reporting of related transactions are noted in the table below.

|Company |Significant process |Related Financial System |
| |