As public servants, it is our responsibility to use taxpayers’ dollars in the most effective and efficient way possible while adhering to laws and regulations governing those processes. There are many reasons to place controls in various points in these processes that may appear bureaucratic, but are necessary to ensure objectives are met and there is accountability to the citizens. This article does not address all possible circumstances that need to be considered when establishing internal controls or assessing risk. Each entity is responsible for reviewing its business practices and processes to determine where risks exist and where and how controls can be established to mitigate them.
Examples of the results of appropriate controls are as follows:
- Segregation of duties is maintained to the extent staffing constraints allow between the functions for information systems. Specifically, the use, data entry, computer operation, network management, system administration, systems development and maintenance, change management, security administration, and security audit are all properly segregated.
- Unauthorized personnel are prevented from accessing computer resources.
- Authentication and access mechanisms are in place (e.g. regular password changes).
- Operational security is periodically reviewed.
- Internal controls are established and periodically reviewed.
- Data is accurate, complete, and valid.
- Output is routinely reconciled to relevant internal system control totals.
- Audit trails are provided to facilitate the tracing of transaction processing.
- The logical and physical security of the organization’s information assets is protected.
Technology Control Objectives:
- Proper design and use of information system documents and records is maintained.
- Access to and use of the information system, assets and records are reasonable and restricted to authorized individuals.
- Segregation of duties exists in functions related to the information systems.
- Transactions and activities related to the information systems are properly authorized.
- Performance of information system functions is independently verified.
Segregation of Duties:
Segregation of duties is one of the most important features of an internal control plan. The fundamental premise of segregated duties is that an individual or small group of individuals should not be in a position to initiate, approve, undertake, and review the same action. These are called incompatible duties when performed by the same individual.
Examples of incompatible duties include situations where the same individual (or small group of people) is responsible for:
- Managing both the operation of and record keeping for the same activity.
- Managing custodial activities and record keeping for the same assets.
- Authorizing transactions and managing the custody or disposal of the related assets or records.
Stated differently, there are four kinds of functional responsibilities that should be performed by different work units or, at a minimum, by different persons within the same unit:
- Custody of assets involved: This duty refers to the actual physical possession or effective physical control over/safekeeping of property.
- Recording transactions: This duty refers to the accounting or record keeping function, which in most organizations, is accomplished by entering data into a computer system.
- Authorization to execute transactions: This duty belongs to persons with authority and responsibility to initiate and execute transactions.
- Periodic reviews and reconciliation of existing assets to recorded amounts: This duty refers to making comparisons at regular intervals and taking action to resolve differences.
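The four functional responsibilities above are something an entity can check mechanically against its role assignments and its transaction records. The following Python is an added example, not part of the original article: it models a hypothetical role catalogue and constructed sample data (the role names, users and purchase-order records are all invented for illustration) and flags, first, any person whose roles combine incompatible duties by design and, second, any individual transaction in which the same person appears under more than one duty.

```python
"""Segregation-of-duties checks over role assignments and transaction records.

Added example; the role catalogue, users and transactions below are constructed
for illustration and do not come from the article or any real system.
"""
from collections import defaultdict
from itertools import combinations

# The four functional responsibilities named in the article.
DUTIES = ("custody", "recording", "authorization", "review")

# Hypothetical role catalogue: the duties each role confers (constructed).
ROLE_DUTIES = {
    "warehouse_clerk": {"custody"},
    "ap_clerk": {"recording"},
    "purchasing_manager": {"authorization"},
    "internal_auditor": {"review"},
    "erp_superuser": {"custody", "recording", "authorization"},  # over-broad role
}

# Constructed user-to-role assignments, as an IAM export might provide them.
SAMPLE_ASSIGNMENTS = {
    "alice": ["warehouse_clerk"],
    "bob": ["ap_clerk"],
    "carol": ["purchasing_manager"],
    "dave": ["internal_auditor"],
    "erin": ["erp_superuser"],
    "frank": ["ap_clerk", "purchasing_manager"],
}

# Constructed transaction records: who performed each duty for one purchase order.
SAMPLE_TRANSACTIONS = [
    {"id": "PO-1001", "authorization": "carol", "custody": "alice",
     "recording": "bob", "review": "dave"},
    {"id": "PO-1002", "authorization": "frank", "custody": "alice",
     "recording": "frank", "review": "dave"},
]


def duties_held(roles, catalogue=ROLE_DUTIES):
    """Union of the duties conferred by a user's roles; an unknown role raises KeyError."""
    held = set()
    for role in roles:
        held |= catalogue[role]
    return held


def static_conflicts(assignments, catalogue=ROLE_DUTIES):
    """Design-time check: users whose roles combine two or more of the four duties.

    Returns {user: [(duty_a, duty_b), ...]} with pairs sorted for stable comparison;
    users holding at most one duty are omitted.
    """
    findings = {}
    for user, roles in assignments.items():
        pairs = list(combinations(sorted(duties_held(roles, catalogue)), 2))
        if pairs:
            findings[user] = pairs
    return findings


def transaction_conflicts(txn):
    """Run-time check on one transaction: the same person recorded under more than one duty.

    Returns {person: [duties]} for each person who appears under two or more duties,
    with duties listed in the order of DUTIES.
    """
    by_person = defaultdict(list)
    for duty in DUTIES:
        actor = txn.get(duty)
        if actor is not None:
            by_person[actor].append(duty)
    return {person: held for person, held in by_person.items() if len(held) > 1}


def audit_transactions(txns):
    """Return [(txn_id, conflicts)] for every transaction that violates segregation."""
    return [(t["id"], c) for t in txns if (c := transaction_conflicts(t))]


if __name__ == "__main__":
    for user, pairs in static_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"role design conflict: {user} holds {pairs}")
    for txn_id, conflicts in audit_transactions(SAMPLE_TRANSACTIONS):
        print(f"transaction {txn_id}: {conflicts}")
```

The static check catches the over-broad role (and a user who accumulates incompatible roles one at a time), which is where a periodic access review would act; the transaction check catches the case where role design looks clean but one person still performed both the authorization and the recording of a single purchase order, which is what audit trails and reconciliation are meant to surface.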
The advantage derived from proper segregation of duties is twofold:
- Fraud is more difficult to commit because it would require the collusion of two or more persons, and most people hesitate to seek the help of others to conduct wrongful acts.
- By handling different aspects of the transaction, innocent errors are more likely to be found and flagged for correction.