Tips
October 2009
Separation of duties is a basic internal control framework. If well designed, with a risk based focus, it can enhance controls while allowing for efficiencies in processes.
ISACA Journal, Volume 5, 2009, A Risk-based Approach to Segregation of Duties
September 2009
Establishing appropriate compliance and control metrics is critical when managing risk related to outsourced operations. Due diligence is required in order to properly assess whether the institution desires to be a business partner with a specific outside entity.
After entering into an outsourced partnership, contractual and financial metrics need to be managed accordingly.
August 2009
Risk assessment is a key component of information technology disaster recovery planning. In a large organization, it is often challenging to determine which applications are critical and who relies on which applications. The risk assessment process must include an analysis of what the cost is when the systems are down (both current and future costs).
July 2009
For information on the Office of Management and Budget (OMB) Circular A-133 new compliance supplement go to: OMB Circulars A-133 Compliance
June 2009
Understanding Risks
Risk events must be considered in conjunction with controls that have been developed to ensure that objectives are met. In established areas where systems and processes exist, a residual risk approach works well. This approach begins by identifying controls already in place to achieve the business objective. Control gaps may then be identified. In this environment, the largest risk is that the existing controls are not being executed.
When considering new strategic initiatives or new business segments, the identification of inherent risks may better serve the organization. In this approach, risk events are listed along with a risk rating probability. Based on this analysis, the organization determines the appropriate design of controls.
Source: Internal Auditor, April 2009, Risk Watch, The Matrix Revisited
May 2009
Business Continuity Planning for a Pandemic
To address the business risks associated with a pandemic, processes and procedures should exist to ensure continuity of essential operations during an extended period of high illness rates in the workforce. Plans need to be made well in advance – by the time staff are becoming ill, it may be too late.
Critical business processes should be protected by training more personnel to take over essential roles. Simple changes in the work environment such as having fewer face-to-face meetings, rigorous hygiene, and frequent cleaning of common area surfaces may help to mitigate the risks.
Purdue's preparedness plan is titled Revised Recommendation for Purdue Pandemic Preparedness.
April 2009
Data at Risk
There are many reasons why data are at risk and why companies must do more to protect valuable data assets.
• Information is transmitted and archived in sophisticated systems with links to the Internet.
• Companies are slow to deal with technology change.
• Data are stored on many types of electronic devices.
• Technology is continually changing.
Source: Internal Auditor, April 2009, Managing Risk in a Hostile World
March 2009
Business Unit Risk
Understanding the overall risks of each business unit is critical. By understanding the risk, effective and efficient processes can be developed to assist in controlling the risk. Take a moment to identify the risks and then verify that processes and procedures are effective in mitigating the risk.
February 2009
Who is managing risks?
Management must understand the primary vulnerabilities to the organization’s business model and establish appropriate risk expectations. These then are incorporated into business practices.
Source: Internal Auditor, December 2008, How Much Armor Is Enough?
January 2009
Identity Theft Red Flags
The Federal Trade Commission and other federal financial institutions issued rules on identity theft “red flags”. Certain entities that hold consumer account information, for which there is a reasonably foreseeable risk of identity theft, must develop and implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts.
Source: http://www.ftc.gov/opa/2007/10/redflag.shtm
December 2008
Security of Data
Protection of data is certainly the biggest security driver. Awareness of the types of data and the appropriate mechanism for protecting various data is critical for any organization. Consult the University's data classification and handling information.
November 2008
Electronic Media Destruction
Destruction practices for either physical or electronic media are intended to prevent data disclosure. USB drives, compact flash, and other such media may not be reliably wiped of data. If disposal is the ultimate goal, physical destruction is recommended. Consult with security staff to ensure your planned destruction is appropriate.
October 2008
Reputational Risk
Reputational risk is the potential that negative publicity regarding an institution's practices and policies, whether true or not, may damage the institution’s image or its good name. The National Association of College and University Business Officers (NACUBO) published an article titled Assessing Reputational Risk, by Frank Kurre, April 2007. This article may be viewed at http://www.nacubo.org/x8958.xml
September 2008
Risk Mitigation
At various organizational levels, risk mitigation mechanisms are typically in place to cover specific activities and operations.
Internal Auditor, August 2008
August 2008
Enterprise Risk Management
There are three major benefits of enterprise risk management: improved business performance, increased organizational effectiveness, and risk reporting.[1]
[1] Chapman, Robert J. (2006) Simple Tools and Techniques for Enterprise Risk Management, West Sussex, England, John Wiley & Sons Ltd.
July 2008
How to Report Suspected Fraudulent Activities
Purdue University has controls in place to provide reasonable assurance that fraudulent, illegal or dishonest activity on the part of University employees, officers, or business contacts is prevented or detected, but the potential for inappropriate transactions and behavior still exists. Please report any suspected fraudulent activity or other wrongdoings by contacting the Internal Audit Office at (765) 494-6194. To anonymously report, call (765) 494-6999, toll free (866) 818-2620. For more information, please visit www.purdue.edu/fraud
June 2008
IT Risk Assessment
Critical thoughts that should be considered when addressing information technology (IT) risk include identifying the mechanisms that are in place to ensure the IT systems are in-line with business objectives, how risks are mitigated, and what the IT department’s role is in ensuring that the business can continue to operate in the event of interruption.
Concepts from Internal Auditor, June 2008, Addressing IT Risk
May 2008
Data Security Requirements
Data protection compliance requirements vary by industry. Security requirements are typically structured to promote effective information security policies, secure networks, protection of data, vulnerability management, strong access controls, and regular monitoring and testing.
Concepts from The EDP Audit, Control, and Security Newsletter, April-May 2008, VOL. XXXVII, NOS. 4-5 and the Payment Card Industry Data Security Standard
April 2008
Printers
Printers are typically networked devices that are as vulnerable as other networked devices. Remember to secure printers accordingly.
March 2008
Enterprise Risk Management
Managing risk is critical to the success of any organization. Organizations need to identify events that impact objectives, assess the risks associated with those events, and develop action plans to manage the risks.
February 2008
Rates and Fees
Pursuant to the policy and procedure established by the Board of Trustees, it is the responsibility of the dean, director, chancellor, and head of school, division, department and office for each area to assure that all fees and charges of any kind have been previously approved by the Board of Trustees or the executive vice president and treasurer or his designee. (See Executive Vice President and Treasurer Memo A-18.)
Additional information may be viewed in the PU Business Procedures Manual.
January 2008
Statement of Integrity
Purdue University has a tradition of ethical conduct spanning its history. As members of the Purdue community, we demonstrate unyielding and uncompromised integrity in support of the highest standards of excellence for the University. As individuals, we all contribute to this Purdue standard of integrity as an exemplary model for all universities.
The above sentences are from the Purdue University Statement of Integrity. The entire document may be viewed at: http://www.purdue.edu/purdue/about/integrity_statement.html
2007
December 2007
Continuous Monitoring
What does continuous monitoring mean? Basically, it is a methodology used by management and audit departments that leverages technologies and processes to perform continuous reviews and analyses of business information.
No tip posted for November 2007
October 2007
Security Awareness Month
ITaP Networks and Security announced that October is security awareness month. The following are topics that they will be presenting during October.
October 10: Internet Riding Safely - A discussion of ways to safely use the internet
October 17: Cybercrime and Copyright Infringement - Intellectual property strategies and the law and cyber forensics
October 24: Future Destinations: Trends in Technology - New trends in the coming year
October 31: Destination Unknown - A discussion on information technology and the future of higher education
To find out more about these upcoming events, visit the ITaP website.
September 2007
Are Your Controls Efficient?
Last month, our focus was on management’s role in continuously monitoring the effectiveness of internal controls throughout the organization. To be effective, an internal control process must be one that assures the right things are being done.
Management is also accountable for assuring the efficiency of operations (IIA, 2007); for reviewing internal controls that assure people and systems are doing things right. Business objectives can only be met by doing the right things right. When effective internal control processes are not being performed efficiently, the overall business objective is still compromised.
Reference: The Institute of Internal Auditors (September 2007)
August 2007
Are Your Controls Effective?
Managers and supervisors are responsible for establishing appropriate controls and monitoring their effectiveness to provide reasonable assurance that the goals and objectives of their department are being met.
Do your controls:
- Prevent or detect deviations early to limit costly errors?
- Provide reasonable (not absolute) assurance of achieving objectives?
- Operate effectively when compared to the costs of the potential error?
Or, are your controls:
July 2007
No tip posted for July
June 2007
GAO Issues Revised Yellow Book[1]
The U.S. Government Accountability Office (GAO) has revised the Government Auditing Standards, commonly referred to as the Yellow Book. The standards are effective for periods beginning on or after January 1, 2008. The revised Yellow Book can be accessed on the GAO’s Web site: www.gao.gov
[1] Internal Auditor, April 2007
May 2007
Purdue University Information Security Program
Objectives of the Purdue University Information Security Program for the Gramm Leach Bliley Act (GLBA) and Health Insurance Portability and Accountability Act of 1996 (HIPAA) may be found at: The Purdue University Information Security Program
April 2007
Unmanaged Privileged Passwords
“Failure to update privileged passwords – accounts that enable users to control and configure applications and data – exposes organizations to serious security problems.”[1] Unique passwords should be assigned to each privileged account.
[1] The Institute of Internal Auditors, December 2006, “Unmanaged Privileged Passwords Pose Security Risks”
March 2007
Best Practices for Remote View/Control of Workstations
IT often uses remote tools to assist in legitimate troubleshooting of computer hardware or software issues. These features add risks for security and confidentiality when support personnel view your screen in real-time.
Use the following guidelines when authorizing remote view or control of your workstation:
- Do not accept remote view or control requests that you have not initiated. (If you did not place the call for assistance, then do not give access to anyone.)
- If it is necessary to allow remote access, then only grant it to appropriate support personnel.
- Close all applications that are unnecessary to resolving the issue for which you need support.
- Remain at your workstation at all times when remote viewing or controlling is taking place.
- You are responsible for any actions taken while you are logged in, so watch carefully what action is taken on your computer.
- Always ensure that the remote view or control is disconnected/terminated after support personnel have assisted you.
- Be alert for “social engineering” attempts to gain remote access to your computer, whether by phone or email. Report any attempts to your supervisor.
- If you are uncomfortable with actions taken during a remote control session, immediately end the session and tell your supervisor, who will report the incident according to Purdue’s Incident Response Policy.
February 2007
Fraud Reporting Toll Free Number
The anonymous fraud-reporting program toll free number is 866-818-2620. You may anonymously report information anytime day or night. In addition to the toll free number, you may also report information anonymously at (765) 494-6999.
Visit www.purdue.edu/fraud for additional information.
January 2007
Fraud Reporting
Best practices provide for a fraud-reporting program as an important part of a healthy business environment. Purdue University has in place controls to provide reasonable assurance that fraudulent, illegal or dishonest activity on the part of University employees, officers, or business contacts is prevented or detected, but the potential for inappropriate transactions and behavior still exists within the University, as it does in any organization. Therefore, consistent with best business practices, Purdue University has implemented a fraud-reporting program to ensure that the University provides a mechanism for reporting improper or inappropriate acts.
The Internal Audit Office is responsible for the administration of the Purdue University fraud-reporting program. For additional information on the program, please visit www.purdue.edu/fraud. A Disclosure Form for anonymous reporting is available at the website or you may leave an anonymous message by calling the dedicated fraud reporting program telephone number: (765) 494-6999.
December 2006
Control Deficiency
Statement on Auditing Standards (SAS) 112 states that a control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.[1]
[1] Statement on Auditing Standards (SAS) 112, Communicating Internal Control Related Matters Identified in an Audit
November 2006
Data Security
Data is a valuable organizational asset and requires appropriate levels of security. The University continues to educate on improving the security of data via an initiative called SecurePurdue. For details on how you can help to provide a secure data environment go to www.purdue.edu/securePurdue
October 2006
Computing Assets
Computing assets and associated risks relative to these assets must be identified in order to mitigate departmental or institutional risks. In a decentralized computing environment, each area must identify hardware, software, systems, services, facilities, or related technology assets. Risks related to these assets must then be identified which may include lack of system administration training, desktop access controls, operational policies, strong passwords, data protection, internal or external physical security, secured text transmissions, and natural disaster planning. Once assets and risks of each of these assets have been identified, appropriate solutions to mitigate the risks must be implemented.
Concepts are from: Using System Audits to Strengthen IT Security by Randy Marchany, Virginia Tech University
September 2006
Take Responsibility to Prevent Fraud
Everyone is responsible for ensuring that a culture of integrity is maintained at the University. We must never take any action that would be inappropriate or would violate laws or our policies. When confronted with new, unclear, or important situations, we need to apply the 5 point test to answer “Would it be right?”
- Would I have to hide what I did?
- Would it deceive anyone?
- Would it give me an advantage to which I am not entitled?
- Would I be happy to be on the receiving end?
- Would it be OK if everyone did this?
Source: Indiana CPA Society Anti-Fraud Conference, August 30, 2006 - Syrus Global
August 2006
Electronic Mail
Electronic mail (e-mail), a primary communications mechanism, provides increasing risks for higher education. E-mail usage has grown tremendously and yet institutional expectations for managing e-mail usage have not kept pace.
See Purdue University’s policy on e-mail.
Per this policy, e-mail stored on a University e-mail system will generally be preserved for no longer than 30 days after deletion. E-mail residing on the mail servers is retained indefinitely as are any e-mail items archived to files. Staff should not retain departmental information in this manner. Instead, e-mail containing information necessary to the University’s operation should be retained either electronically or on paper in departmental account folders.
July 2006
Business Risks
Business risks exist in all areas including operations, revenue, expenses, regulations, control environments, and information technology. Some of the primary areas where internal controls may not be functioning as intended include physical controls, separation of duties, authorization, compliance, and data (integrity, reporting, and monitoring). In order to assess business risks and to determine if controls are effective, you need to understand the goals of the operation and compare the goals to the process.
June 2006
Data Classification Standards
To identify the controls required to protect data, it is first necessary to understand the types of data that the institution has. Over the years, Purdue University has developed data classification standards.
May 2006
Protection of Data
The University has been diligently working to secure data. We each have a responsibility to ensure that data are protected. Please go to the SecurePurdue website to learn more about what you can do.
Check it out at: http://www.purdue.edu/securepurdue/
April 2006
Enterprise Risk Management-Integrated Framework
In September 2004, The Committee of Sponsoring Organizations (COSO) released the Enterprise Risk Management-Integrated Framework. This framework is designed to include effective internal controls and effective risk management.
For additional information on this framework, please go to COSO’s website at http://www.coso.org.
March 2006
A Quicker Way to Lock Your Computer
Whenever you step away from your personal computer, you should ensure that it is locked. On Windows-based machines, most people accomplish this by pressing the Ctrl, Alt, and Delete keys and then clicking the “Lock Computer” button (or pressing enter). An even quicker way is to press the “Windows” key and the “L” key simultaneously. (The “Windows” key is the key with the Windows icon on it.)
The University’s security guidelines call for you to lock the workstation whenever it will be left unattended.
February 2006
Internal Control-Integrated Framework
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued the Internal Control-Integrated Framework. This framework has served as the blueprint for establishing internal controls that promote efficiency, minimize risks, and help ensure the reliability of financial statements and compliance with laws and regulations.[1]
[1] An excellent summary article titled Putting COSO’s Theory into Practice can be located at the COSO website: http://www.theiia.org/download.cfm?file=42122
January 2006
Fraud Reporting Program
Best practices provide for a fraud reporting program as an important part of a healthy business environment. Purdue has established a Fraud Reporting Program to provide a mechanism for individuals to report improper or inappropriate activities not identified by existing controls.
There may be times when employees, students or other University contacts suspect or become aware of questionable acts concerning the University. For additional information on the program, please visit www.purdue.edu/fraud. A Disclosure Form for Anonymous Reporting is available on the website. A telephone number is also available for anonymously reporting suspected fraud or other wrongdoings. The dedicated Fraud Reporting Program Telephone Number is (765) 494-6999.
December 2005
SecurePurdue
Did you know Purdue has a website devoted to information and resources that will help you improve both the information security of the University and your own personal information?
Check it out at: http://www.purdue.edu/securepurdue/
November 2005
Best Practice for Network Security
Security is not something you have or don't have, it is something you do. Network security is a never-ending race between those who discover exploits and those who block them. That is why it is pointless to maintain an authoritative list of current vulnerabilities. The practical approach is to secure your server with all new vulnerabilities/patches today, then update your server each week (or day!) as the new vulnerabilities/patches arrive.
Source of information: SANS Institute, Securing Internet Information Server, 2005.
October 2005
Why is securing information systems so challenging?
- People are responsible for security, and they are fallible.
- Security processes include prevention, detection, and recovery. These processes rely on people doing the right things.
- Security technologies sometimes fail (unsuspected bugs, etc.).
Source: Information Systems Control, Volume 4, 2005, IS Security Matters
September 2005
The Internal Control-Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) contains the following key concepts:
- Internal control is a process and is a means to an end, not an end in itself.
- Internal control is effected by people.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
- Internal control is geared to the achievement of the organization's objectives.
August 2005
You are Accountable for Effective Controls
Effective controls allow organizations to manage operational and financial integrity while complying with laws and regulations, which increases confidence in business performance. Controls are the essential outcome of policies, procedures, and guidelines and are defined from policy statements. Each person is accountable for ensuring effective controls. Ultimately, control or compliance violations, whether malicious or accidental, come down to people. The effectiveness of the control environment is dependent on each person understanding that they are accountable for certifications and reviewing and monitoring information, and that approaching compliance is an ongoing process.
Source of Information: Seven Habits of Highly Effective Compliance Programs, Michael Rasmussen, July 12, 2005
July 2005
Protect University Data
Get rid of sensitive or restricted data where possible. If it is not collected, it can't be compromised. When extracting data from its original secured environment via Brio or other reporting tools, do not save data to local hard drives or other unprotected storage areas.
June 2005
E-mails as public records!
E-mails with a person's name on them can be considered a public record. Everyone has the right to make a public records request for University documents.
Source: Leading Edition E-Newsletter for Purdue University Supervisors.
May 2005
Due to technical difficulties no tip was posted for the month of May.
April 2005
Due to technical difficulties no tip was posted for the month of April.
March 2005
Information Technology Controls[1]
Information technology application controls are the automated and manual controls around a computer system or application.
Information technology general controls include:
- Controls over application development and maintenance (the data center, the network, and the security of programs);
Information technology controls (application and general controls) are part of the overall organizational control structure and work in combination with other control procedures to manage business risks.
[1] Internal Auditor, August 2004, The More Things Change ...
February 2005
Control Risk
Control risk is a function of the effectiveness of the design and operation of internal control structure policies or procedures in achieving the entity's broad internal control structure objectives relevant to an audit of the entity's financial statements. Some control risk will always exist because of the inherent limitations of any internal control structure.[1]
[1] SAS-47, Statements on Auditing Standards
January 2005
Follow-up Procedures
Monitoring is a critical activity in creating a strong control environment (see August 2004 tip); however, equally as important is investigating unexpected activity detected during monitoring. Good monitoring procedures identify unusual activity, but it is adequate follow-up procedures that verify whether the unusual activity was appropriate. Good follow-up procedures include verification from external sources, corroboration from multiple individuals involved in the activity, and substantiation from other valid sources of data.
December 2004
Bad Passwords Cause Good Security to Fail - Make Your Password Strong!
Create a strong password that you can remember. Never use consecutive numbers or letters on your keyboard and never use a word that can be found in a dictionary. Hackers use complex tools that allow them to guess this type of password. A strong password is at least eight characters, includes a combination of letters, numbers, and symbols, and is easy for you to remember but difficult for others to guess. By using a strong passphrase, you can establish a strong password that you can remember.
Source of information: Microsoft, May 3, 2004, Creating Stronger Passwords
November 2004
Understanding the "whys"
An internal control that is often overlooked, and whose importance is often underestimated, is understanding why certain tasks are performed in an operation. Understanding why a task is performed is almost as important to the internal controls as actually performing the task itself. If employees do not understand why they are performing a step, errors may occur that are not detected. For example, if an employee is assigned the task of matching documents without understanding that the ultimate purpose of the step is to reconcile activity to the general ledger, the employee may not realize that matching documents does not detect activity that was incorrectly posted to the general ledger and does not detect activity that never posted at all. Once the purpose of the task is understood, controls are enhanced and the effectiveness of the employee's work is increased.
October 2004
Enterprise Risk Management-Integrated Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has released an Enterprise Risk Management - Integrated Framework. To view the executive summary go to the following website: http://www.coso.org/
September 2004
Internal Audit Office
Audit or Assurance Services
Audit or assurance services involve the internal auditor's objective assessment of evidence to provide an independent opinion or conclusion regarding a process, system, or other subject matter. The Director of Audits determines the nature and scope of the audit or assurance engagement. There are generally three parties involved in assurance services: (1) the person or group directly involved with the process, system, or other subject matter (the process owner), (2) the person or group making the assessment (the internal auditor), and (3) the person or group using the assessment (the user).
Source of information: The IIA Research Foundation, The Professional Practices Framework, January 2004
August 2004
Monitoring
Ongoing monitoring is a crucial management activity. There are two approaches to ongoing monitoring: ongoing activities or separate evaluations. Ongoing monitoring is part of the normal, recurring operating activities. Because it is performed on a real-time basis, it is more effective than separate evaluations. Separate evaluations take place after the fact and problems are not always identified quickly. Examples of ongoing monitoring activities include regular management and supervisory activities, variance analysis, comparisons, reconciliations and other routine activities. Separate evaluations vary in scope and frequency depending on risks and related controls in managing the risks. Examples of separate evaluations may include self-assessments, and the work that internal auditors perform as part of their regular duties.
Source of information: COSO, The Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Framework
July
2004
Passwords
You have likely heard considerable information about identity
theft, but did you know that identity theft can start with a
compromised password? If your password is compromised, an
unauthorized user has the same system rights that you have. It
is your responsibility to protect system information by using a
strong password and keeping it secret.
Create a strong password that you can remember. Never use
consecutive numbers or letters from your keyboard (such as 12345
or qwerty) and never use a word that can be found in a dictionary,
even with a digit or symbol tacked on. Attackers use automated
tools that try these patterns and entire dictionaries very quickly.
A strong password is at least eight characters, includes a
combination of letters, numbers, and symbols, and is easy for you
to remember but difficult for others to guess. A passphrase of
several unrelated words gives you both length and memorability.
Always keep your passwords secret and never give your password
to anyone. Watch out for scams such as phishing: bogus emails
that appear to come from trusted sources and ask you to respond
by entering your login name and password. The moment you do,
your password is compromised. Before responding to anything that
appears unusual to you, check with your supervisor.
Source
of information: Microsoft, May 3, 2004, Creating
Stronger Passwords
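The rules in the paragraph above can be enforced mechanically at the point a password is chosen. The following Python is an added example, not code from the original page or from Microsoft: it checks a candidate against the minimum length, the letters/numbers/symbols mix, keyboard or alphabetic sequences, and a dictionary. The word list and keyboard rows are small constructed stand-ins for the lists a cracking tool carries.

```python
"""Password policy check for the rules in the tip above: minimum length,
mixed character classes, no keyboard or alphabetic sequences, no dictionary
words. Added example, not code from the original page; the word list and
keyboard rows are small constructed stand-ins for the lists a cracking tool
carries."""
import string

# Constructed stand-in for a cracking dictionary (real lists hold millions of words).
DICTIONARY = {"password", "purdue", "welcome", "summer", "letmein", "dragon", "football"}

# Keyboard rows plus the alphabet and the digits. Any run of RUN_LENGTH adjacent
# password characters that appears in one of these, forwards or backwards,
# is treated as a "consecutive" sequence.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", string.ascii_lowercase, string.digits]
MIN_LENGTH = 8
RUN_LENGTH = 4


def has_sequence_run(password, run=RUN_LENGTH):
    """True if any `run` consecutive characters form a keyboard/alphabet/digit sequence."""
    p = password.lower()
    for i in range(len(p) - run + 1):
        chunk = p[i:i + run]
        if any(chunk in seq or chunk in seq[::-1] for seq in SEQUENCES):
            return True
    return False


def contains_dictionary_word(password):
    """True if the password is a dictionary word once digits and symbols are
    stripped; this catches 'Password1!'-style decoration of a common word."""
    letters_only = "".join(c for c in password.lower() if c.isalpha())
    return letters_only in DICTIONARY


def character_classes(password):
    """How many of the four classes (lower, upper, digit, symbol) are present."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def check_password(password):
    """Return the policy rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(password) < 3:
        failures.append("needs a mix of letters, numbers and symbols")
    if has_sequence_run(password):
        failures.append("contains a keyboard or alphabetic sequence")
    if contains_dictionary_word(password):
        failures.append("is a dictionary word")
    return failures


if __name__ == "__main__":
    for candidate in ["qwerty12", "Password1!", "Abcd1234!", "Blue!Teapot-Rides_North 9"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

A multi-word passphrase such as the last candidate passes every rule because its length and mixed classes come naturally; a decorated dictionary word does not, which is exactly the weakness the tip describes.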
June 2004
Monitoring of Information Technology Event Logs
Well-conceived
and properly enforced internal controls include identifying
specific information technology (IT) events that should
be logged as audit entries. A logging process is required
in order to recreate pertinent system events and actions
taken by system users and administrators. A monitoring process
is required in order to identify questionable data access
activities, investigate breaches, respond to potential weaknesses,
and assess the security program.
Simply
logging the events is not sufficient; the logs must be reviewed
periodically. The following should be considered when reviewing
event logs.
- Follow up on suspicious events such as intrusion
attempts, authorized accesses at unusual times, and
unusual changes to infrastructure devices.
- Identify, investigate, report, and respond to inappropriate
activity.
- Ensure that audit requirements and activities do
not unduly disrupt critical business processes.
- Agree on and control the scope of the events to check.
- Assign event analysis to an individual independent from
those who set the audit trail rules.
- Ensure audit trails are available and that they record who,
what, when, where, and why sensitive information is
released. Rules-of-evidence integrity must be maintained
so that log records can support an investigation.
- Document all event capturing and analysis procedures,
requirements, and responsibilities, including when to
involve forensics specialists.
- Develop a process to ensure that users comply with
access control procedures, including strong password
creation and protection.
- Audit all user activity where risk levels warrant.
- Employ event analysis support tools and automated
methods of correlating log data to detect suspicious
activity and reduce the volume a reviewer must read.
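As an added example of the review points above (not code from the original page), the following Python applies three of them to constructed log lines: repeated failed logins from one source, a successful login outside business hours, and a configuration change on an infrastructure device. The log format, thresholds, business hours and host names are assumptions.

```python
"""Event-log review over constructed sample lines. Added example, not code
from the original page. The log format and the three rules (failed-login
bursts, logins at unusual times, infrastructure changes) are assumptions
illustrating the review points listed in the tip."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <host> <event> key=value ..."
SAMPLE_LOG = """\
2004-06-14T02:13:05 fileserver1 LOGIN_FAILED user=jdoe src=10.9.8.7
2004-06-14T02:13:09 fileserver1 LOGIN_FAILED user=jdoe src=10.9.8.7
2004-06-14T02:13:14 fileserver1 LOGIN_FAILED user=jdoe src=10.9.8.7
2004-06-14T02:13:20 fileserver1 LOGIN_FAILED user=jdoe src=10.9.8.7
2004-06-14T02:13:27 fileserver1 LOGIN_FAILED user=jdoe src=10.9.8.7
2004-06-14T02:14:01 fileserver1 LOGIN_OK user=jdoe src=10.9.8.7
2004-06-14T09:02:44 fileserver1 LOGIN_OK user=asmith src=10.1.1.20
2004-06-14T23:41:10 coreswitch1 CONFIG_CHANGE user=admin src=10.1.1.99 detail=acl-101-removed
2004-06-14T10:15:00 coreswitch1 LOGIN_FAILED user=root src=192.0.2.55
2004-06-14T10:30:00 fileserver1 LOGIN_OK user=bwong src=10.1.1.31
"""

BUSINESS_HOURS = (7, 19)          # 07:00 to 18:59, Monday to Friday (assumed)
BURST_THRESHOLD = 5               # failed logins ...
BURST_WINDOW = timedelta(minutes=10)   # ... within this window from one source
INFRASTRUCTURE_HOSTS = {"coreswitch1", "edge-router1", "fw1"}   # assumed inventory


def parse_line(line):
    """Parse one constructed log line into a dict; key=value fields become entries."""
    ts, host, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "host": host, "event": event}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec


def is_unusual_time(ts):
    """Outside business hours or on a weekend."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def review(log_text):
    """Apply the three review rules in timestamp order; return (rule, detail) alerts."""
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    alerts = []
    failures = defaultdict(list)   # (src, user) -> timestamps of recent LOGIN_FAILED
    burst_reported = set()

    for r in records:
        if r["event"] == "LOGIN_FAILED":
            key = (r["src"], r["user"])
            window = failures[key] + [r["ts"]]
            # Sliding window: keep only failures within BURST_WINDOW of this one
            failures[key] = [t for t in window if r["ts"] - t <= BURST_WINDOW]
            if len(failures[key]) >= BURST_THRESHOLD and key not in burst_reported:
                alerts.append(("failed-login burst",
                               f"{key[1]} from {key[0]} on {r['host']}: "
                               f"{len(failures[key])} failures within {BURST_WINDOW}"))
                burst_reported.add(key)
        elif r["event"] == "LOGIN_OK" and is_unusual_time(r["ts"]):
            alerts.append(("login at unusual time",
                           f"{r['user']} on {r['host']} at {r['ts'].isoformat()}"))
        if r["event"] == "CONFIG_CHANGE" and r["host"] in INFRASTRUCTURE_HOSTS:
            alerts.append(("infrastructure change",
                           f"{r['user']} changed {r['host']}: {r.get('detail', '?')}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in review(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

The single failed root login against the switch is deliberately left below the threshold: a reviewer decides the thresholds, and the point of the "agree on the scope" item above is that they are written down rather than improvised.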
May 2004
Internal Control Systems
What are the primary objectives of an internal control system?
- Compliance with laws and regulations.
- Financial reporting accuracy.
- Operations efficiency and effectiveness.
What are the essential components of a control system?
- Control environment,
- Risk assessment,
- Control activities,
- Information and communication, and
- Monitoring.
For
more information, please contact the Internal Audit Office.
April 2004
Risk
Risk is the uncertainty of an event occurring that could have
an impact on the achievement of departmental objectives.
Risk is realized when:
- Objectives of the business are not achieved.
- Assets of the business are not safeguarded.
- There is non-compliance with organization policies
and procedures or external regulations.
- Resources of the department are not utilized in an
economic, efficient, or effective manner.
March 2004
Information Technology Control Objectives*
What are information technology control objectives? They are
typically presented in three major categories:
- Company Level
- General Controls
- Application Controls
At
the company level, controls set the tone for the entity
and include systems planning, enterprise policies, governance,
codes of conduct, and fraud prevention. At the general controls
level, controls are embedded in common services and include
systems maintenance, disaster recovery, physical and logical
security, data management, and incident response. At the
application level, controls are embedded in business process
applications and are designed to achieve completeness, accuracy,
validity and recording assertions and include authorizations,
approvals, tolerance levels, reconciliations, and input
edits.
*Institute
of Internal Auditors, February 10, 2004,
Are you Ready for IT Control Identification and Testing
January/February 2004
Internal Audit Mission
The
mission of the Internal Audit Office is to provide independent,
objective assurance and advisory services designed to add
value and assist all levels of administration in achieving
University objectives by striving to provide a positive
impact on the efficiency and effectiveness of the operations.
The Internal Audit Office helps the University accomplish
its objectives by bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of risk management,
control, and governance processes. Please contact our office
for assistance in evaluating changes in your internal control
environment, new risks as a result of process or personnel
changes, etc.
December 2003
Wireless Vulnerabilities
The ease of deploying wireless technologies in today's environment
is a mixed blessing. Installing and setting up a wireless
environment is a relatively easy task; securing it is another
challenge altogether. The user is the common ingredient in both
wireless and wired environments, and the weakest link in both.
A user installing wireless devices must understand the importance
of security and know how to configure the device to protect the
organization's network and data. Sixty to ninety percent of WLANs
(Wireless Local Area Networks) are reported to be deployed without
the most basic security mechanisms: changing the default network
name and administrator password, enabling encryption, placing the
access point so its signal does not reach further than needed,
and so on. The challenge is not plugging in devices and making
them work. The real challenge is understanding the security
position the configuration places the organization in, knowing
the difference between secure and insecure, and knowing whom to
contact (or how) to change the configuration to protect your
organization.
November 2003
The Committee of Sponsoring Organizations of the Treadway Commission's
(COSO) Internal Control - Integrated Framework
There
are five steps, or components, in the internal control framework,
all of which are management's responsibility. The five steps
are:
- The control environment contains informal,
and often intangible, soft controls such as ethics,
integrity, philosophy, and commitment to competence,
as well as formal controls like assignment of roles
and responsibilities.
- Risk assessment is management's identification
and analysis of risks to the achievement of its objectives.
- Control activities are the mechanisms management
establishes to ensure directives are carried out.
- Information and communication refers to employees
getting the information they need to do their jobs and
communication relates to the free flow of information
in the organization.
- Monitoring involves day-to-day oversight by
managers, periodic reviews by auditors, and the processes
management uses to address and correct known deficiencies.
Remember
that management is responsible for internal controls!
October 2003
SARBANES-OXLEY
Even
though Sarbanes-Oxley is not directly applicable to colleges
and universities, it is important for colleges and universities
to assess policies and procedures with the conceptual framework
of Sarbanes-Oxley in mind. It is important to review internal
procedures and controls as well as monitor compliance with
requirements.
August 2003
Controls
Internal
controls may be preventive, detective, or corrective. A
preventive control is designed to prevent undesirable outcomes
before they happen, a detective control is designed to identify
the undesirable outcome when it happens, and corrective
controls are designed to reverse the undesirable outcome
or ensure that it does not recur.
Detective
controls include reviews and comparisons as well as reconciliations.
These controls are critical to ensuring the accuracy of
the general ledger data. For example, subsidiary systems
must be reconciled with general ledger data to ensure the
accuracy of general ledger data.
July 2003
Monitoring
Monitoring is a critical internal control. Ongoing monitoring includes
regular management and supervisory activities. Examples
of ongoing monitoring include:
- Review of operating and financial reports to identify
inaccuracies or exceptions;
- Oversight of reconciliation processes and procedures
to ensure accuracy and proper separation of duties;
- Review of information indicating that problems may
exist;
- Oversight of control functions and identification
of deficiencies;
- Comparison of recorded data to physical assets; and
- Routine assessment of internal controls.
June 2003
COSO provides an excellent framework for evaluating your internal
control environment.
What is COSO?
COSO
is a voluntary private sector organization dedicated to
improving the quality of financial reporting through business
ethics, effective internal controls, and corporate governance.
COSO was originally formed in 1985 to sponsor the National
Commission on Fraudulent Financial Reporting, an independent
private sector initiative which studied the causal factors
that can lead to fraudulent financial reporting and developed
recommendations for public companies and their independent
auditors, for the SEC and other regulators, and for educational
institutions.
Who
sponsored the National Commission?
The
National Commission was jointly sponsored by the five major
financial professional associations in the United States,
the American Accounting Association, the American Institute
of Certified Public Accountants, the Financial Executives
Institute, The Institute of Internal Auditors, and the National
Association of Accountants (now the Institute of Management
Accountants). The Commission was wholly independent of each
of the sponsoring organizations, and contained representatives
from industry, public accounting, investment firms, and
the New York Stock Exchange.
What is the COSO Internal Control - Integrated Framework?
Internal Control - Integrated Framework
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
What are the Key Concepts?
- Internal control is a process. It is a means to an
end, not an end in itself.
- Internal control is effected by people. It's not merely
policy manuals and forms, but people at every level
of an organization.
- Internal control can be expected to provide only reasonable
assurance, not absolute assurance, to an entity's management
and board.
- Internal control is geared to the achievement of objectives
in one or more separate but overlapping categories.
Reference
COSO website or contact the Internal Audit Office for additional
information.
May 2003
Controls Self Assessment
Controls
Self Assessment is a tool or strategy used to provide management
an opportunity to evaluate its own internal control environment
through process maps and internal control questionnaires.
Management can assess the overall performance of the operation,
compliance with policies and procedures, evaluate business
controls, and ensure effective business risk management.
If you would like assistance from the Internal Audit Office in
developing your controls self-assessment strategy, please contact
iadirector@purdue.edu or call 494-7588.
April 2003
What is a balanced scorecard framework?
It is a strategy-focused approach to performance management
that includes non-financial and financial performance measures
derived from the organization's vision and strategy. The balanced
scorecard represents a strategic performance management and
measurement system. (1)
(1) A Balanced Scorecard Framework for Internal Auditing
Departments, The Institute of Internal Auditors Research
Foundation
March 2003
Internal Control: Who is Responsible for it?
The
short answer is EVERYONE in the Organization. While different
levels of the Organization may be responsible for different
aspects of internal controls, everyone has an obligation
to make sure adequate levels of internal
control exist. Five elements of internal control are
the control environment,
risk assessment, control activities, information and communication,
and monitoring.
Recent
legislation enacted by the United States Government (The
Sarbanes-Oxley Act of 2002), which generally applies to
all publicly traded companies, reinforces management's responsibility
for establishing and maintaining a system of internal controls.
January 2003
Internal Control: What is it?
A
process within an organization designed to provide reasonable
assurance that:
- information is reliable, accurate, and timely
- compliance exists with policies, plans, procedures,
laws, regulations, and contracts
- assets (including people) are safeguarded
- resources are used economically and efficiently
- overall established objectives and goals are met.
November 2002
Performance Monitoring
Monitoring
is a process that allows for the assessment of the quality
of the department's performance over time. Key components
of monitoring include:
- Routine evaluations of the overall effectiveness
of the internal control systems, processes, and procedures;
- Assessment of the organization structure for effectiveness;
- Evaluation and review of policies and procedures;
and
- Evaluation of risk assessment procedures.
Ongoing
monitoring is critical to ensuring proper evaluations and
immediate changes, when necessary, to the department or
operation.
October 2002
Preventive, Detective, and Corrective Controls
Controls
give organizations the ability to achieve effective and
efficient operations, to produce reliable financial reports,
and to comply with applicable laws and regulations. Controls
are generally categorized into three major categories:
preventive, detective, and corrective.
Preventive controls prevent undesirable outcomes before they occur.
They are generally more cost-effective than detective controls,
since an error that never enters the system never has to be found
and corrected.
Examples of preventive controls include:
- Segregation of duties;
- Programmed edit checks;
- Use of access control software that allows only authorized
personnel to access sensitive files; and
- Employment of trustworthy, competent people.
Detective
controls detect that an error, omission, or malicious
act has occurred and report the occurrence. They measure
the effectiveness of the preventive controls. Some errors
cannot be prevented, so they must be detected when they
occur. Examples of detective controls include:
- Hash totals;
- Check points in production jobs;
- Past due account reports;
- Bank reconciliations;
- Cash counts; and
- Physical counts of inventories.
Corrective
controls take over when improper outcomes occur and
are detected. They are designed to identify the cause of
a problem and to correct errors arising out of a problem.
Examples of corrective controls include:
- Contingency planning;
- Back-up procedures; and
- Re-run procedures.
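Added example (not code from the original page) of two of the controls listed above: a programmed edit check as a preventive control, and batch control totals (record count, net amount, hash total) as a detective control, run over a constructed batch of transactions. The record layout, account number format, tolerance level and the simulated "posting" step are assumptions.

```python
"""Programmed edit checks (preventive) and batch control totals (detective)
over a constructed transaction batch. Added example, not code from the
original page; the record layout, account format and tolerance level are
assumptions."""
import re
from decimal import Decimal, InvalidOperation

# Constructed batch as a clerk might key it: (account, amount, memo)
BATCH = [
    ("4100-0021", "1250.00", "tuition"),
    ("4100-0022", "80.50", "lab fee"),
    ("4200-0007", "-15.25", "refund"),
    ("4100-0021", "300.00", "housing"),
]

ACCOUNT_RE = re.compile(r"^\d{4}-\d{4}$")     # assumed account number format
MAX_AMOUNT = Decimal("100000.00")             # assumed tolerance level


def edit_check(record):
    """Preventive control: reasons a record must be rejected before it is ever
    posted. An empty list means the record is accepted."""
    account, amount, memo = record
    problems = []
    if not ACCOUNT_RE.match(account):
        problems.append("account number not in NNNN-NNNN format")
    try:
        value = Decimal(amount)
    except InvalidOperation:
        problems.append("amount is not numeric")
        return problems
    if value == 0:
        problems.append("zero amount")
    if abs(value) > MAX_AMOUNT:
        problems.append("amount exceeds tolerance level")
    if not memo.strip():
        problems.append("missing memo")
    return problems


def control_totals(records):
    """Detective control: record count, net amount and a hash total. The hash
    total is the plain sum of the account numbers read as integers; it has no
    business meaning, which is why a dropped, duplicated or mis-keyed record
    changes it even when the money still adds up."""
    return {
        "count": len(records),
        "net": sum(Decimal(r[1]) for r in records),
        "hash": sum(int(r[0].replace("-", "")) for r in records),
    }


def post(records, drop_index=None, alter=None):
    """Constructed 'posting' step. By default it copies the batch faithfully;
    drop_index / alter simulate a record lost or changed in transit."""
    posted = list(records)
    if drop_index is not None:
        del posted[drop_index]
    if alter is not None:
        index, new_record = alter
        posted[index] = new_record
    return posted


def reconcile(input_records, posted_records):
    """Compare totals taken before and after posting; return the names of the
    totals that disagree (empty means the batch reconciles)."""
    before, after = control_totals(input_records), control_totals(posted_records)
    return [name for name in before if before[name] != after[name]]


if __name__ == "__main__":
    assert all(edit_check(r) == [] for r in BATCH), "batch should be clean"
    print("faithful posting:", reconcile(BATCH, post(BATCH)))
    print("dropped record:  ", reconcile(BATCH, post(BATCH, drop_index=1)))
    swapped = (0, ("4100-0012", "1250.00", "tuition"))   # transposed digits
    print("mis-keyed account:", reconcile(BATCH, post(BATCH, alter=swapped)))
```

The transposed-digit case is the one the hash total exists for: count and net amount both still agree, so only the meaningless arithmetic over account numbers reveals that the wrong account was charged.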
September 2002
Information Technology Controls
In our August tip, we discussed the impact of SAS 94 on information
technology controls. Controls associated with computer operations
can be grouped into two broad categories: general controls
and application controls.
General
controls commonly include controls over data center operations,
system software acquisition and maintenance, access restrictions,
security, and application system development and maintenance.
Application
controls include computerized steps within the application
software. They are related to manual procedures that control
the processing of various types of transactions. Together,
these controls serve to ensure completeness, accuracy, and
validity of all information in the system. This information
is identified, captured, processed, and reported formally
and informally. It is important to note that the quality
of information influences the quality of decisions.
August 2002
Effective Information Technology Controls are Critical to the University
In April 2001, the American Institute of Certified Public Accountants
(AICPA) issued Statement on Auditing Standards (SAS) No.
94 titled, The Effect of Information Technology on the Auditor's
Consideration of Internal Control in a Financial Statement
Audit. This standard provides guidance on the effect of
information technology on internal control and on the auditor's
understanding of internal control and assessment of control
risk. This standard notes that an organization's information
technology use may affect any of the five internal control
components, which are:
- The control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
It
is the University's responsibility to comply with the standards
and the external auditors' responsibility to validate via
their opinion that we are materially compliant with the
standards. As you can see, effective information technology
controls are critical to the University. If you would like
more information, please contact our department.
July 2002
NEVER PROVIDE YOUR PASSWORD TO ANYONE
Only you should know your password. If anyone requests your password,
even if they identify themselves as authorized to know this
information, advise them that you are not permitted to provide
your password and immediately advise your supervisor of
this request.
Systems should never keep passwords in readable form. When you
set a password, the system should store only a one-way hash of
it (a jumbled value that cannot be turned back into the password);
when you log in, it hashes what you typed and compares the two
values. Because the stored value cannot be reversed, no one,
not even a system administrator, needs to know what your password
is besides you. Anyone who asks for it is asking for something a
properly run system never needs.
Remember,
YOU ARE RESPONSIBLE FOR THE PROTECTION OF YOUR PASSWORD
NEVER PROVIDE IT TO ANYONE!
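To show what "jumbled" should mean in practice, here is an added Python example, not code from the original page or from any University system: passwords are stored as a salted one-way hash (PBKDF2-HMAC-SHA256 from the standard library) and verified by recomputing the hash, so the original password cannot be recovered from the store, only guessed at. The iteration count and the storage format are assumptions.

```python
"""How a system should store passwords: a salted one-way hash, not a
reversible encryption. Added example, not code from the original page.
Uses PBKDF2-HMAC-SHA256 from the standard library; the iteration count
and the stored-record format are assumptions."""
import hashlib
import hmac
import os

ITERATIONS = 100_000      # slows offline guessing; raise as hardware allows (assumed)
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    A fresh random salt per user means two users with the same password get
    different stored values and precomputed tables are useless."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time.
    Nothing here recovers the password from `stored`; it can only test a guess."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_by_guessing(stored, guesses):
    """The only way back from a stored hash: try candidates until one verifies.
    Returns the first matching guess or None. This is what an attacker holding
    a copied password file must do, which is why the hash is deliberately slow
    and why dictionary words fall first."""
    for guess in guesses:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    record = hash_password("Blue!Teapot-Rides_North 9")
    print("stored:", record)
    print("correct password verifies:", verify_password("Blue!Teapot-Rides_North 9", record))
    print("wrong case fails:        ", verify_password("blue!teapot-rides_north 9", record))
    print("dictionary attack finds: ", crack_by_guessing(record, ["password", "letmein", "Purdue1"]))
```

Even the administrator who can read the stored record learns nothing but the salt and the digest; that is the property the tip relies on when it says nobody besides you needs the password.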
June 2002
Assess your Risks
One
approach to establishing a strong internal control environment
is to first review your operation and determine your business
risks. Business risks are identified in six major categories.
Within each business risk category, associated risks exist.
There are several questions that can assist you in evaluating
whether the business risks have been minimized. These include
but are not limited to:
- Revenues
Are we in compliance with revenue policies and procedures?
Do we have a current rate approval?
Are duties properly separated?
Are reconciliations completed timely and effectively?
- Operations
Have new strategies or initiatives been evaluated for
changes in the control environment?
Are we operating efficiently and effectively?
Have we experienced personnel changes and are new personnel
familiar with policies and procedures?
- Information Technology
Have we evaluated controls associated with new technologies?
Do we have procedures to ensure continuity and disaster
recovery?
Is the technology infrastructure adequate and properly maintained?
Have we made any system changes that have not been evaluated
for proper controls?
Is the data secure?
- Regulatory
Are we in compliance with federal, state, and other
regulatory requirements?
- Control Environment
Do we properly safeguard assets?
Are duties properly separated?
Are internal controls functioning as intended?
Are we in compliance with policies and procedures?
Does oversight and monitoring exist?
- Expenses
Are resources properly used?
Are approval and reconciliation procedures appropriate?
Are duties properly separated?
Does oversight and monitoring exist?
Are we in compliance with expense policies and procedures?
May 2002
Separation of Duties
One
extremely important internal control is to ensure that duties
are properly separated. Duties must be divided among different
people to reduce the risk of error or inappropriate actions.
For example, responsibilities for authorizing transactions,
recording them, handling the related asset, and monitoring
the activity should be separated. Consider the following
when assessing your internal controls and if you recognize
that your operation is handling transactions in the manner
described, implement changes immediately.
Examples
of Inappropriate Separation of Duties
- An employee submits his/her timecard to the supervisor;
the supervisor approves (signs) the timecard and returns
it to the employee.
- A payroll clerk submits his/her timecard to the supervisor
for signature; the supervisor approves (signs) and returns
it to the payroll clerk for processing.
- A disbursement clerk authorizes expenditures, records
the expenditure, and monitors the ledger activity.
- One employee collects income (cash, checks, etc),
verifies the source of income to the supporting documentation,
prepares the required reports, and retains the reports.
- One employee writes checks, signs checks, and reconciles
the bank account.
- No independent monitoring or reviews of income or
expense occur within the operation.
- One individual makes program changes to the production
program and no independent review of the testing or
expected results is completed.
- Reconciliation and monitoring procedures rest with
the individual responsible for processing transactions.
- Checks are signed by the authorized signer and then
returned for mailing to the individual responsible for
preparing the bank reconciliation or maintaining the
ledger.
- Checks are presigned (signed in blank) and given
to the individual responsible for the bank reconciliation
or maintaining the ledger.
Please contact us for more examples or if you are uncertain whether
duties are properly separated within your operation.
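The examples above all reduce to one of two conditions: one person holding two or more of the four incompatible duty classes (authorize, record, custody of the asset, reconcile/monitor) within a process, or a process that nobody independently reviews. The following Python is an added example, not the University's or the page's code: given a list of who performs which task in which process, it reports both conditions. Task names, processes and staff are constructed.

```python
"""Separation-of-duties conflict check over constructed role assignments.
Added example, not code from the original page. The four duty classes follow
the tip above (authorize, record, custody, reconcile/monitor); the task
names, processes and staff are assumptions."""
from collections import defaultdict

# Every task a person can perform is mapped to the duty class it belongs to.
DUTY_CLASS = {
    "approve_timecard": "authorize",
    "authorize_expenditure": "authorize",
    "sign_checks": "authorize",
    "process_payroll": "record",
    "record_expenditure": "record",
    "record_receipts": "record",
    "write_checks": "record",
    "change_production_code": "record",
    "handle_cash": "custody",
    "mail_checks": "custody",
    "reconcile_bank": "reconcile",
    "monitor_ledger": "reconcile",
    "review_program_change": "reconcile",
}


def find_conflicts(assignments):
    """assignments: iterable of (person, process, task).
    Returns findings: ('incompatible duties', process, person, tasks) when one
    person holds more than one duty class in a process, and
    ('no independent review', process, None, []) when nobody reconciles or
    monitors the process at all."""
    classes_held = defaultdict(lambda: defaultdict(set))  # process -> person -> classes
    tasks_held = defaultdict(list)                        # (process, person) -> tasks
    for person, process, task in assignments:
        classes_held[process][person].add(DUTY_CLASS[task])
        tasks_held[(process, person)].append(task)

    findings = []
    for process, people in classes_held.items():
        for person, classes in people.items():
            if len(classes) > 1:
                findings.append(("incompatible duties", process, person,
                                 sorted(tasks_held[(process, person)])))
        if not any("reconcile" in classes for classes in people.values()):
            findings.append(("no independent review", process, None, []))
    return findings


# Constructed staffing of four processes; several mirror the tip's examples
# (one person writes, signs and reconciles checks; one person collects and
# records cash; a program change with no independent review).
ASSIGNMENTS = [
    ("pat", "disbursements", "write_checks"),
    ("pat", "disbursements", "sign_checks"),
    ("pat", "disbursements", "reconcile_bank"),
    ("lee", "disbursements", "mail_checks"),
    ("sam", "payroll", "process_payroll"),
    ("kim", "payroll", "approve_timecard"),
    ("sam", "cash_receipts", "handle_cash"),
    ("sam", "cash_receipts", "record_receipts"),
    ("dev1", "application_changes", "change_production_code"),
]

if __name__ == "__main__":
    for finding in find_conflicts(ASSIGNMENTS):
        print(finding)
```

Run against a real system's role export, the same two rules give an auditor a list to work from rather than a set of anecdotes; the fix for a small office that cannot split every duty is usually to add the missing independent review rather than to hire.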
April 2002
Information Technology (IT) Internal Controls
- What is internal control?
- Internal control is a process designed to provide
reasonable assurance regarding the achievement of objectives
including the reliability of data and reporting, effectiveness
and efficiency of operations, and compliance with applicable
laws and regulations
- Why are internal controls important to you and the
University?
- All staff have a fiduciary responsibility to ensure
data integrity
- Data integrity is critical for all computing systems
- Data must be protected in accordance with external
regulations and University policies and procedures
- A report generated with unreliable data can lead
to poor management decisions
- Good decisions and future directions are not possible
without good information (data)
- Good control and security implementation within and
around a system allows for protection of data (one of
the University's most important assets)
March 2002
The Fair Labor Standards Act -- Know the Law!
The
Fair Labor Standards Act (FLSA) establishes minimum
wage, overtime, and record-keeping standards for employees
who are not exempt from its provisions. As a supervisor,
you must know the law and University policies and procedures.
Supervisors are responsible for proper monitoring of time
and for ensuring that time is properly reported by their
staff.
Know
the overtime policy and procedures as stated in the Business
Procedures Manual:
- The overtime policy and its regulations apply to
the employment of all regular and temporary staff members
(including student employees) who work in excess of
40 hours weekly or eight hours daily, except for those
who perform work classified as exempt under the Fair
Labor Standards Act;
- Department heads or their designated representatives
authorize overtime when there are increased workloads,
emergencies, or work that requires employees with certain
skills, training, or experience. To prevent last minute
scheduling, supervisors should inform their employees
as soon as possible that they are needed for overtime
work.
- Overtime not requested but permitted or condoned
by a supervisor must be counted as "worked overtime";
and
- The University has certain classifications that are
monthly paid non-exempt staff. Monthly paid employees
who are eligible for the payment of overtime are to
be compensated at time and a half for overtime work.
Know
employee classifications and if your staff members are eligible
for overtime!
Further
questions or clarification can be obtained from Human Resource
Services-ask them.
The
University does NOT tolerate violations of The Fair
Labor Standards Act.
January 2002
What occurs during an audit?
Audit Process
Although
every audit project is unique, the audit process is similar
for most engagements and usually consists of three stages:
Preliminary Review, Field Work, and Closure. Through these
stages, Internal Audit wants to determine ways to minimize
risks and increase efficiencies within your area taking
a University system-wide approach.
Preliminary
Review
After
the decision has been made to audit your area, we gather
information about your processes and procedures. We then
review and evaluate the existing internal control structure
and identify the audit objectives. Finally, we plan the
remaining audit steps necessary to achieve the objectives.
Fieldwork
The
fieldwork involves gathering data and identifying opportunities
for continuous process improvement. It is during this phase
that we determine whether the controls identified during
the preliminary review are operating in the manner you described.
Closure
A
written report is issued showing the results of the audit
steps performed. It will include advice and requests for
action as needed based on the results.
January 2002
Risk Element Identification
A
step to establishing a strong internal control environment
is to review processes and determine what risk elements
are contained within the process. Identifying risk elements
leads directly to determining control points that can be
implemented to help mitigate these risks. Risk elements
within processes can include:
Attitude and competency of personnel involved in the process
- Work performed by newer employees tackling the learning
curve may need more thorough reviews.
- Competent employees help reduce risk, but they may also
be able to "outsmart" the system.
Accountability placed on employees
- Expectations placed on employees and higher levels
of accountability should lead to lower risk.
Age of processes
- Newer processes are generally more risky; however,
older processes can also be risky if newer technologies
or information are not incorporated.
Complexity of processes
- Highly complex processes or systems are generally
more risky.
Time constraints
- Activities performed under pressure can be more risky
and have the potential for more errors.
December 2001
Logical Access Controls
Legitimate system users should be authenticated before they are
allowed to use the system, and they should be allowed access only
to the data they are authorized to use, and then only to perform
specific, authorized functions such as reading, copying, adding,
and deleting data. It is also important to protect data from
those outside the organization.
A favorite electronic espionage tactic is to gain access to a
building, plug into an Ethernet jack in the wall, and talk to the
system. Configuring the network to respond only to hardware it
recognizes raises the bar, but hardware addresses can be copied
by an attacker, so port-based authentication of the device or
user (for example, IEEE 802.1X) and disabling unused jacks are
the stronger controls.
To restrict logical access, a system must differentiate between
authorized and unauthorized users using something the user knows
(a password), something the user possesses (a token or smart
card), where the user is accessing the system from, or some
personal characteristic (a biometric). The most common approach
is something the user knows, such as a password or personal
identification number. Personal questions such as a mother's
maiden name are a weak form of this: the answers are often known
to others or easily discovered, so they should not be the only
factor.
November 2001
Control Activities for University Departments
Each
University department can utilize internal controls to assist
the organization in the achievement of the following objectives:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
Suggested
internal control activities are:
- Implement segregation of duties where duties
are divided among different people. No one person should
have control over all aspects of any financial transaction.
- Make sure a person delegated approval authority authorizes
transactions.
- Ensure records are routinely reviewed and reconciled
by someone other than the preparer.
- Make certain that equipment, inventories, cash and
other property are secured physically, counted periodically,
and compared with item descriptions shown on control
records.
- Provide employees with appropriate training to ensure
they have the knowledge necessary to carry out their
job duties. Make sure University and departmental level
policies and operating procedures are formalized and
communicated to employees. Documenting policies and
procedures and making them accessible to employees helps
provide continuity of activities in the event of prolonged
employee absences or turnover.
October 2001
Physical Access Controls
Both the physical ability to use computer equipment (referred
to as physical access) and the ability to gain access to
company data (called logical access) should be restricted.
Physical access security can be achieved by the following
controls:
- Placing computer equipment in locked rooms and restricting
access to authorized personnel only.
- Having only one or two entrances to the computer room.
The entrances should be securely locked and watched
carefully by security guards and closed-circuit television
monitoring systems.
- Requiring proper employee identification, such as
a security badge, for passage through an access point.
Modern security badges incorporate photos and magnetic,
electric, or optical codes that can be read only by
special readers. With advanced identification techniques,
each employee's entry and exit may be automatically
recorded in a log that is maintained on the computer
and periodically reviewed by supervisory personnel.
- Requiring that visitors sign a log as they enter and
leave the site. They should be briefed on company security
policies, assigned visitor's badges, and escorted to
their destination.
- Using a security alarm system to detect unauthorized
access during off-hours.
- Restricting access to private secured telephone lines
or to authorized terminals or personal computers.
- Installing locks on personal computers and other computer
devices.
September 2001
Self-Assessment of Your Business Office Processes
Evaluating
your business office processes is an important step in ensuring
strong internal controls. When you evaluate your processes
you should look for:
- Procedures that were not implemented as intended;
- Proper separation of duties;
- Internal control points that do not exist anymore
(reasons could include staff turnover, changes in processes,
new technologies, etc.); and
- Unnecessary control points that if eliminated or
changed, would allow you to realize efficiencies.
More common evaluation methods include:
- Flowcharting processes;
- Interviewing personnel involved in processes;
- Walking through transactions start to finish; and
- Utilizing questionnaires.
August 2001
Characteristics of Today's E-Commerce World
As opposed to yesterday's in-house computer application system,
an E-Commerce application is open to public exposure. It is an
extremely complex two-way network: pushing information out
invites outsiders in, and web server systems can be used as
launching points for attacks on the rest of the network.
Fundamentally, Internet / Web security is a set of procedures,
practices, and technologies for protecting web servers, web users,
and their surrounding organizations. E-Commerce applications
must be protected from six major threats:
- Hacking: intrusion with intent to harm.
- Denial of service: intent to prevent availability.
- Viruses / worms: intent to destroy or harass.
- Disclosure: intent to share information not intended
to be shared.
- Sabotage: intent to damage, or a threat to damage unless
a fee is paid (extortion).
- Mimicking: impersonating the organization or copying its
site with intent to embarrass or defraud.
JULY 2001
Audit Trail
An
audit trail is the evidence of actions performed upon data
from original documents to final disposition. It is a concrete
log of activities and events, either hardcopy or in the
form of a computer file, and exists as one document or file
or as a collection of documents. The existence of a reliable,
easy-to-follow audit trail is considered one indication
of good internal control in an organization.
Audit
trails are useful for maintaining security and integrity
of data and for recovering lost transactions. The purpose
of maintaining an audit trail is to ensure the possibility
of tracing errors to their source in order to investigate
their cause, and to trace the effects of any identified
errors on other reports and information items.
It
is essential that computer application systems include an
audit trail component. An electronic audit trail is a record
showing who has accessed a computer system and what operations
he or she has performed during a given period of time. An
effective electronic audit trail cannot be deleted or altered
in any way.
Basic
components of an electronic audit trail include:
- User name
- Date and time stamp
- Operation performed or attempted
- Subject(s) and object(s) of the operation
- Old value of data
- New value of data
- Status of the operation (completion result)
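The following Go program is an added example, not code from the tip or from the Internal Audit Office. It stores the components listed above as a hash-chained log, so that the "cannot be deleted or altered" property becomes something a reviewer can check rather than assume. The record layout, the field separator, and the three sample entries are this example's own constructions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// AuditEntry carries the basic components listed in the tip. Field names
// are this example's own choice, not a format the tip prescribes.
type AuditEntry struct {
	User      string // user name
	Timestamp string // date and time stamp (RFC 3339 text)
	Operation string // operation performed or attempted
	Subject   string // subject of the operation
	Object    string // object of the operation
	OldValue  string // old value of data
	NewValue  string // new value of data
	Status    string // completion result
	PrevHash  string // hash of the previous entry (the chain link)
	Hash      string // hash of this entry, computed over all fields above
}

// canonical renders the fields in a fixed order so the hash is reproducible.
// The ASCII unit separator (\x1f) is assumed never to appear in a value.
func canonical(e AuditEntry) string {
	return strings.Join([]string{e.User, e.Timestamp, e.Operation, e.Subject,
		e.Object, e.OldValue, e.NewValue, e.Status, e.PrevHash}, "\x1f")
}

func hashEntry(e AuditEntry) string {
	sum := sha256.Sum256([]byte(canonical(e)))
	return hex.EncodeToString(sum[:])
}

// Append links a new entry to the trail by recording the previous entry's
// hash inside it before hashing it.
func Append(trail []AuditEntry, e AuditEntry) []AuditEntry {
	if len(trail) > 0 {
		e.PrevHash = trail[len(trail)-1].Hash
	}
	e.Hash = hashEntry(e)
	return append(trail, e)
}

// Verify recomputes every hash and checks every link. An edited field, a
// deleted entry, or a reordered entry breaks the chain from that point on.
// It returns whether the trail is intact and the index of the first bad
// entry (-1 when intact).
func Verify(trail []AuditEntry) (bool, int) {
	prev := ""
	for i, e := range trail {
		if e.PrevHash != prev || hashEntry(e) != e.Hash {
			return false, i
		}
		prev = e.Hash
	}
	return true, -1
}

// SampleTrail builds a constructed three-entry trail (sample data only).
func SampleTrail() []AuditEntry {
	var t []AuditEntry
	t = Append(t, AuditEntry{User: "jdoe", Timestamp: "2001-07-02T09:15:00Z",
		Operation: "UPDATE", Subject: "vendor_master", Object: "vendor 4471",
		OldValue: "bank_acct=****1234", NewValue: "bank_acct=****9876", Status: "OK"})
	t = Append(t, AuditEntry{User: "jdoe", Timestamp: "2001-07-02T09:16:30Z",
		Operation: "APPROVE", Subject: "payment_run", Object: "batch 88",
		OldValue: "pending", NewValue: "approved", Status: "OK"})
	t = Append(t, AuditEntry{User: "asmith", Timestamp: "2001-07-02T09:20:05Z",
		Operation: "DELETE", Subject: "vendor_master", Object: "vendor 4471",
		OldValue: "active", NewValue: "", Status: "DENIED"})
	return t
}

func main() {
	trail := SampleTrail()
	ok, _ := Verify(trail)
	fmt.Println("intact trail verifies:", ok)

	// Someone with write access to the log file edits an old record after the fact.
	trail[0].NewValue = "bank_acct=****1234"
	ok, at := Verify(trail)
	fmt.Printf("tampered trail verifies: %v (first bad entry: %d)\n", ok, at)
}
```

A hash chain lets a later reader detect edits, deletions and reordering, but it does not stop someone who can rewrite the whole file and recompute every hash. In practice the latest hash is periodically copied somewhere the log writers cannot reach (a separate system, or a printout kept by the reviewer), or the entries are shipped to a write-only collector, which is what makes the trail reliable in the sense the tip intends.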

May 2001
Components of a Secure Server
Business policies, procedures, and practices are critical in ensuring the overall security of servers. From this foundation, additional components include:
- Physical Security
  - Access
  - Backup/restore
  - Disaster recovery
  - Electrical power
- Logical Security
  - Access controls
  - Firewalls
  - Log maintenance
  - Intrusion detection
  - Separation of duties
- Cryptography or Data Encryption
  - Data protection
  - Confidentiality

April 2001
Business Risks and Associated Risk Elements
Business risks for operations typically include revenues, regulations, operations, control environment, information technology, and expenses. It is important to know your business risks and the associated risk elements within each business risk.
Associated risk elements within each business risk include:
- Revenues
  - Compliance with policies and procedures
  - Recording in accordance with the fund purpose
- Regulations
  - Legal liability
  - Federal, state, and other regulatory requirements
- Operations
  - Efficiencies and effectiveness
  - Communications and complex interactions
- Control Environment
  - Safeguard access
  - Compliance with policies and procedures
  - Oversight and monitoring
- Information Technology
  - New technologies and infrastructure
  - Safeguarding data and data integrity
- Expenses
  - Proper use of resources and relationships with outside entities
  - Compliance with policies and procedures

March 2001
Internal Controls
What is internal control? Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives, including reliability of data and reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
Why are internal controls important to you and your organization?
- All staff have a fiduciary responsibility to ensure data integrity. Data integrity is critical for all computing systems and must be protected in accordance with external regulations and internal policies and procedures. A report generated with unreliable data can lead to poor management decisions. Good decisions and future directions are not possible without good information (data). Good control and security implementation within and around a system allows for protection of data (one of the organization's most important assets).

February 2001
Application Security
There are certain specifications that should always be considered and clearly defined when designing or purchasing a system. These include:
- Data Integrity - Performance measure based on the rate of undetected errors/preservation of programs or data for their intended purpose (i.e., audit trails, access control);
- Authentication - The act of verifying the identity of a user and the user's eligibility to access computerized information. Designed to protect against fraudulent logon activity (i.e., access control);
- Non-Repudiation - The user cannot later deny performing a specific transaction (i.e., audit trails);
- Confidentiality - Protection against unauthorized access to data (i.e., access control, authorization procedures); and
- Availability - The system is available during normal operational hours (i.e., server security).

January 2001
Web Server Security
Web servers are vulnerable to attack and make attractive targets since they may contain files with sensitive financial and proprietary information and effectively bridge an organization's internal and external networks.
A properly secured web server offers only two TCP/IP services to the outside world: HTTP on port 80 and HTTP with SSL on port 443. Your web server is one of the most likely computers to be compromised by an outside attacker. It is visible and available, so don't allow any sensitive financial and proprietary information to reside on this server!
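As an added example that is not part of the original tip, the Go program below checks the "only ports 80 and 443" rule against a listing of listening TCP sockets in the layout of `ss -ltn`. The sample listing is constructed, not taken from a real host, and treating loopback-bound services (127.0.0.1, ::1) as not offered to the outside world is an assumption of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Listener is one listening TCP socket parsed from ss-style output.
type Listener struct {
	Addr string
	Port int
}

// ParseListeners reads lines in the layout of `ss -ltn`: a header line, then
// "LISTEN recv-q send-q local:port peer:port". Only the fourth column is
// used; the header and any line that does not parse are skipped.
func ParseListeners(output string) []Listener {
	var out []Listener
	for _, line := range strings.Split(output, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 || f[0] != "LISTEN" {
			continue
		}
		i := strings.LastIndex(f[3], ":")
		if i < 0 {
			continue
		}
		port, err := strconv.Atoi(f[3][i+1:])
		if err != nil {
			continue
		}
		addr := strings.Trim(f[3][:i], "[]") // IPv6 addresses are bracketed
		out = append(out, Listener{Addr: addr, Port: port})
	}
	return out
}

// isLoopback reports whether a socket is bound only to the local host and
// therefore cannot be reached from the network (assumption of this example).
func isLoopback(addr string) bool {
	return addr == "::1" || strings.HasPrefix(addr, "127.")
}

// UnexpectedExposure returns the externally bound listeners whose port is
// not on the allow list (80 and 443 for the web server described above).
func UnexpectedExposure(listeners []Listener, allowed map[int]bool) []Listener {
	var bad []Listener
	for _, l := range listeners {
		if isLoopback(l.Addr) || allowed[l.Port] {
			continue
		}
		bad = append(bad, l)
	}
	return bad
}

// WebOnly is the allow list the tip describes.
var WebOnly = map[int]bool{80: true, 443: true}

// SampleSS is constructed output for the example; it is not from a real host.
const SampleSS = `State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:21          0.0.0.0:*
LISTEN 0      128    [::]:23             [::]:*
`

func main() {
	bad := UnexpectedExposure(ParseListeners(SampleSS), WebOnly)
	if len(bad) == 0 {
		fmt.Println("only HTTP and HTTPS are offered to the outside world")
		return
	}
	for _, l := range bad {
		fmt.Printf("unexpected service exposed: %s port %d\n", l.Addr, l.Port)
	}
}
```

On the sample listing the check reports ports 21 and 23 as exposed and ignores the database bound to 127.0.0.1. A listener check only sees what the host itself offers; a firewall in front of the server can narrow this further, and the reverse (a host-based listing that looks clean while the firewall forwards other ports) is why the two are reviewed together.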

December 2000
Effective Written Communication
Effective communication is an important component of good internal controls. Statistics show that, based on visual design, a person decides in 10 seconds if they want to read a document, and 65% only read the summary of a business report. Clear, concise communication will increase readability and help eliminate misunderstandings.
Steps to Effective Written Communication
- Focus on the reader. Describe your audience, define your purpose and message, and organize your thoughts;
- Write to express, not to impress. Draft your report and summarize in one sentence what you want to say. Be objective, avoiding negative language and eliminating repetitions. Use "plain English," active voice, and shorter paragraphs; and
- Proof your work. After taking a break, do a final review of the document.

November 2000
Change
A known fact in today's business environment is "change." Operational changes, business process changes, and system changes are but a few of the changes we experience on a daily basis. It is important to remember that the internal control environment changes when other business processes change. For that reason, the evaluation of the internal control environment is an on-going process versus a static process.
For more information on assessing internal controls in your business operation, please contact us at 47588.

October 2000
Security Administration
Security administration begins with management's commitment. Management must understand and evaluate security risks. Written policies clearly stating standards and procedures should be developed and enforced. Security administration functions include:
- Maintaining access rules to files and resources;
- Maintaining security and confidentiality over the issuance and proper maintenance of authorized user identifications and passwords;
- Monitoring security violations and taking corrective action to ensure that appropriate security is provided; and
- Periodically reviewing, evaluating, and updating the security policy.

September 2000
LAN Security
LANs facilitate the storage and retrieval of programs and data used by a group of people. LAN software and practices, if properly implemented, provide security for these programs and data; however, most LAN software default settings provide only a low level of security. The LAN security provisions available depend on the software product, product version, and implementation. Commonly available network security administration capabilities include:
- Declaring ownership of programs, files, and storage;
- Limiting access to read-only;
- Implementing record and file locking to prevent simultaneous update; and
- Enforcing user ID/password login procedures.
Sensitive data in a LAN environment should be password protected, encrypted, or stored in an area with higher file security than the common user access allows.

August 2000
Financial Statement Presentation and Management Assertions Based on Statements on Auditing Standards
Financial statement presentation requires specific management assertions. Assertions are management's representations that are contained in financial statement components. They are classified according to the following categories:
- Existence or Occurrence: Do the assets or liabilities exist?
- Completeness: Are all transactions and accounts that should be presented in the financial statement included?
- Rights and Obligations: Does the entity have the right to the asset and are the liabilities an obligation of the entity?
- Valuation or Allocation: Have assets, liabilities, equity, revenue, and expenses been included at appropriate amounts? and
- Presentation and Disclosure: Are components properly classified and disclosed?

July 2000
Password Security
While user IDs control system access, passwords are the most common form of user authentication. Basic control elements that are critical to ensuring proper access and accountability include:
- Adhering to University policy not to share your password with someone else;
- Protecting your password from unintentional release;
- Memorizing your password (do not write it down);
- Making your password more difficult to guess by adding numbers and special characters; and
- Creating a password that is unknown by others (do not use the names of children, friends, pets, date of birth, telephone number, dictionary words, etc.).
Remember, careful use of your password protects both you and the University's systems.

June 2000
Understanding the Control Environment
Statements on Auditing Standards (SAS) Number 78 requires auditors to obtain an understanding of internal controls. The control environment sets the tone of an organization and includes integrity and ethical values, commitment to competence, board of directors or audit committee participation, management's philosophy and operating style, organizational structure, assignment of authority and responsibility, and human resource policies and practices.

May 2000
Protecting Sensitive Information
In addition to protecting sensitive information on your workstations and network, you should also protect sensitive information that goes outside the control of your organization. Examples of sensitive data include credit card information, student information, and some personnel information.
Since electronic mail is gradually replacing conventional paper mail, it is important to know the security risks involved. E-mail messages are fairly easy to intercept and scan for key words. This can be done routinely, automatically, and undetectably on a large scale. Unless an e-mail message is encrypted prior to being sent, it will travel through potentially hundreds of servers and be accessible on all of them.

April 2000
The Fair Labor Standards Act -- Know the Law!
The Fair Labor Standards Act (FLSA) establishes minimum wage, overtime, and record-keeping standards for employees who are not exempt from its provisions. As a supervisor, you must know the law and University policies and procedures. Supervisors are responsible for proper monitoring of time and for ensuring that time is properly reported by their staff.
Know the overtime policy and procedures as stated in the Business Procedures Manual:
- The overtime policy and its regulations apply to the employment of all regular and temporary staff members (including student employees) who work in excess of 40 hours weekly or eight hours daily, except for those who perform work classified as exempt under the Fair Labor Standards Act;
- Department heads or their designated representatives authorize overtime when there are increased workloads, emergencies, or work that requires employees with certain skills, training, or experience. To prevent last minute scheduling, supervisors should inform their employees as soon as possible that they are needed for overtime work. Overtime not requested but permitted or condoned by a supervisor must be counted as "worked overtime"; and
- The University has certain classifications that are monthly paid non-exempt staff. Monthly paid employees who are eligible for the payment of overtime are to be compensated at time and a half for overtime work.
Know employee classifications and whether your staff members are eligible for overtime!
Further questions or clarification can be obtained from Personnel Services; ask them.
The University does NOT tolerate violations of the Fair Labor Standards Act.

March 2000
Understanding Domain Names and Trademarks
With the growing number of new web sites comes potential conflict with established web sites regarding domain names and trademarks. Infringements or unauthorized use of a domain name or trademark can result in legal recourse. It is important to understand the definitions and their differences.
Domain Name:
- A unique name that identifies an internet site;
- A name by which a company or organization is known on the internet;
- Often established on a first-come, first-served basis;
- Registration of a domain name does not have trademark status;
- Wise to obtain a trademark registration immediately upon registering a domain name; and
- Responsibility of the company to determine that their domain name is not infringing upon the rights of a third party.
Trademark:
- Any word, name, symbol, device, or any combination thereof that identifies the source of goods or services, whether or not they are registered;
- Conduct searches before use and registration of a trademark as a domain name to ensure that an infringement has not occurred;
- Registration does not mean ownership; and
- Trademark metatags are an infringement.

February 2000
Digital Signatures
As use of the Internet for business purposes increases, so does the need for establishing proper identification and authentication of the parties involved. The use of digital signatures may provide the assurances we need.
What is a digital signature?
A digital signature is an electronic signature formed using two related keys, a public key and a secret or private key, and is frequently regarded as the electronic equivalent of handwritten signatures. The objectives of digital signatures are to allow the recipient to prove the identity of the sender and assure the integrity of the data being transferred.
What are some legal considerations?
- Proving the integrity and origin of the data and ensuring that they can be verified by a third party (non-repudiation);
- Establishing an infrastructure that supports legal considerations;
- Recognizing that legal jurisdictions may not acknowledge the technique of another, e.g., Indiana may differ from Illinois; and
- Verifying reliability of the certification authority (the third party).
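As an added example that is not part of the tip, the Go program below uses Ed25519 from the standard library to show the two objectives named above: the recipient verifies with the sender's public key alone, a changed message fails verification (integrity), and a signature produced with someone else's private key fails (origin). The purchase-order text and the party names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Sender holds a key pair. Only the public half is ever handed out; the
// private half stays with the signer.
type Sender struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSender() (*Sender, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Sender{pub: pub, priv: priv}, nil
}

// Sign produces the signature that accompanies the message.
func (s *Sender) Sign(msg []byte) []byte { return ed25519.Sign(s.priv, msg) }

// Public returns the key the recipient (or a third party) uses to verify.
func (s *Sender) Public() ed25519.PublicKey { return s.pub }

// VerifyMessage is the recipient's check: it needs only the claimed sender's
// public key, the message as received, and the signature.
func VerifyMessage(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Scenario runs the three cases and reports (genuine, tampered, forged):
// the genuine message verifies, an altered message does not, and a
// signature from a different key does not.
func Scenario() (genuine, tampered, forged bool, err error) {
	alice, err := NewSender()
	if err != nil {
		return
	}
	other, err := NewSender() // a second party with its own key pair
	if err != nil {
		return
	}

	// Constructed message; the amount is the part an attacker would want to change.
	msg := []byte("Purchase order 1042: pay vendor 4471 USD 12,500.00")
	sig := alice.Sign(msg)

	genuine = VerifyMessage(alice.Public(), msg, sig)

	altered := []byte("Purchase order 1042: pay vendor 4471 USD 92,500.00")
	tampered = VerifyMessage(alice.Public(), altered, sig)

	forged = VerifyMessage(alice.Public(), msg, other.Sign(msg))
	return
}

func main() {
	genuine, tampered, forged, err := Scenario()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Println("genuine message verifies:       ", genuine)
	fmt.Println("altered message verifies:       ", tampered)
	fmt.Println("other party's signature verifies:", forged)
}
```

The verification step answers "was this signed with the private key that matches this public key?" and nothing more; the last bullet above, verifying the certification authority, is what ties that public key to a named person or organization.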

January 2000
Enforcing Controls
If employees are to accept controls willingly, they should understand what the controls are seeking to do and their responsibility in relation to the controls. When discussing responsibility, it is important to communicate the objective as well as the action required to obtain the objective. When lack of communication occurs, the following problems can develop:
- Controls are perceived as unreasonable, creating apathy among the employees;
- Controls are considered useless and, therefore, ignored; and/or
- Sloppy application of controls occurs.
Educate personnel and then ask employees for feedback. When training and feedback are embraced by the organization, a team environment is created and employees are vested in the success of the control environment.

December 1999
Factors That Can Adversely Affect Control
Two essential components of control are execution of control procedures at the operating level and clear direction from top management. Despite knowledge of control procedures, employees at any level can effectively destroy a potentially adequate control system. Factors that can adversely affect control and segregation of duties include:
- Controls in place but not effectively used;
- Inefficient controls established;
- System in place but not being used;
- Access to assets not strictly controlled; and/or
- Lack of controls.
A periodic review of company controls is crucial, giving consideration to the above factors. Engage in discussion with personnel at the operating level as well as top management to receive feedback on your current policies.
Next month, Enforcing Controls.

November 1999
Separation of Duties
Duties are incompatible if one person can perpetrate and conceal errors and irregularities while performing day-to-day activities. If the same person is the originator and reviewer of a document or transaction, no real protection against errors exists. Consider the following controls in authorization, custody, and accounting to ensure segregation of duties:
- Assign specific responsibilities within the revenue, income-producing, or review cycle to different individuals;
- Involve an independent third party as a check;
- Cross-train individuals who perform no incompatible duties to cover for vacation periods; and
- Conduct periodic checks for circumvention of existing controls.
Even with an efficient checks-and-balances system in place, adequate control systems can be destroyed. Next month we will discuss factors that can adversely affect control and segregation of duties.

October 1999
Internal Controls and Separation of Duties
Implementation of effective internal controls is the responsibility of the department and is shared throughout the University. Controls are designed to protect the University against losses caused by outsiders or caused by internal embezzlement, inefficiencies, or negligence and carelessness. Controls are designed to protect innocent people. Controls typically fall into the following five categories:
- Adequate separation of duties
- Proper procedures for authorization
- Adequate documents and records
- Physical control over assets and records
- Independent checks on performance (quality assurance reviews)
The review of an internal control environment is ongoing in nature. As processes and people change, the control environment also changes. Be aware when changes have occurred and reevaluate the internal control environment. The Internal Audit Office would be happy to assist you in this review process.

September 1999
Network Dial-in Security
It is possible to break network security using dial-in modems. Without dial-in controls, a caller can dial in and try passwords until they gain access. Once in, they can hide destructive pieces of software, pass to other networks, and steal data. To minimize the risk of unauthorized dial-in access:
- Remote users should never store their passwords in plain text login scripts;
- Portable PCs should be protected by physical keys and/or BIOS based passwords in case dial-in scripts or sensitive data may be stolen;
- Dial-back modems should be used to call back only authorized remote users; and
- One-time password generator devices should create a unique password for each login to the system.
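The last bullet describes counter-based one-time-password tokens. As an added example that is not from the tip, the Go program below implements the HOTP algorithm of RFC 4226 for the token side and a small server-side verifier that refuses to accept the same password twice, which is what makes a password captured on the line useless to a later caller. The shared secret is the RFC's own published test-vector key, and the look-ahead window of five is an assumption of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP computes the RFC 4226 value: HMAC-SHA1 over the big-endian counter,
// dynamic truncation to 31 bits, then the low `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verifier is the server side for one user's token. It remembers the next
// counter it will accept, so an already-used value is rejected, and looks a
// few counters ahead in case the token was advanced without a login.
type Verifier struct {
	secret []byte
	next   uint64 // lowest counter value still acceptable
	window uint64 // how many counters ahead of `next` to try
	digits int
}

func NewVerifier(secret []byte, window uint64) *Verifier {
	return &Verifier{secret: secret, window: window, digits: 6}
}

// Check accepts a submitted password once. On success the window moves past
// the counter that matched, so that value (and any earlier one) is dead.
func (v *Verifier) Check(code string) bool {
	for c := v.next; c < v.next+v.window; c++ {
		if hmac.Equal([]byte(HOTP(v.secret, c, v.digits)), []byte(code)) {
			v.next = c + 1
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test-vector key, not a real secret
	v := NewVerifier(secret, 5)

	first := HOTP(secret, 0, 6)
	fmt.Println("token displays:", first)
	fmt.Println("first login accepted:      ", v.Check(first))
	fmt.Println("replay of same value:      ", v.Check(first))
	fmt.Println("next token value accepted: ", v.Check(HOTP(secret, 1, 6)))
}
```

With the RFC test key the first six values are 755224, 287082, 359152, 969429, 338314 and 254676. The verifier's state (the `next` counter) is the part that must be stored durably per user; lose it and a recorded password becomes replayable until the counter is resynchronised.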

August 1999
Environmental Controls
As with physical security vulnerabilities, environmental vulnerabilities to data centers could result in serious losses to an organization. Environmental controls reduce the risk of disruption of business activity. Items to control and monitor include air quality, electrical power, and ground and atmospheric conditions. Examples of common environmental controls include:
- Water detectors - in the computer room, should be placed under raised floors and near drain holes even if the computer room is on high ground.
- Hand-held fire extinguishers - should be in strategic locations throughout the facility and inspected annually.
- Smoke detectors - should be above and below the ceiling tiles throughout the facility. Detectors should produce an audible alarm as well as be linked to a monitored station.
- Fire suppression systems - designed to automatically activate immediately after detection of high heat typically generated by fire. Like smoke detectors, the system should produce an audible alarm and be linked to a central station that is regularly monitored.
- Uninterruptible Power Supply (UPS) system - continues to provide electrical power to the computer for a certain length of time in the event of a power failure. Most UPS systems also "cleanse" the power to ensure wattage to the computer remains consistent.
- Prohibit eating, drinking, and smoking within the Information Processing Facility.

July 1999
Physical Data Center Controls
Physical security vulnerabilities to data centers could result in financial loss, legal repercussions, loss of credibility, or loss of competitive edge. Physical access controls are designed to protect the organization from unauthorized access. These controls should limit access to only those individuals authorized by management. Examples of some of the more common access controls are:
- Bolting door locks -- These locks require the traditional metal key to gain entry. The key should be stamped "do not duplicate."
- Combination door locks (cipher locks) -- This system uses a numeric keypad or dial to gain entry. The combination should be changed on a regular basis or whenever an employee with access is transferred, fired, or subject to disciplinary actions. This reduces the risk of the combination being known by unauthorized people.
- Electronic door locks -- This system uses a magnetic or embedded chip based plastic card key or token entered into a sensor reader to gain access. A special code internally stored in the card or token is read by the sensor device that then activates the door locking mechanism.
- Biometric door locks -- An individual's unique body features, such as voice, retina, fingerprint, or signature, activate these locks. This system is used in instances when extremely sensitive facilities must be protected, such as in the military.
Other methods include photo IDs, video cameras, security guards, escorted/controlled visitor access, dead man doors (two doors that only allow entry by one person at a time), terminal locks, and alarm systems.

June 1999
Web Page Liability
There are several ways you can be legally liable for content of your web pages. The University or you personally could be held liable if your web page:
- Contains someone else's copyrighted material or trademark without permission;
- Links to another page that contains someone else's copyrighted material or trademark without permission;
- Presents fraudulent advertising; or
- Publishes defamatory statements.
You could also be liable for misuse of information gathered via your web page or cookies (sent or received by your web page).

May 1999
Workstation Security (Part II)
As presented in the November 1998 tip, workstation security can pose a large risk to data security. Any time a user leaves a workstation while it is logged into an application or just a network, it offers an opportunity for someone else to use that workstation and account to alter or view Purdue University data. Supervisory staff should take a role of "security officer" in their areas by doing the following:
- Make sure all users are aware of their security responsibilities;
- Randomly check workstations when no user is present to ensure that the workstation was either automatically locked (via a screen saver with password) or manually locked by the user; and
- If the workstation is not locked, then any open applications should be noted to evaluate the risk of someone tampering with the data and the user should be reminded of their security duties.

April 1999
Year2K
The year 2000 is a problem affecting all University academic, research and administrative units. Efforts should be made to identify systems and processes that fall under the classification of "high priority". High priority systems and processes are those which, if they failed, could cause:
- A shut down of University operation, or hamper significant portions of research or instructional activities;
- Health hazards to individuals;
- Loss of revenue (students, state, government investments, contracts, grants, services, etc.); or
- Significant litigation expenses or losses.
If you have issues or concerns that you feel need further review or discussion, please contact the Internal Audit Office.

March 1999
Procurement Card Purchase Controls
(Reference the Purdue University Departmental Purchasing Card Handbook)
Assess the control environment by asking the following questions regarding segregation of duties:
- Is the person making purchases different than the person who is approving the purchases?
- Has the person approving the purchases been granted comptroller authority?
- Is the person performing the reconciliation different than the person who is purchasing and approving the purchases?
- Is the review and approval of the reconciliation, supporting documentation, and intramural approval performed independently of the procurement function?
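The four questions can be applied mechanically to a batch of purchasing-card records, which is how a reviewer would find exceptions across a whole department rather than one transaction at a time. The Go program below is an added example, not from the Handbook or the Internal Audit Office; the record fields, the list of who holds comptroller authority, and the three sample transactions are constructed.

```go
package main

import "fmt"

// CardTransaction records who did what for one purchasing-card purchase.
// Field names are this example's own.
type CardTransaction struct {
	ID         string
	Purchaser  string
	Approver   string
	Reconciler string
	Reviewer   string // reviews and approves the reconciliation and support
}

// Authority lists who has been granted comptroller (approval) authority.
type Authority map[string]bool

// SoDFindings applies the four questions above to one transaction and
// returns one line per control that is not met.
func SoDFindings(t CardTransaction, comptroller Authority) []string {
	var f []string
	if t.Purchaser == t.Approver {
		f = append(f, "purchaser approved own purchase")
	}
	if !comptroller[t.Approver] {
		f = append(f, "approver has not been granted comptroller authority")
	}
	if t.Reconciler == t.Purchaser || t.Reconciler == t.Approver {
		f = append(f, "reconciler also purchased or approved")
	}
	if t.Reviewer == t.Purchaser || t.Reviewer == t.Approver || t.Reviewer == t.Reconciler {
		f = append(f, "reconciliation review not independent of the procurement function")
	}
	return f
}

// Review runs the check over a batch and returns the findings keyed by
// transaction ID; clean transactions are omitted.
func Review(batch []CardTransaction, comptroller Authority) map[string][]string {
	out := map[string][]string{}
	for _, t := range batch {
		if f := SoDFindings(t, comptroller); len(f) > 0 {
			out[t.ID] = f
		}
	}
	return out
}

// SampleBatch returns constructed data: one clean transaction, one where a
// single person did everything, and one with a non-independent reviewer.
func SampleBatch() ([]CardTransaction, Authority) {
	auth := Authority{"rlee": true, "mchen": true}
	batch := []CardTransaction{
		{ID: "PC-1001", Purchaser: "jdoe", Approver: "rlee", Reconciler: "asmith", Reviewer: "mchen"},
		{ID: "PC-1002", Purchaser: "jdoe", Approver: "jdoe", Reconciler: "jdoe", Reviewer: "rlee"},
		{ID: "PC-1003", Purchaser: "asmith", Approver: "tkim", Reconciler: "jdoe", Reviewer: "jdoe"},
	}
	return batch, auth
}

func main() {
	for id, findings := range Review(SampleBatch()) {
		fmt.Println(id)
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

A small department may not have four people to fill the four roles; the usual answer in that case is the one the November 1999 tip gives, an independent third party (another unit, or the central office) taking the reconciliation review, which this check would then accept.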

February 1999
Year 2000 Readiness
Ask the following questions:
- Have we identified all computer software and hardware and date sensitive embedded systems that may not be Year 2K compliant?
- Have we taken action to "fix" these systems either by replacement or code changes?
- Have we developed written contingency or backup plans in the event that "fixes" do not work as planned or we do not identify the date sensitive embedded systems?

January 1999
Internal Controls
Some employers estimate that as much as $40 billion is misappropriated annually by employees from their employers.[1] Unfortunately, nonprofit organizations are not immune to employee defalcation.
Developing strong internal control procedures is essential to deterring internal theft. One of the most important controls is ensuring that no single individual has absolute control without proper or adequate oversight. Circumstances or events that may cause the organization or operation to be vulnerable include:
- Lack of control consciousness;
- Opportunity; and
- Motivation.
Good internal controls are essential over cash, accounts receivable, inventory, purchasing functions, and payroll and personal expenses. Remember, the important elements of internal controls include information, communication, and monitoring of the internal control systems.
[1] Nonprofit Controller's Manual

December 1998
Benefits of Control:
- Internal controls are a positive means of helping managers and their staffs achieve objectives and goals. Good controls protect the organization and the employee. One basic control is comparing actual outcomes with those planned.
- Operating standards are also key to the control environment. They establish the kind of performance expected and are quantitative results. Ongoing review of the amount of control is necessary to ensure that controls do not become obsolete as changes are made in the operation and to operating standards.

November 1998
Workstation Security:
Workstation security can pose a large threat to data security. Even if all possible precautions are taken in choosing and protecting a password, an account can still be vulnerable if the user remains logged in while away from their computer. Someone could use that computer to change University data, and the transactions would list the account owner as the responsible party. They could also use that computer to look up sensitive information that would normally be unavailable to them. To avoid this problem:
- Log out of all accounts while away from the computer;
- Use the screen saver password option and set the screen saver delay to just a few minutes. Use the same principles for selecting a screen saver password that are used to select all other passwords.

October 1998
Password Security:
While the user ID controls system access, passwords are the most common form of user authentication used in information technology. There are basic control elements that are critical to ensuring proper access and accountability.
- It is against University policy to share your password with someone else;
- Protect your password from unintentional release;
- Never write your password down, and never display it where it is accessible to others;
- Never use a password that is information known by others, i.e., the names of children, friends, pets, date of birth, telephone number, dictionary words, etc.
Remember, careful use of your password protects both you and the University's systems.
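This tip and the July 2000 Password Security tip above list the same rules for choosing a password. The Go program below is an added example, not University code, that turns the checkable ones (numbers and special characters present; no dictionary words; no names, birth date or telephone number known to others) into a checker a system could run at password-change time. The word list, the user profile, and the 8-character minimum length are assumptions of this example; the tips state no length.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Personal holds the facts about a user that the rules say must not appear
// in the password. Field names are this example's own.
type Personal struct {
	Names     []string // children, friends, pets, the user's own name
	BirthDate string   // any form; only its digits are used, e.g. "1975-03-14"
	Phone     string   // any form; only its digits are used
}

// Dictionary is a constructed stand-in for a real word list.
var Dictionary = []string{"password", "welcome", "purdue", "summer", "secret", "boilermaker"}

// keepDigits strips everything but 0-9 so "1975-03-14" and "(765) 494-5000"
// can be matched against the digits typed in a password.
func keepDigits(s string) string {
	var b strings.Builder
	for _, r := range s {
		if unicode.IsDigit(r) {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// dateForms lists the ways an 8-digit date is commonly typed: in full,
// without the century, month and day only, and year only.
func dateForms(date string) []string {
	d := keepDigits(date)
	if len(d) != 8 {
		return nil
	}
	return []string{d, d[2:], d[4:], d[:4]}
}

// CheckPassword returns the rules the candidate breaks; an empty result
// means it passes.
func CheckPassword(pw string, p Personal) []string {
	var problems []string
	lower := strings.ToLower(pw)
	if len(pw) < 8 {
		problems = append(problems, "shorter than 8 characters")
	}
	hasDigit, hasSpecial := false, false
	for _, r := range pw {
		if unicode.IsDigit(r) {
			hasDigit = true
		} else if unicode.IsPunct(r) || unicode.IsSymbol(r) {
			hasSpecial = true
		}
	}
	if !hasDigit {
		problems = append(problems, "no numbers")
	}
	if !hasSpecial {
		problems = append(problems, "no special characters")
	}
	for _, w := range Dictionary {
		if strings.Contains(lower, w) {
			problems = append(problems, "contains dictionary word: "+w)
		}
	}
	for _, n := range p.Names {
		if n != "" && strings.Contains(lower, strings.ToLower(n)) {
			problems = append(problems, "contains a known name: "+n)
		}
	}
	digits := keepDigits(pw)
	for _, d := range dateForms(p.BirthDate) {
		if strings.Contains(digits, d) {
			problems = append(problems, "contains birth date")
			break
		}
	}
	if ph := keepDigits(p.Phone); len(ph) >= 4 && strings.Contains(digits, ph[len(ph)-4:]) {
		problems = append(problems, "contains telephone number")
	}
	return problems
}

func main() {
	// Constructed user profile; not a real person.
	me := Personal{Names: []string{"Max", "Bella"}, BirthDate: "1975-03-14", Phone: "(765) 494-5000"}
	for _, pw := range []string{"bella0314", "purdue1975", "Tr0ub4dor&3"} {
		if problems := CheckPassword(pw, me); len(problems) == 0 {
			fmt.Printf("%-12s accepted\n", pw)
		} else {
			fmt.Printf("%-12s rejected: %s\n", pw, strings.Join(problems, "; "))
		}
	}
}
```

The personal-information rules can only be enforced against facts the system knows, which is why they remain a user responsibility in the tip; the checker catches the obvious cases and a real word list would be far longer than the six words used here.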

September 1998
Audit Suggestions:
Control (Defined): The policies, procedures, and practices designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Control Evaluator: Evaluate the following five factors in terms of operational, financial, and compliance implications.
- Control Environment: The core of any business is people and their attributes. Attributes include integrity, ethical values, and competence, and the environment in which they operate.
- Risk Assessment: Objectives of operations must be reviewed and mechanisms must be established to identify, analyze, and manage the related risks.
- Control Activities: Control policies and procedures must be established and executed to ensure that risks are addressed and the entity's objectives are achieved.
- Monitoring: Processes must be monitored and modifications made where necessary.
- Information & Communication: Information and communication systems enable the capture and exchange of information needed to conduct, manage, and control its operations.
No tip posted in August.