Tips
June 2008
IT Risk Assessment
Key questions to consider when addressing information technology (IT) risk include what mechanisms are in place to ensure that IT systems are in line with business objectives, how risks are mitigated, and what the IT department’s role is in ensuring that the business can continue to operate in the event of an interruption.
Concepts from Internal Auditor, June 2008, Addressing IT Risk
May 2008
Data Security Requirements
Data protection compliance requirements vary by industry. Security requirements are typically structured to promote effective information security policies, secure networks, protection of data, vulnerability management, strong access controls, and regular monitoring and testing.
Concepts from The EDP Audit, Control, and Security Newsletter, April-May 2008, VOL. XXXVII, NOS. 4-5 and the Payment Card Industry Data Security Standard
April 2008
Printers
Printers are typically networked devices that are as vulnerable as other networked devices. Remember to secure printers accordingly.
March 2008
Enterprise Risk Management
Managing risk is critical to the success of any organization. Organizations need to identify events that impact objectives, assess the risks associated with those events, and develop action plans to manage the risks.
February 2008
Rates and Fees
Pursuant to the policy and procedure established by the Board of Trustees, it is the responsibility of the dean, director, chancellor, and head of school, division, department and office for each area to assure that all fees and charges of any kind have been previously approved by the Board of Trustees or the executive vice president and treasurer or his designee. (See Executive Vice President and Treasurer Memo A-18.)
Additional information may be viewed in the PU Business Procedures Manual.
January 2008
Statement of Integrity
Purdue University has a tradition of ethical conduct spanning its history. As members of the Purdue community, we demonstrate unyielding and uncompromised integrity in support of the highest standards of excellence for the University. As individuals, we all contribute to this Purdue standard of integrity as an exemplary model for all universities.
The above sentences are from the Purdue University Statement of Integrity. The entire document may be viewed at Statement of Integrity
2007
December 2007
Continuous Monitoring
What does continuous monitoring mean? Basically, it is a methodology used by management and audit departments that leverages technologies and processes to perform continuous reviews and analyses of business information.
No tip posted for November 2007
October 2007
Security Awareness Month
ITaP Networks and Security announced that October is security awareness month. The following are topics that they will be presenting during October.
- October 10: Internet Riding Safely - A discussion of ways to safely use the internet
- October 17: Cybercrime and Copyright Infringement - Intellectual property strategies and the law and cyber forensics
- October 24: Future Destinations: Trends in Technology - New trends in the coming year
- October 31: Destination Unknown - A discussion on information technology and the future of higher education
To find out more about these upcoming events, visit the ITaP website.
September 2007
Are Your Controls Efficient?
Last month, our focus was on management’s role in continuously monitoring the effectiveness of internal controls throughout the organization. To be effective, an internal control process must be one that assures the right things are being done.
Management is also accountable for assuring the efficiency of operations (IIA, 2007), that is, for reviewing internal controls that assure people and systems are doing things right. Business objectives can only be met by doing the right things right. When effective internal control processes are not being performed efficiently, the overall business objective is still compromised.
Reference
The Institute of Internal Auditors (September 2007)
August 2007
Are Your Controls Effective?
Managers and supervisors are responsible for establishing appropriate controls and monitoring their effectiveness to provide reasonable assurance that the goals and objectives of their department are being met.
Do your controls:
- Prevent or detect deviations early to limit costly errors?
- Provide reasonable (not absolute) assurance of achieving objectives?
- Operate effectively when compared to the costs of the potential error?
Or, are your controls:
July 2007
No tip posted for July
June 2007
GAO Issues Revised Yellow Book [1]
The U.S. Government Accountability Office (GAO) has revised the Government Auditing Standards, commonly referred to as the Yellow Book. The standards are effective for periods beginning on or after January 1, 2008. The revised Yellow Book can be accessed on the GAO’s Web site: www.gao.gov
[1] Internal Auditor, April 2007
May 2007
Purdue University Information Security Program
Objectives of the Purdue University Information Security Program for the Gramm Leach Bliley Act (GLBA) and Health Insurance Portability and Accountability Act of 1996 (HIPAA) may be found at: The Purdue University Information Security Program
April 2007
Unmanaged Privileged Passwords
“Failure to update privileged passwords – accounts that enable users to control and configure applications and data – exposes organizations to serious security problems.” [1] Unique passwords should be assigned to each privileged account.
[1] The Institute of Internal Auditors, December 2006, “Unmanaged Privileged Passwords Pose Security Risks”
March 2007
Best Practices for Remote View/Control of Workstations
IT often uses remote tools to assist in legitimate troubleshooting of computer hardware or software issues. These features add risks for security and confidentiality when support personnel view your screen in real-time.
Use the following guidelines when authorizing remote view or control of your workstation:
- Do not accept remote view or control requests that you have not initiated. (If you did not place the call for assistance, then do not give access to anyone.)
- If it is necessary to allow remote access, then only grant it to appropriate support personnel.
- Close all applications that are unnecessary to resolving the issue for which you need support.
- Remain at your workstation at all times when remote viewing or controlling is taking place.
- You are responsible for any actions taken while you are logged in, so watch carefully what action is taken on your computer.
- Always ensure that the remote view or control is disconnected/terminated after support personnel have assisted you.
- Be alert for “social engineering” attempts to gain remote access to your computer, whether by phone or email. Report any attempts to your supervisor.
- If you are uncomfortable with actions taken during a remote control session, immediately end the session and tell your supervisor, who will report the incident according to Purdue’s Incident Response Policy.
February 2007
Fraud Reporting Toll Free Number
The anonymous fraud-reporting program toll free number is 866-818-2620. You may anonymously report information anytime day or night. In addition to the toll free number, you may also report information anonymously at (765) 494-6999.
Visit www.purdue.edu/fraud for additional information.
January 2007
Fraud Reporting
Best practices provide for a fraud-reporting program as an important part of a healthy business environment. Purdue University has in place controls to provide reasonable assurance that fraudulent, illegal or dishonest activity on the part of University employees, officers, or business contacts is prevented or detected, but the potential for inappropriate transactions and behavior still exists within the University, as it does in any organization. Therefore, consistent with best business practices, Purdue University has implemented a fraud-reporting program to ensure that the University provides a mechanism for reporting improper or inappropriate acts.
The Internal Audit Office is responsible for the administration of the Purdue University fraud-reporting program. For additional information on the program, please visit www.purdue.edu/fraud. A Disclosure Form for anonymous reporting is available at the website or you may leave an anonymous message by calling the dedicated fraud reporting program telephone number: (765) 494-6999.
December 2006
Control Deficiency
Statement on Auditing Standards (SAS) 112 states that a control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. [1]
[1] Statement on Auditing Standards (SAS) 112, Communicating Internal Control Related Matters Identified in an Audit
November 2006
Data Security
Data is a valuable organizational asset and requires appropriate levels of security. The University continues to educate on improving the security of data via an initiative called SecurePurdue. For details on how you can help to provide a secure data environment, go to www.purdue.edu/securePurdue
October 2006
Computing Assets
Computing assets and associated risks relative to these assets must be identified in order to mitigate departmental or institutional risks. In a decentralized computing environment, each area must identify hardware, software, systems, services, facilities, or related technology assets. Risks related to these assets must then be identified which may include lack of system administration training, desktop access controls, operational policies, strong passwords, data protection, internal or external physical security, secured text transmissions, and natural disaster planning. Once assets and risks of each of these assets have been identified, appropriate solutions to mitigate the risks must be implemented.
Concepts are from: Using System Audits to Strengthen IT Security by Randy Marchany, Virginia Tech University
September 2006
Take Responsibility to Prevent Fraud
Everyone is responsible for ensuring that a culture of integrity is maintained at the University. We must never take any action that would be inappropriate or would violate laws or our policies. When confronted with new, unclear, or important situations, we need to apply the five-point test to answer “Would it be right?”
- Would I have to hide what I did?
- Would it deceive anyone?
- Would it give me an advantage to which I am not entitled?
- Would I be happy to be on the receiving end?
- Would it be OK if everyone did this?
Source: Indiana CPA Society Anti-Fraud Conference, August 30, 2006 - Syrus Global
August 2006
Electronic Mail
Electronic mail (e-mail), a primary communications mechanism, provides increasing risks for higher education. E-mail usage has grown tremendously and yet institutional expectations for managing e-mail usage have not kept pace.
See Purdue University’s policy on e-mail.
Per this policy, e-mail stored on a University e-mail system will generally be preserved for no longer than 30 days after deletion. E-mail residing on the mail servers is retained indefinitely as are any e-mail items archived to files. Staff should not retain departmental information in this manner. Instead, e-mail containing information necessary to the University’s operation should be retained either electronically or on paper in departmental account folders.
July 2006
Business Risks
Business risks exist in all areas including operations, revenue, expenses, regulations, control environments, and information technology. Some of the primary areas where internal controls may not be functioning as intended include physical controls, separation of duties, authorization, compliance, and data (integrity, reporting, and monitoring). In order to assess business risks and to determine if controls are effective, you need to understand the goals of the operation and compare the goals to the process.
June 2006
Data Classification Standards
To identify the controls required to protect data, it is first necessary to understand the types of data that the institution has. Over the years, Purdue University has developed data classification standards.
May 2006
Protection of Data
The University has been diligently working to secure data. We each have a responsibility to ensure that data are protected. Please go to the SecurePurdue website to learn more about what you can do.
Check it out at: http://www.purdue.edu/securepurdue/
April 2006
Enterprise Risk Management-Integrated Framework
In September 2004, The Committee of Sponsoring Organizations (COSO) released the Enterprise Risk Management-Integrated Framework. This framework is designed to include effective internal controls and effective risk management.
For additional information on this framework, please go to COSO’s website at http://www.coso.org.
March 2006
A Quicker Way to Lock Your Computer
Whenever you step away from your personal computer, you should ensure that it is locked. On Windows-based machines, most people accomplish this by pressing the Ctrl, Alt, and Delete keys and then clicking the “Lock Computer” button (or pressing enter). An even quicker way is to press the “Windows” key and the “L” key simultaneously. (The “Windows” key is the key with the Windows icon on it.)
The University’s security guidelines call for you to lock the workstation whenever it will be left unattended.
February 2006
Internal Control-Integrated Framework
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued the Internal Control-Integrated Framework. This framework has served as the blueprint for establishing internal controls that promote efficiency, minimize risks, and help ensure the reliability of financial statements, and comply with laws and regulations. [1]
[1] An excellent summary article titled Putting COSO’s Theory into Practice can be located at the COSO website: http://www.theiia.org/download.cfm?file=42122
January 2006
Fraud Reporting Program
Best practices provide for a fraud reporting program as an important part of a healthy business environment. Purdue has established a Fraud Reporting Program to provide a mechanism for individuals to report improper or inappropriate activities not identified by existing controls.
There may be times when employees, students or other University contacts suspect or become aware of questionable acts concerning the University. For additional information on the program, please visit www.purdue.edu/fraud. A Disclosure Form for Anonymous Reporting is available on the website. A telephone number is also available for anonymously reporting suspected fraud or other wrongdoings. The dedicated Fraud Reporting Program Telephone Number is (765) 494-6999.
December 2005
SecurePurdue
Did you know Purdue has a website devoted to information and resources that will help you improve both the information security of the University and your own personal information?
Check it out at: http://www.purdue.edu/securepurdue/
November 2005
Best Practice for Network Security
Security is not something you have or don't have; it is something you do. Network security is a never-ending race between those who discover exploits and those who block them. That is why it is pointless to maintain an authoritative list of current vulnerabilities. The practical approach is to secure your server with all new vulnerabilities/patches today, then update your server each week (or day!) as the new vulnerabilities/patches arrive.
Source of information: SANS Institute, Securing Internet Information Server, 2005.
October 2005
Why is securing information systems so challenging?
- People are responsible for security, and they are fallible.
- Security processes include prevention, detection, and recovery. These processes rely on people doing the right things.
- Security technologies sometimes fail (unsuspected bugs, etc.).
Source: Information Systems Control, Volume 4, 2005, IS Security Matters
September 2005
The Internal Control Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) contains the following key concepts:
- Internal control is a process and is a means to an end, not an end in itself.
- Internal control is effected by people.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
- Internal control is geared to the achievement of the organization's objectives.
August 2005
You are Accountable for Effective Controls
Effective controls allow organizations to manage operational and financial integrity while complying with laws and regulations, which increases confidence in business performance. Controls are the essential outcome of policies, procedures, and guidelines and are defined from policy statements. Each person is accountable for ensuring effective controls. Ultimately, control or compliance violations, whether malicious or accidental, come down to people. The effectiveness of the control environment is dependent on each person understanding that they are accountable for certifications and reviewing and monitoring information, and that approaching compliance is an ongoing process.
Source of Information: Seven Habits of Highly Effective Compliance Programs, Michael Rasmussen, July 12, 2005
July 2005
Protect University Data
Get rid of sensitive or restricted data where possible. If it is not collected, it can't be compromised. When extracting data from its original secured environment via Brio or other reporting tools, do not save data to local hard drives or other unprotected storage areas.
June 2005
E-mails as public records!
E-mails with a person's name on them can be considered a public record. Everyone has the right to make a public records request for University documents.
Source: Leading Edition E-Newsletter for Purdue University Supervisors.
May 2005
Due to technical difficulties no tip was posted for the month of May.
April 2005
Due to technical difficulties no tip was posted for the month of April.
March 2005
Information Technology Controls [1]
Information technology application controls are the automated and manual controls around a computer system or application.
Information technology general controls include:
- Controls over application development and maintenance (the data center, the network, and the security of programs);
Information technology controls (application and general controls) are part of the overall organizational control structure and work in combination with other control procedures to manage business risks.
[1] Internal Auditor, August 2004, The More Things Change ...
February 2005
Control Risk
Control risk is a function of the effectiveness of the design and operation of internal control structure policies or procedures in achieving the entity's broad internal control structure objectives relevant to an audit of the entity's financial statements. Some control risk will always exist because of the inherent limitations of any internal control structure. [1]
[1] SAS-47, Statements on Auditing Standards
January 2005
Follow-up Procedures
Monitoring is a critical activity in creating a strong control environment (see August 2004 tip); however, equally as important is investigating unexpected activity detected during monitoring. Good monitoring procedures identify unusual activity, but it is adequate follow-up procedures that verify whether the unusual activity was appropriate. Good follow-up procedures include verification from external sources, corroboration from multiple individuals involved in the activity, and substantiation from other valid sources of data.
December 2004
Bad Passwords Cause Good Security to Fail - Make Your Password Strong!
Create a strong password that you can remember. Never use consecutive numbers or letters on your keyboard and never use a word that can be found in a dictionary. Hackers use complex tools that allow them to guess this type of password. A strong password is at least eight characters, includes a combination of letters, numbers, and symbols, and is easy for you to remember but difficult for others to guess. By using a strong passphrase, you can establish a strong password that you can remember.
Source of information: Microsoft, May 3, 2004, Creating Stronger Passwords
November 2004
Understanding the "whys"
An internal control that is often overlooked, and whose importance is often underestimated, is understanding why certain tasks are performed in an operation. Understanding why a task is performed is almost as important to the internal controls as actually performing the task itself. If an employee does not understand why they are performing a step, errors may occur that are not detected. For example, if an employee is assigned the task of matching documents without understanding that the ultimate purpose of the step is to reconcile activity to the general ledger, the employee may not realize that matching documents does not detect activity that was incorrectly posted to the general ledger and does not detect activity that never posted at all. Once the purpose of the task is understood, controls are enhanced and the effectiveness of the employee's work is increased.
October 2004
Enterprise Risk Management-Integrated Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has released an Enterprise Risk Management - Integrated Framework. To view the executive summary go to the following website: http://www.coso.org/
September 2004
Internal Audit Office
Audit or Assurance Services
Audit or assurance services involve the internal auditor's objective assessment of evidence to provide an independent opinion or conclusion regarding a process, system, or other subject matter. The Director of Audits determines the nature and scope of the audit or assurance engagement. There are generally three parties involved in assurance services: (1) the person or group directly involved with the process, system, or other subject matter (the process owner), (2) the person or group making the assessment (the internal auditor), and (3) the person or group using the assessment (the user).
Source of information: The IIA Research Foundation, The Professional Practices Framework, January 2004
August 2004
Monitoring
Ongoing monitoring is a crucial management activity. There are two approaches to ongoing monitoring: ongoing activities or separate evaluations. Ongoing monitoring is part of the normal, recurring operating activities. Because it is performed on a real-time basis, it is more effective than separate evaluations. Separate evaluations take place after the fact and problems are not always identified quickly. Examples of ongoing monitoring activities include regular management and supervisory activities, variance analysis, comparisons, reconciliations and other routine activities. Separate evaluations vary in scope and frequency depending on risks and related controls in managing the risks. Examples of separate evaluations may include self-assessments, and the work that internal auditors perform as part of their regular duties.
Source of information: COSO, The Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Framework
July 2004
Passwords
You have likely heard considerable information about identity theft, but did you know that identity theft can happen if someone compromises your password? If your password is compromised, an unauthorized user has the same system rights that you have. It is your responsibility to protect system information by using a strong password.
Create a strong password that you can remember. Never use consecutive numbers or letters on your keyboard and never use a word that can be found in a dictionary. Hackers use complex tools that allow them to guess this type of password. A strong password is at least eight characters, includes a combination of letters, numbers, and symbols and is easy for you to remember but difficult for others to guess. By using a strong passphrase, you can establish a strong password that you can remember.
Always keep your passwords a secret and never provide your password to anyone! Watch out for scams such as phishing. This is a practice of sending bogus emails that appear to come from trusted sources. You are asked to respond by entering your login name and password (your password has just been compromised)! Before responding to something that appears unusual to you, check with your supervisor.
Source of information: Microsoft, May 3, 2004, Creating Stronger Passwords
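The password rules given in this tip and in the December 2004 tip (at least eight characters; a combination of letters, numbers and symbols; no consecutive keyboard characters; no dictionary word) as a small checker. This is an added example, not code from the original page or from Microsoft; the keyboard rows, the four-character run threshold and the tiny word list are assumptions constructed for the example, not a real dictionary.

```python
"""Added example: check a candidate password against the rules in the tip.

Rules implemented: at least eight characters; a mix of letters, digits and
symbols; no run of consecutive keyboard characters (such as "1234" or "qwer");
and not a plain dictionary word. Keyboard rows, the run length and the word
list below are constructed for this example (assumptions, not page content).
"""
import string

# Constructed keyboard rows; a run of MIN_SEQUENCE adjacent keys in either
# direction is treated as "consecutive numbers or letters on your keyboard".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                 string.ascii_lowercase]          # also catches "abcd"
MIN_SEQUENCE = 4

# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "purdue", "boilermaker", "welcome", "summer", "letmein"}


def has_keyboard_sequence(password, length=MIN_SEQUENCE):
    """True if any run of `length` characters lies consecutively on a keyboard row."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        directions = (row, row[::-1])
        for i in range(len(lowered) - length + 1):
            chunk = lowered[i:i + length]
            if any(chunk in d for d in directions):
                return True
    return False


def is_dictionary_word(password):
    """True if the letters of the password, ignoring digits and symbols, form a
    known word (so "purdue1!" is still treated as the dictionary word "purdue")."""
    core = "".join(ch for ch in password.lower() if ch.isalpha())
    return core in DICTIONARY


def check_password(password):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(ch.isalpha() for ch in password):
        problems.append("no letters")
    if not any(ch.isdigit() for ch in password):
        problems.append("no numbers")
    if not any(ch in string.punctuation for ch in password):
        problems.append("no symbols")
    if has_keyboard_sequence(password):
        problems.append("contains a consecutive keyboard sequence")
    if is_dictionary_word(password):
        problems.append("is a dictionary word")
    return problems


if __name__ == "__main__":
    # Constructed candidates: a passphrase-derived password and two weak ones.
    for candidate in ("T4k3-a-H1ke!", "qwerty123", "Purdue1!"):
        verdict = check_password(candidate) or ["passes"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

A real deployment would swap the constructed word list for a full dictionary file and would never log or print the candidate password; the checker is meant to run at the point where the password is set, not afterwards.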
June 2004
Monitoring of Information Technology Event Logs
Well-conceived and properly enforced internal controls include identifying specific information technology (IT) events that should be logged as audit entries. A logging process is required in order to recreate pertinent system events and actions taken by system users and administrators. A monitoring process is required in order to identify questionable data access activities, investigate breaches, respond to potential weaknesses, and assess the security program.
Simply logging the events is not sufficient; the logs must be reviewed periodically. The following should be considered when reviewing event logs.
- Follow up on suspicious events such as intrusion attempts, authorized accesses at unusual times, and unusual changes to infrastructure devices.
- Identify, investigate, report, and respond to inappropriate activity.
- Ensure that audit requirements and activities do not unduly disrupt critical business processes.
- Agree to and control the scope of the events to check.
- Identify the individual performing event analyses as one independent from those setting audit trail rules. Ensure they are available and that they record who, what, when, where, and why sensitive information is released. Rules-of-evidence integrity must be maintained.
- Document all event capturing and analysis procedures, requirements, and responsibilities, including when to involve forensics specialists.
- Develop a process to ensure that users comply with access control procedures, including strong password creation and protections.
- Audit all user activity where risk levels warrant.
- Employ event analysis support tools and/or e-intelligent methods of correlating log data to detect suspicious activity and reduce volume.
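The review practices in the list above (following up on intrusion attempts, on authorized access at unusual times and on changes to infrastructure devices, and correlating log data to reduce volume) as a small Python review script. This is an added example, not code from the original page or from Purdue; the pipe-delimited log format, the host names, the business-hours window, the failure threshold and every sample log line are constructed for the example.

```python
"""Added example: a periodic review pass over constructed event-log lines.

It produces the findings a reviewer should follow up on: repeated failed
logins from one source (intrusion attempts), successful logins by authorized
users outside business hours, and configuration changes on infrastructure
devices. Failures are correlated per source address so a burst becomes one
finding rather than many lines (the volume reduction the tip asks for).
Log format, hosts, thresholds and sample lines are all constructed here.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format: timestamp|host|event|user|source).
SAMPLE_LOG = """\
2004-06-01 02:14:05|fileserver|LOGIN_FAIL|jdoe|10.0.5.7
2004-06-01 02:14:09|fileserver|LOGIN_FAIL|jdoe|10.0.5.7
2004-06-01 02:14:12|fileserver|LOGIN_FAIL|jdoe|10.0.5.7
2004-06-01 02:14:16|fileserver|LOGIN_FAIL|admin|10.0.5.7
2004-06-01 02:14:20|fileserver|LOGIN_FAIL|root|10.0.5.7
2004-06-01 03:02:41|payroll|LOGIN_OK|msmith|10.0.8.22
2004-06-01 09:15:00|payroll|LOGIN_OK|msmith|10.0.8.22
2004-06-01 11:42:10|core-switch|CONFIG_CHANGE|netadmin|10.0.1.2
2004-06-01 14:05:33|fileserver|LOGIN_OK|jdoe|10.0.5.30
"""

BUSINESS_HOURS = range(7, 19)        # assumption: 07:00-18:59 is normal working time
FAIL_THRESHOLD = 5                   # assumption: failures from one source before flagging
INFRA_HOSTS = {"core-switch", "edge-router", "firewall"}   # constructed device list


def parse_log(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, user, src = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host, "kind": kind, "user": user, "src": src,
        })
    return events


def review_events(events):
    """Return follow-up findings keyed by category (each value is a list of strings)."""
    findings = {"intrusion_attempts": [], "off_hours_access": [], "infra_changes": []}
    failures_by_src = defaultdict(list)

    for ev in events:
        if ev["kind"] == "LOGIN_FAIL":
            failures_by_src[ev["src"]].append(ev)          # correlate, report below
        elif ev["kind"] == "LOGIN_OK" and ev["time"].hour not in BUSINESS_HOURS:
            findings["off_hours_access"].append(
                f"{ev['time']:%Y-%m-%d %H:%M} {ev['user']} logged in to {ev['host']} off hours")
        elif ev["kind"] == "CONFIG_CHANGE" and ev["host"] in INFRA_HOSTS:
            findings["infra_changes"].append(
                f"{ev['time']:%Y-%m-%d %H:%M} {ev['user']} changed config on {ev['host']}")

    # One finding per source address, listing the accounts that were tried.
    for src, fails in failures_by_src.items():
        if len(fails) >= FAIL_THRESHOLD:
            users = sorted({f["user"] for f in fails})
            findings["intrusion_attempts"].append(
                f"{len(fails)} failed logins from {src} against accounts {', '.join(users)}")
    return findings


if __name__ == "__main__":
    for category, items in review_events(parse_log(SAMPLE_LOG)).items():
        print(category)
        for item in items:
            print("  -", item)
```

The script only produces findings; in keeping with the list above, the person running it should be independent of whoever sets the logging rules, and each finding should be recorded with who reviewed it, when, and what follow-up was done.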
May 2004
Internal Control Systems
What are the primary objectives of an internal control system?
- Compliance with laws and regulations.
- Financial reporting accuracy.
- Operations efficiency and effectiveness.
What are the essential components of a control system?
- Control environment,
- Risk assessment,
- Control activities,
- Information and communication, and
- Monitoring.
For more information, please contact the Internal Audit Office.
April 2004
Risk
Risk is the uncertainty of an event occurring that could have an impact on the achievement of departmental objectives. Risk is realized when:
- Objectives of the business are not achieved.
- Assets of the business are not safeguarded.
- There is non-compliance with organization policies and procedures or external regulations.
- Resources of the department are not utilized in an economic, efficient, or effective manner.
March 2004
Information Technology Control Objectives [1]
What are information technology control objectives? Information technology control objectives are typically presented in three major categories:
- Company Level
- General Controls
- Application Controls
At the company level, controls set the tone for the entity and include systems planning, enterprise policies, governance, codes of conduct, and fraud prevention. At the general controls level, controls are embedded in common services and include systems maintenance, disaster recovery, physical and logical security, data management, and incident response. At the application level, controls are embedded in business process applications and are designed to achieve completeness, accuracy, validity and recording assertions and include authorizations, approvals, tolerance levels, reconciliations, and input edits.
[1] Institute of Internal Auditors, February 10, 2004, Are You Ready for IT Control Identification and Testing
January/February 2004
Internal Audit Mission
The mission of the Internal Audit Office is to provide independent, objective assurance and advisory services designed to add value and assist all levels of administration in achieving University objectives by striving to provide a positive impact on the efficiency and effectiveness of the operations. The Internal Audit Office helps the University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Please contact our office for assistance in evaluating changes in your internal control environment, new risks as a result of process or personnel changes, etc.
December 2003
Wireless Vulnerabilities
The ease of deploying wireless technologies in today's environment comes as a mixed blessing. Installation and setup of a wireless environment is a relatively easy task; however, securing the wireless technology is another challenge altogether. The user is the common ingredient in both wireless and wired environments, and also the weakest link in both areas. Installing and securing wireless technologies are two very different processes. A user installing wireless devices must understand the importance of security and know how to configure the device to protect the organization's network and data. Sixty to ninety percent of WLANs (Wireless Local Area Networks) are deployed without the most basic of security mechanisms (changing default names, enabling encryption, optimizing placement of the Access Point, etc.). The challenge is not plugging in devices and making them work. The real challenge is understanding the security position that the organization is being placed in by the configuration, knowing the difference between secure and insecure, and knowing who to contact (or knowing how) to change the configuration to protect your organization.
November 2003
The
Committee of Sponsoring Organizations of the Treadway Commission's
(COSO) Integrated Control-Integrated Framework
There
are five steps, or components, in the internal control framework,
all of which are management's responsibility. The five steps
are:
- The control environment contains informal,
and often intangible, soft controls such as ethics,
integrity, philosophy, and commitment to competence,
as well as formal controls like assignment of roles
and responsibilities.
- Risk assessment is management's identification
and analysis of risks to the achievement of its objectives.
- Control activities are the mechanisms management
establishes to ensure directives are carried out.
- Information and communication refers to employees
getting the information they need to do their jobs and
communication relates to the free flow of information
in the organization.
- Monitoring involves day-to-day oversight by
managers, periodic reviews by auditors, and the processes
management uses to address and correct known deficiencies.
Remember
that management is responsible for internal controls!
October 2003
SARBANES-OXLEY
Even though Sarbanes-Oxley is not directly applicable to colleges and universities, it is important for colleges and universities to assess policies and procedures with the conceptual framework of Sarbanes-Oxley in mind. It is important to review internal procedures and controls as well as monitor compliance with requirements.
August 2003
Controls
Internal controls may be preventive, detective, or corrective. A preventive control is designed to prevent undesirable outcomes before they happen, a detective control is designed to identify the undesirable outcome when it happens, and corrective controls are designed to reverse the undesirable outcome or ensure that it does not recur.
Detective controls include reviews and comparisons as well as reconciliations. These controls are critical to ensuring the accuracy of the general ledger data. For example, subsidiary systems must be reconciled with general ledger data to ensure the accuracy of general ledger data.
July 2003
Monitoring
Monitoring is a critical internal control. Ongoing monitoring includes regular management and supervisory activities. Examples of ongoing monitoring include:
- Review of operating and financial reports to identify inaccuracies or exceptions;
- Oversight of reconciliation processes and procedures to ensure accuracy and proper separation of duties;
- Review of information indicating that problems may exist;
- Oversight of control functions and identification of deficiencies;
- Comparison of recorded data to physical assets; and
- Routine assessment of internal controls.
June 2003
COSO provides an excellent framework for evaluating your internal control environment.
What is COSO?
COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.
Who sponsored the National Commission?
The National Commission was jointly sponsored by the five major financial professional associations in the United States: the American Accounting Association, the American Institute of Certified Public Accountants, the Financial Executives Institute, The Institute of Internal Auditors, and the National Association of Accountants (now the Institute of Management Accountants). The Commission was wholly independent of each of the sponsoring organizations, and contained representatives from industry, public accounting, investment firms, and the New York Stock Exchange.
What is the COSO integrated framework of internal control?
Integrated Framework of Internal Control
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
What are the Key Concepts?
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
Reference the COSO website or contact the Internal Audit Office for additional information.
May 2003
Controls Self Assessment
Controls Self Assessment is a tool or strategy used to provide management an opportunity to evaluate its own internal control environment through process maps and internal control questionnaires. Management can assess the overall performance of the operation, compliance with policies and procedures, evaluate business controls, and ensure effective business risk management. Example questionnaires or checklists can be located at the following sites:
Internal Control Self Assessment Checklists
If you are in need of additional checklists or desire assistance from the Internal Audit Office in developing your controls self-assessment strategy, please contact iadirector@purdue.edu or call 494-7588.
April 2003
What is a balanced scorecard framework?
It is a strategy-focused approach to performance management that includes non-financial and financial performance measures that are derived from the organization's vision and strategy. The balanced scorecard represents a strategic performance management and measurement system.[1]
[1] A Balanced Scorecard Framework for Internal Auditing Departments, The Institute of Internal Auditors Research Foundation
March 2003
Internal Control: Who is Responsible for it?
The short answer is EVERYONE in the Organization. While different levels of the Organization may be responsible for different aspects of internal controls, everyone has an obligation to make sure adequate levels of internal control exist. Five elements of internal control are the control environment, risk assessment, control activities, information and communication, and monitoring.
Recent legislation enacted by the United States Government (The Sarbanes-Oxley Act of 2002), which generally applies to all publicly traded companies, reinforces management's responsibility for establishing and maintaining a system of internal controls.
January 2003
Internal Control: What is it?
A process within an organization designed to provide reasonable assurance that:
- information is reliable, accurate, and timely
- compliance exists with policies, plans, procedures, laws, regulations, and contracts
- assets (including people) are safeguarded
- resources are used economically and efficiently
- overall established objectives and goals are met.
November 2002
Performance Monitoring
Monitoring is a process that allows for the assessment of the quality of the department's performance over time. Key components of monitoring include:
- Routine evaluations of the overall effectiveness of the internal control systems, processes, and procedures;
- Assessment of the organization structure for effectiveness;
- Evaluation and review of policies and procedures; and
- Evaluation of risk assessment procedures.
Ongoing monitoring is critical to ensuring proper evaluations and immediate changes, when necessary, to the department or operation.
October 2002
Preventive, Detective, and Corrective Controls
Controls give organizations the ability to achieve effective and efficient operations, to produce reliable financial reports, and to comply with applicable laws and regulations. Controls are generally categorized into three major categories: preventive, detective, and corrective.
Preventive controls prevent undesirable outcomes before they occur. They are more cost-effective than detective controls. Examples of preventive controls include:
- Segregation of duties;
- Programmed edit checks;
- Use of access control software that allows only authorized personnel to access sensitive files; and
- Employment of trustworthy, competent people.
Detective controls detect that an error, omission, or malicious act has occurred and report the occurrence. They measure the effectiveness of the preventive controls. Some errors cannot be prevented, so they must be detected when they occur. Examples of detective controls include:
- Hash totals;
- Check points in production jobs;
- Past due account reports;
- Bank reconciliations;
- Cash counts; and
- Physical counts of inventories.
Corrective controls take over when improper outcomes occur and are detected. They are designed to identify the cause of a problem and to correct errors arising out of a problem. Examples of corrective controls include:
- Contingency planning;
- Back-up procedures; and
- Re-run procedures.
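The hash totals listed among the detective controls above, and the subsidiary-to-general-ledger reconciliation in the August 2003 tip, can be shown in working form. The following is an added example, not code from this page or from Purdue: it computes batch control totals for a constructed subsidiary batch and compares them with the totals recomputed from what the ledger actually posted.

```python
"""Batch control totals as a detective control (added example, not from the page).

A subsidiary system computes a record count, an amount total and a hash total
(the arithmetic sum of account numbers: meaningless as a number, but sensitive
to any changed, dropped or duplicated record) before sending a batch.  The same
totals are recomputed from what the general ledger actually posted, and every
difference is reported as an exception.  All records below are constructed.
"""
from decimal import Decimal

# Constructed subsidiary batch: (account number, amount)
BATCH = [
    ("100234", Decimal("125.00")),
    ("100567", Decimal("40.50")),
    ("100890", Decimal("999.99")),
    ("101122", Decimal("10.00")),
]


def control_totals(records):
    """Return the three control totals for a list of (account, amount) records."""
    return {
        "count": len(records),
        "amount_total": sum((amt for _, amt in records), Decimal("0")),
        # Hash total: account numbers added up as if they were integers.
        "hash_total": sum(int(acct) for acct, _ in records),
    }


def reconcile(submitted, posted):
    """Compare the totals of the submitted batch with totals recomputed from the
    posted records.  Returns a list of exception strings; empty means reconciled."""
    expected, actual = control_totals(submitted), control_totals(posted)
    return [
        f"{name}: submitted {expected[name]} vs posted {actual[name]}"
        for name in expected
        if expected[name] != actual[name]
    ]


# Two constructed processing failures the totals are meant to catch.
def drop_record(records, index):
    """Simulate a record lost during transfer (count, amount and hash all move)."""
    return records[:index] + records[index + 1:]


def transpose_account(records, index):
    """Simulate a keying error that swaps the last two digits of one account
    number.  Record count and amount total stay correct, so only the hash
    total reveals it; that is the reason hash totals exist."""
    acct, amt = records[index]
    swapped = acct[:-2] + acct[-1] + acct[-2]
    return records[:index] + [(swapped, amt)] + records[index + 1:]


if __name__ == "__main__":
    print("intact batch:", reconcile(BATCH, BATCH) or "reconciled")
    print("dropped record:", reconcile(BATCH, drop_record(BATCH, 2)))
    print("transposed account:", reconcile(BATCH, transpose_account(BATCH, 0)))
```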
September 2002
Information Technology Controls
In our August tip, we discussed the impact of SAS 94 on information technology controls. Controls associated with computer operations can be grouped into two broad categories: general controls and application controls.
General controls commonly include controls over data center operations, system software acquisition and maintenance, access restrictions, security, and application system development and maintenance.
Application controls include computerized steps within the application software. They are related to manual procedures that control the processing of various types of transactions. Together, these controls serve to ensure completeness, accuracy, and validity of all information in the system. This information is identified, captured, processed, and reported formally and informally. It is important to note that the quality of information influences the quality of decisions.
August 2002
Effective Information Technology Controls are Critical to the University
In April 2001, the American Institute of Certified Public Accountants (AICPA) issued Statement on Auditing Standards (SAS) No. 94, titled The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit. This standard provides guidance on the effect of information technology on internal control and on the auditor's understanding of internal control and assessment of control risk. This standard notes that an organization's information technology use may affect any of the five internal control components, which are:
- The control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
It is the University's responsibility to comply with the standards and the external auditors' responsibility to validate via their opinion that we are materially compliant with the standards. As you can see, effective information technology controls are critical to the University. If you would like more information, please contact our department.
July 2002
NEVER PROVIDE YOUR PASSWORD TO ANYONE
Only you should know your password. If anyone requests your password, even if they identify themselves as authorized to know this information, advise them that you are not permitted to provide your password and immediately advise your supervisor of this request.
Passwords are maintained by systems in a manner that makes them look jumbled (it's called encryption). Once you type in your password to any computer system, it should be encrypted in such a way that no one can undo that encryption. That is because no one needs to know what your password is besides you.
Remember, YOU ARE RESPONSIBLE FOR THE PROTECTION OF YOUR PASSWORD. NEVER PROVIDE IT TO ANYONE!
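The one-way storage the tip describes is what lets a system check your password without anyone, including the system's administrators, being able to read it back. The following is an added example, not code from this page or from Purdue; it uses a salted, iterated password hash (PBKDF2-HMAC-SHA256 from the Python standard library), which is the technique systems use for the "jumbled" form the tip mentions. The user names and passwords are constructed sample data.

```python
"""One-way password storage (added example, not from the page or Purdue).

The system keeps only a random salt and an iterated hash of the password.
The password cannot be recovered from that record, yet a login can still be
checked by recomputing the hash from the typed password and the stored salt.
Users and passwords below are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # work factor; raise over time as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.  A random 16-byte
    salt is generated unless one is supplied (a fixed salt is only for tests)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:          # malformed record: never accept
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Record used to spend the same time on unknown user names as on real ones,
# so response timing does not reveal which accounts exist.  Fixed salt is fine
# here because it protects no real password.
DUMMY_RECORD = hash_password("not-a-real-account", salt=b"\x00" * 16)


class UserStore:
    """Minimal account table: holds salt+hash records only, never passwords."""

    def __init__(self):
        self._records = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        stored = self._records.get(username)
        if stored is None:
            verify_password(password, DUMMY_RECORD)
            return False
        return verify_password(password, stored)

    def stored_record(self, username: str) -> Optional[str]:
        """What an administrator could see: never the password itself."""
        return self._records.get(username)


if __name__ == "__main__":
    store = UserStore()
    store.register("jsmith", "correct horse battery")
    print("stored:", store.stored_record("jsmith"))
    print("right password:", store.login("jsmith", "correct horse battery"))
    print("wrong password:", store.login("jsmith", "guess"))
```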
June 2002
Assess your Risks
One approach to establishing a strong internal control environment is to first review your operation and determine your business risks. Business risks are identified in six major categories. Within each business risk category, associated risks exist. There are several questions that can assist you in evaluating whether the business risks have been minimized. These include but are not limited to:
- Revenues
  Are we in compliance with revenue policies and procedures?
  Do we have a current rate approval?
  Are duties properly separated?
  Are reconciliations completed timely and effectively?
- Operations
  Have new strategies or initiatives been evaluated for changes in the control environment?
  Are we operating efficiently and effectively?
  Have we experienced personnel changes and are new personnel familiar with policies and procedures?
- Information Technology
  Have we evaluated controls associated with new technologies?
  Do we have procedures to ensure continuity and disaster recovery?
  Is the technology infrastructure good?
  Have we made any system changes that have not been evaluated for proper controls?
  Is the data secure?
- Regulatory
  Are we in compliance with federal, state, and other regulatory requirements?
- Control Environment
  Do we properly safeguard assets?
  Are duties properly separated?
  Are internal controls functioning as intended?
  Are we in compliance with policies and procedures?
  Does oversight and monitoring exist?
- Expenses
  Are resources properly used?
  Are approval and reconciliation procedures appropriate?
  Are duties properly separated?
  Does oversight and monitoring exist?
  Are we in compliance with expense policies and procedures?
May 2002
Separation of Duties
One extremely important internal control is to ensure that duties are properly separated. Duties must be divided among different people to reduce the risk of error or inappropriate actions. For example, responsibilities for authorizing transactions, recording them, handling the related asset, and monitoring the activity should be separated. Consider the following when assessing your internal controls and if you recognize that your operation is handling transactions in the manner described, implement changes immediately.
Examples of Inappropriate Separation of Duties
- An employee submits his/her timecard to the supervisor; the supervisor approves (signs) the timecard and returns it to the employee.
- A payroll clerk submits his/her timecard to the supervisor for signature; the supervisor approves (signs) and returns it to the payroll clerk for processing.
- A disbursement clerk authorizes expenditures, records the expenditure, and monitors the ledger activity.
- One employee collects income (cash, checks, etc.), verifies the source of income to the supporting documentation, prepares the required reports, and retains the reports.
- One employee writes checks, signs checks, and reconciles the bank account.
- No independent monitoring or reviews of income or expense occur within the operation.
- One individual makes program changes to the production program and no independent review of the testing or expected results is completed.
- Reconciliation and monitoring procedures rest with the individual responsible for processing transactions.
- Checks are signed by the authorized signer and then returned for mailing to the individual responsible for preparing the bank reconciliation or maintaining the ledger.
- Checks are presigned (signed in blank) and given to the individual responsible for the bank reconciliation or maintaining the ledger.
Please contact us for more examples or if you are uncertain whether duties are properly separated within your operation.
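The four responsibilities the tip says should be separated (authorizing, recording, handling the asset, and monitoring) can be checked mechanically once you write down who holds each duty in a process. The following is an added example, not code from this page or from Purdue; the people and processes are constructed from the tip's own examples, and it also flags a duty nobody performs, which corresponds to the "no independent monitoring or reviews" case.

```python
"""Separation-of-duties check (added example, not from the page or Purdue).

Given a list of (duty, person) assignments for one process, report every
person who holds two or more of the four duties the page names, and every
duty that nobody holds.  Names and processes below are constructed from the
page's examples.
"""
from itertools import combinations

DUTIES = ("authorize", "record", "custody", "reconcile")


def find_conflicts(assignments):
    """Return sorted (person, duty_a, duty_b) triples for each pair of the four
    duties that the same person holds."""
    held = {}
    for duty, person in assignments:
        if duty not in DUTIES:
            raise ValueError(f"unknown duty {duty!r}; expected one of {DUTIES}")
        held.setdefault(person, set()).add(duty)
    return sorted(
        (person, a, b)
        for person, duties in held.items()
        for a, b in combinations(sorted(duties), 2)
    )


def unassigned_duties(assignments):
    """Duties nobody in the process performs (e.g. nobody reconciles)."""
    performed = {duty for duty, _ in assignments}
    return [d for d in DUTIES if d not in performed]


def assess(assignments):
    """Verdict plus findings, in the shape a self-assessment worksheet needs."""
    conflicts = find_conflicts(assignments)
    missing = unassigned_duties(assignments)
    return {"separated": not conflicts and not missing,
            "conflicts": conflicts, "unassigned": missing}


# "One employee writes checks, signs checks, and reconciles the bank account."
CHECKS_ONE_PERSON = [("record", "pat"), ("authorize", "pat"),
                     ("custody", "pat"), ("reconcile", "pat")]
# Signed checks returned for mailing to the person who prepares the bank
# reconciliation: custody of the asset and reconciliation meet in one person.
CHECKS_MAILED_BY_RECONCILER = [("record", "lee"), ("authorize", "kim"),
                               ("custody", "sam"), ("reconcile", "sam")]
# The same process with the four duties spread over four people.
CHECKS_SEPARATED = [("record", "lee"), ("authorize", "kim"),
                    ("custody", "sam"), ("reconcile", "ana")]
# "A disbursement clerk authorizes expenditures, records the expenditure, and
# monitors the ledger activity."  Nobody else is involved at all.
DISBURSEMENT_CLERK = [("authorize", "jo"), ("record", "jo"), ("reconcile", "jo")]

if __name__ == "__main__":
    for label, process in [("one-person checks", CHECKS_ONE_PERSON),
                           ("reconciler mails checks", CHECKS_MAILED_BY_RECONCILER),
                           ("separated checks", CHECKS_SEPARATED),
                           ("disbursement clerk", DISBURSEMENT_CLERK)]:
        print(f"{label}: {assess(process)}")
```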
April 2002
Information Technology (IT) Internal Controls
- What is internal control?
  - Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives including the reliability of data and reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.
- Why are internal controls important to you and the University?
  - All staff have a fiduciary responsibility to ensure data integrity
  - Data integrity is critical for all computing systems
  - Data must be protected in accordance with external regulations and University policies and procedures
  - A report generated with unreliable data can lead to poor management decisions
  - Good decisions and future directions are not possible without good information (data)
  - Good control and security implementation within and around a system allows for protection of data (one of the University's most important assets)
March 2002
The Fair Labor Standards Act -- Know the Law!
The Fair Labor Standards Act (FLSA) establishes minimum wage, overtime, and record-keeping standards for employees who are not exempt from its provisions. As a supervisor, you must know the law and University policies and procedures. Supervisors are responsible for proper monitoring of time and for ensuring that time is properly reported by their staff.
Know the overtime policy and procedures as stated in the Business Procedures Manual:
- The overtime policy and its regulations apply to the employment of all regular and temporary staff members (including student employees) who work in excess of 40 hours weekly or eight hours daily, except for those who perform work classified as exempt under the Fair Labor Standards Act;
- Department heads or their designated representatives authorize overtime when there are increased workloads, emergencies, or work that requires employees with certain skills, training, or experience. To prevent last minute scheduling, supervisors should inform their employees as soon as possible that they are needed for overtime work;
- Overtime not requested but permitted or condoned by a supervisor must be counted as "worked overtime"; and
- The University has certain classifications that are monthly paid non-exempt staff. Monthly paid employees who are eligible for the payment of overtime are to be compensated at time and a half for overtime work.
Know employee classifications and if your staff members are eligible for overtime!
Further questions or clarification can be obtained from Human Resource Services; ask them.
The University does NOT tolerate violations of The Fair Labor Standards Act.
January 2002
What occurs during an audit?
Audit Process
Although every audit project is unique, the audit process is similar for most engagements and usually consists of three stages: Preliminary Review, Field Work, and Closure. Through these stages, Internal Audit wants to determine ways to minimize risks and increase efficiencies within your area, taking a University system-wide approach.
Preliminary Review
After the decision has been made to audit your area, we gather information about your processes and procedures. We then review and evaluate the existing internal control structure and identify the audit objectives. Finally, we plan the remaining audit steps necessary to achieve the objectives.
Fieldwork
The fieldwork involves gathering data and identifying opportunities for continuous process improvement. It is during this phase that we determine whether the controls identified during the preliminary review are operating in the manner you described.
Closure
A written report is issued showing the results of the audit steps performed. It will include advice and requests for action as needed based on the results.
January 2002
Risk Element Identification
A step to establishing a strong internal control environment is to review processes and determine what risk elements are contained within the process. Identifying risk elements leads directly to determining control points that can be implemented to help mitigate these risks. Risk elements within processes can include:
Attitude and competency of personnel involved in the process
- Work performed by newer employees tackling the learning curve may need more thorough reviews
- Competent employees help reduce risk, but they may be able to "outsmart" the system
Accountability placed on employees
- Expectations placed on employees and higher levels of accountability should lead to lower risk
Age of processes
- Newer processes are generally more risky; however, older processes can also be risky if newer technologies or information are not incorporated
Complexity of processes
- Highly complex processes or systems are generally more risky
Time constraints
- Activities performed under pressure can be more risky and have the potential for more errors
December 2001
Logical Access Controls
Legitimate system users should be authenticated before they are allowed to use the system, and they should be allowed access only to the data they are authorized to use and then only to perform specific, authorized functions such as reading, copying, and adding to and deleting data. It is also important to protect data from those outside the organization.
A favorite electronic espionage tactic is to gain access to a building and plug into an Ethernet jack in the wall and talk to the system. By configuring the system to respond only to hardware that it recognizes, this can be prevented.
To restrict logical access, a system must differentiate between authorized and unauthorized users utilizing what the user knows or possesses, where the user is accessing the system, or by some personal characteristic. Perhaps the most common approach is by what a person knows. For example, the computer could ask users a series of personal questions, such as mother's maiden name. Or users could be asked to enter a personal identification number.
November 2001
Control Activities for University Departments
Each University department can utilize internal controls to assist the organization in the achievement of the following objectives:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
Suggested internal control activities are:
- Implement segregation of duties where duties are divided among different people. No one person should have control over all aspects of any financial transaction.
- Make sure a person delegated approval authority authorizes transactions.
- Ensure records are routinely reviewed and reconciled by someone other than the preparer.
- Make certain that equipment, inventories, cash and other property are secured physically, counted periodically, and compared with item descriptions shown on control records.
- Provide employees with appropriate training to ensure they have the knowledge necessary to carry out their job duties. Make sure University and departmental level policies and operating procedures are formalized and communicated to employees. Documenting policies and procedures and making them accessible to employees helps provide continuity of activities in the event of prolonged employee absences or turnover.
October 2001
Physical Access Controls
Both the physical ability to use computer equipment (referred to as physical access) and the ability to gain access to company data (called logical access) should be restricted. Physical access security can be achieved by the following controls:
- Placing computer equipment in locked rooms and restricting access to authorized personnel only.
- Having only one or two entrances to the computer room. The entrances should be securely locked and watched carefully by security guards and closed-circuit television monitoring systems.
- Requiring proper employee identification, such as a security badge, for passage through an access point. Modern security badges incorporate photos and magnetic, electric, or optical codes that can be read only by special readers. With advanced identification techniques, each employee's entry and exit may be automatically recorded in a log that is maintained on the computer and periodically reviewed by supervisory personnel.
- Requiring that visitors sign a log as they enter and leave the site. They should be briefed on company security policies, assigned visitor's badges, and escorted to their destination.
- Using a security alarm system to detect unauthorized access during off-hours.
- Restricting access to private secured telephone lines or to authorized terminals or personal computers.
- Installing locks on personal computers and other computer devices.
September 2001
Self-Assessment of Your Business Office Processes
Evaluating your business office processes is an important step in ensuring strong internal controls. When you evaluate your processes you should look for:
- Procedures that were not implemented as intended;
- Proper separation of duties;
- Internal control points that do not exist anymore (reasons could include staff turnover, changes in processes, new technologies, etc.); and
- Unnecessary control points that, if eliminated or changed, would allow you to realize efficiencies.
More common evaluation methods include:
- Flowcharting processes;
- Interviewing personnel involved in processes;
- Walking through transactions start to finish; and
- Utilizing questionnaires.
August 2001
Characteristics of Today's E-Commerce World
As opposed to yesterday's in-house computer application system, an E-Commerce application is open to public exposure. It is an extremely complex two-way network. Pushing information out invites outsiders in, and web server systems can be used as launching points for attacks.
Fundamentally, Internet / Web security is a set of procedures, practices, and technologies for protecting web servers, web users, and their surrounding organizations. E-Commerce applications must be protected from six major threats:
- Hacking: intrusion with intent to harm
- Denial of service: intent to prevent availability
- Viruses / worms: intent to destroy or 'harass'
- Disclosure: intent to share information not intended to be shared
- Sabotage: intent to damage or not to damage for a fee
- Mimicking: intent to copy with intent to embarrass or defraud
July 2001
Audit Trail
An audit trail is the evidence of actions performed upon data from original documents to final disposition. It is a concrete log of activities and events, either hardcopy or in the form of a computer file, and exists as one document or file or as a collection of documents. The existence of a reliable, easy-to-follow audit trail is considered one indication of good internal control in an organization.
Audit trails are useful for maintaining security and integrity of data and for recovering lost transactions. The purpose of maintaining an audit trail is to ensure the possibility of tracing errors to their source in order to investigate their cause, and to trace the effects of any identified errors on other reports and information items.
It is essential that computer application systems include an audit trail component. An electronic audit trail is a record showing who has accessed a computer system and what operations he or she has performed during a given period of time. An effective electronic audit trail cannot be deleted or altered in any way.
Basic components of an electronic audit trail include:
- User name
- Date and time stamp
- Operation performed or attempted
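The three components above, plus a link from each record to the one before it, give an electronic audit trail in which any alteration or deletion of an earlier record is detectable. The following is an added example, not code from this page or from Purdue: it builds a hash-chained trail from constructed records, answers the "who did what during a given period" question, and shows the verification failing after two constructed tampering attempts.

```python
"""Tamper-evident electronic audit trail (added example, not from the page).

Each record carries the page's three basic components (user name, date/time
stamp, operation performed or attempted) plus the SHA-256 digest of the
previous record.  Altering or deleting any earlier record therefore breaks
every later link.  This makes tampering detectable; the log still has to live
on append-only storage under separate control so that nobody can quietly
rebuild the whole chain.  Users, times and operations are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AuditRecord:
    user: str
    timestamp: str      # ISO 8601 text, constructed below
    operation: str      # e.g. "login", "read:<object>", "delete:<object>"
    prev_hash: str      # digest of the previous record; "" for the first
    entry_hash: str     # digest of this record, which covers prev_hash


def _digest(user, timestamp, operation, prev_hash):
    payload = json.dumps([user, timestamp, operation, prev_hash])
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(trail, user, timestamp, operation):
    """Return a new list with a record chained onto the end of trail."""
    prev = trail[-1].entry_hash if trail else ""
    rec = AuditRecord(user, timestamp, operation, prev,
                      _digest(user, timestamp, operation, prev))
    return trail + [rec]


def verify(trail):
    """(True, None) if every link checks out, otherwise (False, index) of the
    first record whose link or content no longer matches."""
    prev = ""
    for i, r in enumerate(trail):
        expected = _digest(r.user, r.timestamp, r.operation, r.prev_hash)
        if r.prev_hash != prev or r.entry_hash != expected:
            return False, i
        prev = r.entry_hash
    return True, None


def activity(trail, user, start, end):
    """Operations one user performed or attempted between start and end
    (inclusive; ISO 8601 text compares correctly as strings)."""
    return [(r.timestamp, r.operation) for r in trail
            if r.user == user and start <= r.timestamp <= end]


def sample_trail():
    """Constructed trail of four events on one morning."""
    t = []
    t = append(t, "jsmith", "2001-07-02T08:05:00", "login")
    t = append(t, "jsmith", "2001-07-02T08:07:30", "read:payroll/2001-06")
    t = append(t, "mlee", "2001-07-02T09:15:10", "login-failed")
    t = append(t, "jsmith", "2001-07-02T09:20:00", "delete:payroll/2001-06")
    return t


# Two constructed tampering attempts that verify() must catch.
def rewrite_operation(trail, index, new_operation):
    """Edit one record in place; its stored entry_hash no longer matches."""
    t = list(trail)
    t[index] = replace(t[index], operation=new_operation)
    return t


def remove_record(trail, index):
    """Drop one record; the next record's prev_hash now points at nothing."""
    return trail[:index] + trail[index + 1:]


if __name__ == "__main__":
    trail = sample_trail()
    print("intact:", verify(trail))
    print("jsmith after 09:00:", activity(trail, "jsmith",
                                           "2001-07-02T09:00:00", "2001-07-02T23:59:59"))
    print("edited record 3:", verify(rewrite_operation(trail, 3, "read:payroll/2001-06")))
    print("deleted record 1:", verify(remove_record(trail, 1)))
```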