Purdue University Mark

Purdue University

Internal Audit Office

Your Name
Friend's Email Address

Tip of the Month



November 2016


“Data trends can provide insights into the risks facing an organization.”

Source: Internal Auditor, October 2016, Big Data and Internal Auditors

October 2016

“Cybersecurity is an environment that is about staying ahead of the adversary, protecting assets more quickly than the threat vectors can exploit them, outpacing attackers and applying counterintelligence.”

Source: ISACA Journal, Volume 5, 2016, Balancing the Cybersecurity Battlefield


September 2016

Contract Management

"Organizations should have procedures in place to monitor vendor contracts." Contract management responsibilities should be clearly defined with expectations that any noncompliance with contract terms be escalated for corrective action.

Source: Internal Auditor, August 2016, Tough Consequences


August 2016

“Data analytics is an analytical process by which insights are generated from operational, financial, and other forms of electronic data internal or external to the organization that communicates exceptions and outliers.”

Source: Internal Auditor, August 2016, Analytics-Driven Audits

July 2016

“To generate value, organizations must achieve or exceed performance goals communicated to stakeholders. To retain value, they must understand, monitor, and proactively manage significant risks to the achievement of key objectives.”

Source: Internal Auditor, June 2016, Integrating Key Risk and Performance Indicators

June 2016

Encryption can provide protection from unauthorized access and reduce the likelihood of data theft. However, many organizations are not prepared for the risks of end-user-managed encryption.

Source: ISACA Journal, Volume 3, 2016, Encryption in the Hands of End Users

May 2016

“Carefully designed and monitored preventive measures are crucial in the fight against fraud.” Monitoring controls provide oversight and a mechanism to determine if the control environment is operating as intended.

Source: Internal Auditor, April 2016, Fraud Prevention


April 2016

“People are the critical element in the journey toward improved security.” It is critical to raise cybersecurity awareness at all levels in the organization.

Source: ISACA Journal, Volume 2, 2016, Quick Fixes for Improving Cyberdefenses

March 2016

Cybersecurity risk is a newer issue for virtually every organization. The security of electronic data is of utmost concern. According to the 2016 PWC Global State of Information Security Survey, from 2014 to 2015, 38% more cybersecurity incidents were detected, a 22% rise in cybersecurity breaches were attributed to business partners, and 59% of organizations used big data analytics to help manage cybersecurity.

Source: Internal Auditor, February 2016, 21st Century Milestones.


February 2016

Systems architecture should be documented and provide information about how applications exchange data with other applications. Documentation should minimally include purpose, high-level functionality, components, data flows, and data stores

January 2016

Striking the optimal design of enterprise risk management is essential and unique for each and every organization. Individuals must have the following capabilities:

  • Architect/Builder: Identify how risks are owned and managed
  • Facilitator/Coach: Embed risk thinking throughout the organization
  • Systems Thinker/Aggregator: Consider the organization’s risk profile
  • Communicator/Influencer: Communicate clearly in order to inform major risk decisions

Source: Internal Auditor, December 2015, The Four Hats of Risk Management




November and December 2015

The Institute of Internal Auditors (IIA) articulated a model for a rigorous and efficient approach to discuss risk and control in The Three Lines of Defense in Effective Risk Management and Control, a position paper dated January 2013. This model clarifies essential roles and duties.

  • The First Line of Defense: Operational Management
  • The Second Line of Defense: Risk Management and Compliance Functions
  • The Third Line of Defense: Internal Audit

Source: IIA Position Paper, The Three Lines of Defense in Effective Risk Management and Control, January 2013


October 2015

How do we calculate the costs of cybersecurity incidents and threats? “The total cost is the sum of the direct losses, indirect losses, and defense costs.” Direct losses include money, time, and stress for the victims. Indirect losses include missed business opportunities and lack of consumer trust. Defense costs include additional security products and services, fraud detection, and law enforcement.

Source: ISACA Journal, Volume 5, 2015, The Underground Threat


September 2015

Everyone in the organization must be trained to take appropriate actions to protect customers’ data. Customer data is defined as any data that contains personally identifiable information about a customer.

Source: Internal Auditor, August 2015, Protecting Customer Data


August 2015

“Organizations’ biggest weakness is measuring, assessing, and mitigating cyberrisk, which makes it difficult to prioritize security activity.”     

Source: Internal Auditor, August 2015, The Maturity Threat


July 2015

In periods of transformation, which many companies are going through, it is critical to ensure strategic alignment throughout the organization. Flexibility, adaptability, and evolving processes are important elements for success during transformative periods.

Source: Internal Auditor, June 2015, Strategic Alignment


June 2015

“Cyberattacks threaten the integrity or the very existence of information and have the potential to bring a business to a halt.” Solutions for cybersecurity threats must be flexible with the realization that not all solutions are, or should be, the same.

Source: ISACA Journal, Volume 2, 2015, Cyberwhatsit


May 2015

Today, more than ever before, businesses must recognize the potential for breaches based on actions that business partners or employees take. Thus monitoring and incident response protocols are critical.

Source: IIA, Cyberrisk on the Agenda, 2015


April 2015

Both opportunities and risks exist with Internet-connected devices. “Many of the Internet-enabled intelligent devices embedded in modern homes and organizations have little security built into them, making them vulnerable to attacks that could disrupt normal use or operations…”

Source: ISACA Journal, Volume 2, 2015, Internet of Things Offers Great Opportunities and Much Risk


March 2015

Understanding social media risks is key to helping protect organizations. “Yet, according to the findings of Deloitte & Touche LLP’s 2014 Social Media Survey of internal audit professionals and other executives involved in managing social media risks, many companies are either struggling to catch up, or even more disconcerting, have yet to begin.”

Source: Internal Auditor, February 2015, Putting the Squeeze on Social Media


February 2015

The COSO, Committee of Sponsoring Organizations of the Treadway Commission, Internal Control-Integrated Framework (2013) provides an updated framework to assist organizations with the design and implementation of internal controls. This framework retained the five components of internal control, expanded to include 17 relevant principles, which must be present, functioning, and integrated for an effective control environment.

Control Environment

  1. Demonstrates commitment to integrity and ethical values
  2. Exercises oversight responsibility
  3. Establishes structure, authority, and responsibility
  4. Demonstrates commitment to competence
  5. Enforces accountability

Risk Assessment

  1. Specifies suitable objectives
  2. Identifies and analyzes risk
  3. Assesses fraud risk
  4. Identifies and analyzes significant change

Control Activities

  1. Selects and develops control activities
  2. Selects and develops general controls over technology
  3. Deploys through policies and procedures

Information and Communication

  1. Uses relevant information
  2. Communicates internally
  3. Communicates externally

Monitoring Activities

  1. Conducts ongoing and/or separate evaluations
  2. Evaluates and communicates deficiencies

Source: COSO.org


January 2015

Data security technology on its own is not enough to ensure an optimized balance of access and security. A data security methodology that can be utilized to help optimize data security processes and minimize impact on business operations consists of:

  • Data classification
  • Discovery of where sensitive data is located
  • Applying security methods that best fit risk, data type, and use case
  • Enforcing data security policy based on principle of least privilege
  • Monitoring access


ISACA Journal, Volume 6, 2014, Bridging the Gap Between Access and Security in Big Data


Top of Page



December 2014

To ensure that communications and information are not compromised, use encryption.


ISACA Journal, Volume 5, 2014, The Price of Mobility Secure Development of Enterprise Mobility Applications


November 2014

Study says most organizations don’t deploy enough authentication technology.


Internal Auditor, October 2014, Email Integrity Falls Short


October 2014

Information technology (IT) risk is the business risk associated with the use and influence of IT within an enterprise.


ISACA Journal, Volume 5, 2014, Assessing and Managing IT Operational and Service Delivery Risk


September 2014

For security reasons, identification of non-functioning controls must be determined as quickly as possible. Notifications must occur if logging is turned off or vulnerability assessments are not being generated. Immediate escalation is also critical.


SC Magazine, September 2014, “When is a control not a control?”


August 2014

“All the benefits of information technology have a negative component that must be dealt with effectively.” This is the reality of cyberattacks, with the recognition that all systems are under active attack.


ISACA Journal, Volume 4, 2014, Bear Acceptance

July 2014

Information technology risks must be appropriately understood, managed, and controlled.


Internal Auditor, June 2014, Back to the Basics, IT Audit 101

June 2014

"By utilizing the powers of big data, organizations can significantly enhance their business processes and proactively act on risk." Risks that must be considered include the ability to appropriately capture, analyze, and secure the data.


ISACA Journal, Volume 3, 2014, Big Data


May 2014

Staff development is important in organizations and mentoring relationships can improve the quality of staff across the organization. There are five “(5) mentoring basics:

1. Find the right match

2. Establish goals

3. Meet face-to-face

4. Promote honesty and trust

5. Mentor across departments”


Internal Auditor, April 2014, Mentoring that Matters

April 2014

"Systems or devices that are not well deployed could quickly transform the benefits for which they were acquired into potential risk factors."


ISACA Journal, Volume 2, 2014, IT Strategic and Operational Controls


March 2014

Leveraging data analytics is important for any organization. Institutional objectives are better addressed by identifying the data that exists, analyzing key performance indicators, and utilizing this information accordingly.


Internal Auditor, February 2014, Bridging the Analytics GAP


February 2014

There are many benefits of continuous monitoring. Quality issues can be promptly addressed, in addition to potential training needs. If you monitor, you are more likely to identify and correct internal control problems and produce accurate and reliable information for decision-making.


Journal of Accountancy, February 2014, What Gets Monitored Gets Detected

January 2014

In today’s rapidly changing environment, leaders must be able to identify the implications of the next wave of technological, societal, industrial, and environmental changes that impact their organizations.


Internal Auditor, December 2013, Demystifying Black Swans


Top of Page




December 2013

Data analytics are extremely important in all organizations. It is critical to validate data prior to using such information in decision making processes.


ISACA, Volume 6, 2013, What Every IT Auditor Should Know About Data Analytics


Top of Page


November 2013

The most significant change in the updated COSO Internal Control Integrated Framework is the articulation of the 17 principles that fit into the control component. To view these principles, go to





COSO Internal Control-Integrated Framework, Executive Summary, Pages 6 and 7

Top of Page

October 2013

“The faster pace of business is making traditional, line-item budgets less useful. Companies need the agility that comes from a rolling forecast.”

Source: Journal of Accountancy, October 2013, Beyond Budgeting

Top of Page

September 2013

An organization’s information governance structure should establish the requirements for defining, creating, storing, accessing, using, and transmitting critical data.

Source: Internal Auditor, August 2013, Auditing Governance of Critical Information

Top of Page

August 2013

Protection of personal information is a risk management issue for all organizations. Make sure that you are aware of the multitude of privacy regulations.

Source: Journal of Accountancy, September 2012, What’s Your Privacy IQ?

Top of Page


July 2013

COSO, Committee of Sponsoring Organizations of the Treadway Commission, has issued the 2013 Internal Control-Integrated Framework (Framework). “The 2013 Framework is expected to help organizations design and implement internal control in light of many changes in business and operating environments since the issuance of the original framework.”


Source: COSO, http://www.coso.org/, 2013 Internal Control-Integrated Framework Released, May 14, 2013


Top of Page

June 2013

What does intrusion management include?

  • Intrusion detection and response
  • Service level agreements
  • Governance
  • Regulatory and compliance issues
  • Financial, technical, security, and architectural issues

Source: ISACA Journal, Volume 3, 2013, IT Security Responsibilities Change When Moving to the Cloud

Top of Page

May 2013

“Good governance, risk management, and internal controls are essential to corporate success and longevity.”


Source: Internal Auditor, April 2013

Top of Page

April 2013

Control Objectives for Information and Related Technology (COBIT) 5 provides a robust and systematic approach to ensuring that policies are used as instruments to implement accepted business strategies.

Source: ISACA Journal, Volume 1, 2013, IT Policy Framework Based on COBIT 5

Top of Page

March 2013

An effective internal control system reduces fraud risks.

Source: Journal of Accountancy, March 2013, What are the Risks?

Top of Page

February 2013

Before an organization takes advantage of “bring your own device” practices, policies and/or guidelines should be developed to ensure the protection of the organization’s data.

Source: Internal Auditor, February 2013, Auditing the BYOD Program

Top of Page

January 2013

Employees should understand that everyone in the organization is responsible for information technology security.

Source: Internal Auditor, December 2012, Evaluating the Employee Security Awareness Program

Top of Page



December 2012

Data analysis techniques should be used to detect anomalies. Outliers in the data may or may not be the result of fraud. Further analysis should be conducted to determine the legitimacy of the transactions. 


Source:  Journal of Accountancy, December 2012, Test Your Knowledge of Data Analysis

Top of Page


November 2012

In today’s environment, stakeholders realize the importance of risk considerations to the success of the organization’s strategic plan. Risks include global economic uncertainty, rapidly changing technology, and increasing regulatory challenges.

Source: Internal Auditor, October 2012, Putting Risk First

Top of Page

October 2012

Risks related to social media include image or reputation and operational effectiveness. These may include sensitive data or information loss, as well as, potential compliance violations.

Source: ISACA Journal, Volume 5, 2012, What Every IT Auditor Should Know About Auditing Social Media

Top of Page

September 2012

Organizations should know how they plan to use or are using social media. Consideration should then be given to governance, policies, procedures, and risks associated with social media.

Source:  Internal Auditor, August 2012, The Social Media Scene

Top of Page

August 2012

Risk levels are defined as:

Higher Education Industry Risks

Those risks that are external   to the institution, uncontrollable, and impacts all of higher education.     

Institutional Risks

Those risks that are typically controllable and relate to the institution’s strategic objectives.

Unit Level Risks

Those risks that are typically controllable and relate to the institution’s processes and procedures.

Source:  The Education Advisory Board

Top of Page

June 2012

“COBIT 5 is the only business framework for the governance and management of enterprise IT.” Go to this site for additional information:  http://www.isaca.org/COBIT/Pages/default.aspx

Source: ISACA website

Top of Page


May 2012

Remain alert to behaviors that may be fraud indicators. These behaviors frequently include, a sense of entitlement, rationalization, instant gratification, and disregard for authority and rules.


Source: Internal Auditor, April 2012, Inside the Fraudster’s Mind

Top of Page


April 2012

There are three basic types of cloud computing services:

Software-as-a-service: a service provider owns, hosts, and manages the software application.

Platform-as-a-service:  the client is able to deploy its created or acquired applications onto the cloud infrastructure.

Infrastructure-as-a-service: provisioning core computing power for deployment of externally hosted applications.

Source: Internal Auditor, August 2011, Auditing the Cloud1

Top of Page

March 2012

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control-Integrated Framework is being updated after nearly 20 years. One of the enhancements is the codification of the framework’s internal control concepts into 17 principles and supporting attributes. Comments may be submitted to coso.org through March 31 and release of the final framework is expected in the fourth quarter of 2012.

Source: Internal Auditor, February 2012, COSO Updates Framework

Top of Page

February 2012

Websites provide viewers with a great deal of information. Ensure that your website is continuously updated to reflect current information.

Top of Page

January 2012

Purdue’s risk categories and risk measurements may be viewed at www.purdue.edu/erm.

Risks are assessed based on likelihood (the possibility that a given event will occur) and impact (the result or effect of an event). Risks are then mitigated via a risk mitigation plan which allows for a systematic reduction in risk exposure.

Top of Page


December 2011

Infections by malicious software may allow a third party to alter, disclose, or delete data. Data integrity metrics must be applied to protect this valuable asset.

Source: ISACA Journal, Volume 6, 2011

Top of Page

November 2011

Use analytical techniques (reporting, analysis, and summarization of data) to gain an understanding of the risks within an area.

Source: Internal Auditor, October 2011, Closing the Analytics Gap

Top of Page

October 2011

Purdue’s enterprise wide risk management program goal is to:

  • ensure the seamless integration of strategic planning
  • recognize early warning risk indicators
  • link decisions with stakeholder values
  • drive sustainable synergies

For more information go to www.purdue.edu/erm

Top of Page

September 2011

“The success or failure of any major business initiative is rooted in establishing a solid strategy.”

Source: Internal Auditor, June 2011, The Whole World’s Talking

Top of Page

August 2011

Federal Awards       


The Office of Management and Budget (OMB) Circular A-133 defines federal awards as federal financial assistance and federal cost-reimbursement contracts that auditees receive directly from federal awarding agencies or indirectly from pass-through entities.

Source: Office of Management and Budget Circulars, http://www.whitehouse.gov/


Top of Page

July 2011

Cloud Computing    


Explore options for cloud computing but with consideration of risks and costs. For information on examining the business case for cloud computing see the article titled Get Your Head Into the Cloud, in NACUBO’s Business Officer.

Source: Business Officer, NACUBO, July/August 2011, Get Your Head Into the Cloud

Top of Page

May/June 2011

Service Organization Control Reports

Service Organization Control reports are internal control reports providing valuable information that users need to assess and address the risks associated with an outsourced service organization. Historically, guidance was contained in Statement on Auditing Standards (SAS) No. 70, Service Organizations, which will be retired effective June 15, 2011. SSAE 16 replaces SAS 70. There are now three Service Organization Control (SOC) reporting options. For additional information, refer to the AICPA, American Institute of CPAs website shown below.

link to AICPA website

Top of Page

April 2011

Information Security Risk Mitigation

“According to the American Institute of Certified Public Accountants’ 2011 Top Technology Initiatives survey, information security management continues to be the most important initiative affecting IT strategy, investment, and implementation in business and industries. “

Source: Internal Auditor, April 2011, The Information Security Control Environment

Top of Page

March 2011

A Sharper Focus

An important goal of the internal audit office is to create an environment in which process owners value our contributions and see us as a partner. The Internal Auditor, February 2011, contains an excellent article, titled “A Sharper Focus”, referencing heightened stakeholder expectations.

Source: Internal Auditor, February 2011, A Sharper Focus

Top of Page

February 2011


If you suspect fraud, report it http://www.purdue.edu/hotline/.  Purdue University remains committed to providing an environment where individuals may report, in a simple anonymous way, suspected fraud, waste, or abuse of University assets, as well as, regulatory noncompliance.

Top of Page

January 2011

Enterprise Risk Management

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a paper titled COSO's 2010 Report on ERM: Current State of Enterprise Risk Oversight and Market Perceptions of COSO's ERM Framework. This document is available on COSO's (www.coso.org) website.

Top of Page



December 2010

ERM at Purdue

Information about Purdue's Enterprise Risk Management (ERM) model may be viewed at


Top of Page

November 2010

Managing Information Technology Risks

“The complexity and diversity of mission/business processes in modern organizations and the multitude of information systems that are needed to support those processes require a holistic approach to building effective information security programs and managing organizational risks.”

Source: ISACA Journal, Volume 5, 2010, FISMA 2010: What it Means for IT Security Professionals

Top of Page

October 2010

Replacing Statement on Auditing Standards (SAS) No. 70, Service Organizations

Statement on Auditing Standards (SAS) 70, Service Organizations has been replaced with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SSAE No. 16 is based on International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization.

For additional information, read the summary SSAE No.16.

Top of Page

September 2010

ACFE Fraud Resources

The Association of Certified Fraud Examiners (ACFE) provides a number of fraud resources that you may find helpful. These may be viewed by clicking here

Top of Page

August 2010

Higher Education Risk Categories

Higher education risk categories differ by institution; however, common risk categories include financial matters, health and safety issues, research noncompliance, human resources violations, athletics noncompliance, and harassment or discrimination issues.

Top of Page

July 2010

Risk Assessment

Risk should be assessed as both a probability of occurrence and a magnitude of effect, or the product of the two. So for each risk, the potential magnitude or monetary loss should be identified as well as the likelihood that the event will occur (a percentage).

Source: ISACA Journal, Volume 6, 2009, What Every IT Auditor should Know About IT Risk Assessment

Top of Page

June 2010

Federal Awards Compliance Requirements

There are 13 types of compliance requirements that may apply to a federal program.

  • Activities Allowed or Unallowed
  • Allowable Costs/Cost Principles
  • Cash Management
  • Davis-Bacon Act
  • Eligibility
  • Equipment and Real Property Mgmt.
  • Matching, Level or Effort, Earmarking
  • Period of Availability of Fed. Funds
  • Procure and Suspend and Debar
  • Program Income
  • Reporting
  • Subrecipient Monitoring
  • Special Tests and Provisions

Details for each of these requirements may be found in the OMB-A133 Compliance Supplement.

Top of Page

May 2010

Contracts with Outside Businesses

Contract elements are essential when establishing external business relationships. Make certain that a right-to-audit clause is included. Also, request and evaluate SAS (Statement of Auditing Standards) 70 reports.

Source: Internal Auditor, April 2010, The Complex Sea of Third-Party Risk

Top of Page

April 2010

What is the difference between a risk and a control?

A risk involves the possibility of a threat while a control is implemented to minimize the impact of the threat

Top of Page

March 2010

When information technology duties are not properly segregated, privileged user monitoring becomes critical. For example, database administrators with the duties of system administrator and developer have “super user” capabilities which can result in accidental database errors or intentional abuse. Database activity monitoring is critical for those entities with restricted data to protect as well as those that are subject to regulations related to monitoring against data misuse.

Source: InformationWeek, February 22, 2010, Who’s In Your Database?

Top of Page

February 2010

Risk and Internal Controls – What is the relationship?

A strategy often used when dealing with risk is mitigation. Internal controls are important methods of risk mitigation. Thus, failure of internal controls can result in the failure to mitigate the risk or the creation of new risks.

Top of Page

January 2010

Monitoring Key Performance Indicators

Key performance indicators enable management at every level of the organization to monitor the business. These indicators provide insight into risk levels and allow for determinations that strategies, initiatives, and goals are being met.

Source: Internal Auditor, December 2009, Beyond Continuous Auditing

Top of Page


December 2009

Sustainable Cost Reduction

“Sustainable cost reduction is a systematic approach to eliminating cost through the use of strategically tailored industry leading practices surrounding people and organization, effective use of technology, and efficient and effective processes geared towards specific actions and results.”

Source: Perspectives in Higher Education 2009, PriceWaterHouseCoopers

Top of Page

November 2009

Network Security Firewalls

  • work to block unsolicited entry
  • are critical for any security strategy
  • provide a line of defense
  • must be properly configured
  • must be routinely tested to ensure that they are functioning as intended

Top of Page

October 2009

Separation of duties is a basic internal control framework. If well designed, with a risk based focus, it can enhance controls while allowing for efficiencies in processes.

ISACA Journal, Volume 5, 2009, A Risk-based Approach to Segregation of Duties

Top of Page

September 2009

Establishing appropriate compliance and control metrics is critical when managing risk related to outsourced operations. Due diligence is required in order to properly assess whether the institution desires to be a business partner with a specific outside entity. After entering into an outsourced partnership, contractual and financial metrics need to be managed accordingly.

Top of Page

August 2009

Risk assessment is a key component of information technology disaster recovery planning. In a large organization, it is often challenging to determine which applications are critical and who relies on which applications. The risk assessment process must include an analysis of what the cost is when the systems are down (both current and future costs).

Top of Page

July 2009

For information on the Office of Management and Budget (OMB) Circular A-133 new compliance supplement go to: OMB Circulars A-133 Compliance

Top of Page

June 2009

Understanding Risks

Risk events must be considered in conjunction with controls that have been developed to ensure that objectives are met. In established areas where systems and processes exist, a residual risk approach works well. This approach begins by identifying controls already in place to achieve the business objective. Control gaps may then be identified. In this environment, the largest risk is that the existing controls are not being executed. When considering new strategic initiatives or new business segments, the identification of inherent risks may better serve the organization. In this approach, risk events are listed along with a risk rating probability. Based on this analysis, the organization determines the appropriate design of controls.

Source: Internal Auditor, April 2009, Risk Watch, The Matrix Revisited

Top of Page

May 2009

Business Continuity Planning for a Pandemic

To address the business risks associated with a pandemic, processes and procedures should exist to ensure continuity of essential operations during an extended period of high illness rates in the workforce. Plans need to be made well in advance – by the time staff are becoming ill, it may be too late.

Critical business processes should be protected by training more personnel to take over essential roles. Simple changes in the work environment such as having fewer face-to-face meetings, rigorous hygiene, and frequent cleaning of common area surfaces may help to mitigate the risks.

Click the link to view Purdue's preparedness plan titled, Revised Recommendation for Purdue Pandemic Preparedness

Top of Page

April 2009

Data at Risk

There are many reasons why data are at risk and why companies must do more to protect valuable data assets.

  • Information is transmitted and archived in sophisticated systems with links to the Internet.
  • Companies are slow to deal with technology change.
  • Data are stored on many types of electronic devices.
  • Technology is continually changing.

Source: Internal Auditor, April 2009, Managing Risk in a Hostile World

Top of Page

March 2009

Business Unit Risk

Understanding the overall risks of each business unit is critical. By understanding the risk, effective and efficient processes can be developed to assist in controlling the risk. Take a moment to identify the risks and then verify that processes and procedures are effective in mitigating the risk.

Top of Page

February 2009

Who is managing risks?

Management must understand the primary vulnerabilities to the organization’s business model and establish appropriate risk expectations. These then are incorporated into business practices.

Source: Internal Auditor, December 2008, How Much Armor Is Enough?

Top of Page

January 2009

Identity Theft Red Flags

The Federal Trade Commission and other federal financial institutions issued rules on identity theft “red flags”. Certain entities that hold consumer account information, for which there is a reasonably foreseeable risk of identity theft, must develop and implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts.

Source: http://www.ftc.gov/opa/2007/10/redflag.shtm

Top of Page


December 2008

Security of Data

Protection of data is certainly the biggest security driver. Awareness of the types of data and the appropriate mechanism for protecting various data is critical for any organization. Data classification and handling information may be viewed by clicking here.

Top of Page

November 2008

Electronic Media Destruction

Destruction practices for either physical or electronic media is intended to prevent data disclosure. USB drives, compact flash, and other such media may not be reliably wiped of data. If disposal is the ultimate goal, physical destruction is recommended. Consult with security staff to ensure your planned destruction is appropriate.

Top of Page

October 2008

Reputational Risk

Reputational risk is the potential that negative publicity regarding an institution's practices and policies, whether true or not, may damage the institution’s image or its good name. The National Association of College and University Business Officers (NACUBO) published an article titled Assessing Reputational Risk, by Frank Kurre, April 2007. This article may be viewed at http://www.nacubo.org/x8958.xml

Top of Page

September 2008

Risk Mitigation

At various organizational levels, risk mitigation mechanisms are typically in place to cover specific activities and operations.

Internal Auditor, August 2008

Top of Page

August 2008

Enterprise Risk Management

There are three major benefits of enterprise risk management which include improved business performance, increased organizational effectiveness, and risk reporting.

Chapman, Robert J. (2006) Simple Tools and Techniques for Enterprise Risk Management, West Sussex, England, John Wiley & Sons Ltd.

Top of Page

July 2008

How to Report Suspected Fraudulent Activities

Purdue University has controls in place to provide reasonable assurance that fraudulent, illegal or dishonest activity on the part of University employees, officers, or business contacts is prevented or detected, but the potential for inappropriate transactions and behavior still exists. Please report any suspected fraudulent activity or other wrongdoings by contacting the Internal Audit Office at (765) 494-6194. To anonymously report, call (765) 494-6999, toll free (866) 818-2620. For more information, please visit www.purdue.edu/fraud

Top of Page

June 2008

IT Risk Assessment

Critical thoughts that should be considered when addressing information technology (IT) risk include identifying the mechanisms that are in place to ensure the IT systems are in-line with business objectives, how risks are mitigated, and what the IT department’s role is in ensuring that the business can continue to operate in the event of interruption.

Concepts from Internal Auditor, June 2008, Addressing IT Risk

Top of Page

May 2008

Data Security Requirements

Data protection compliance requirements vary by industry. Security requirements are typically structured to promote effective information security policies, secure networks, protection of data, vulnerability management, strong access controls, and regular monitoring and testing.

Concepts from The EDP Audit, Control, and Security Newsletter, April-May 2008, VOL. XXXVII, NOS. 4-5 and the Payment Card Industry Data Security Standard

Top of Page

April 2008


Printers are typically networked devices that are as vulnerable as other networked devices. Remember to secure printers accordingly.

Top of Page

March 2008

Enterprise Risk Management

Managing risk is critical to the success of any organization. Organizations need to identify events that impact objectives, assess the risks associated with those events, and develop action plans to manage the risks.

Top of Page

February 2008


Pursuant to the policy and procedure established by the Board of Trustees, it is the responsibility of the dean, director, chancellor, and head of school, division, department and office for each area to assure that all fees and charges of any kind have been previously approved by the Board of Trustees or the executive vice president and treasurer or his designee. (See Executive Vice President and Treasurer Memo A-18.)

Additional information may be viewed at PU Business Procedures Manual

Top of Page

January 2008

Statement of Integrity

Purdue University has a tradition of ethical conduct spanning its history. As members of the Purdue community, we demonstrate unyielding and uncompromised integrity in support of the highest standards of excellence for the University. As individuals, we all contribute to this Purdue standard of integrity as an exemplary model for all universities.

The above sentences are from the Purdue University Statement of Integrity. The entire document may be viewed at: http://www.purdue.edu/purdue/about/integrity_statement.html

Top of Page


December 2007

Continuous Monitoring

What does continuous monitoring mean? Basically, it is a methodology used by management and audit departments that leverages technologies and processes to perform continuous reviews and analyses of business information.

Top of Page

No tip posted for November 2007

Top of Page

October 2007

Security Awareness Month

ITaP Networks and Security announced that October is security awareness month. The following are topics that they will be presenting during October.

October 10
Internet Riding Safely - A discussion of ways to safelyuse the internet

October 17
Cybercrime and Copyright Infringement - Intellectual property strategies and the law and cyber forensics

October 24
Future Destinations: Trends in Technology - New trends in the coming year

October 31
Destination Unknown - A discussion on information technology and the future of higher education

To find out more about these upcoming events visit the ITaP website at: ITap

Top of Page

September 2007

Are Your Controls Efficient?

Last month, our focus was on management’s role in continuously monitoring the effectiveness of internal controls throughout the organization. To be effective, an internal control process must be one that assures the right things are being done. Management is also accountable for assuring the efficiency of operations (IIA, 2007); for reviewing internal controls that assure people and systems are doing things right. Business objectives can only be met by doing the right things right. When effective internal control processes are not being performed efficiently, the overall business objective is still compromised.

Reference: The Institute of Internal Auditors (September 2007)

Top of Page

August 2007

Are Your Controls Effective?

Managers and supervisors are responsible for establishing appropriate controls and monitoring their effectiveness to provide reasonable assurance that the goals and objectives of their department are being met.

Do your controls:

  • Prevent or detect deviations early to limit costly errors?
  • Provide reasonable (not absolute) assurance of achieving objectives?
  • Operate effectively when compared to the costs of the potential error?

Or, are your controls:

  • Excessive or redundant?
  • Missing?
  • Ignored?
  • Out of date?
  • Poorly communicated or misunderstood?

Top of Page

July 2007

No tip posted for July

Top of Page

June 2007

GAO Issues Revised Yellow Book1

The U.S. Government Accountability Office (GAO) has revised the Government Auditing Standards, commonly referred to as the Yellow Book. The standards are effective for periods beginning on or after January 1, 2008. The revised Yellow Book can be accessed on the GAO’s Web site: www.gao.gov

Internal Auditor, April 2007

Top of Page

May 2007

Purdue University Information Security Program

Objectives of the Purdue University Information Security Program for the Gramm Leach Bliley Act (GLBA) and Health Insurance Portability and Accountability Act of 1996 (HIPAA) may be found at: The Purdue University Information Security Program

Top of Page

April 2007

Unmanaged Privileged Passwords

“Failure to update privileged passwords – accounts that enable users to control and configure applications and data – expose organizations to serious security problems.1” Unique passwords should be assigned to each privileged account.

The Institute of Internal Auditors, December 2006, “Unmanaged Privileged Passwords Pose Security Risks”

Top of Page

March 2007

Best Practices for Remote View/Control of Workstations

IT often uses remote tools to assist in legitimate troubleshooting of computer hardware or software issues. These features add risks for security and confidentiality when support personnel view your screen in real-time.

Use the following guidelines when authorizing remote view or control of your workstation:

  • Do not accept remote view or control requests that you have not initiated. (If you did not place the call for assistance, then do not give access to anyone).
  • If it is necessary to allow remote access, then only grant it to appropriate support personnel.
  • Close all applications that are unnecessary to resolving the issue for which you need support.
  • Remain at your workstation at all times when remote viewing or controlling is taking place.
  • You are responsible for any actions taken while you are logged in, so watch carefully what action is taken on your computer.
  • Always ensure that the remote view or control is disconnected/terminated after support personnel have assisted you.
  • Be alert for “social engineering” attempts to gain remote access to your computer whether by phone or email. Report any attempts to your supervisor.
  • If you are uncomfortable with actions taken during a remote control session, immediately end the session and tell your supervisor who will report the incident according to Purdue’s Incident Response Policy.

Top of Page

February 2007

Fraud Reporting Toll Free Number

The anonymous fraud-reporting program toll free number is 866-818-2620. You may anonymously report information anytime day or night. In addition to the toll free number, you may also report information anonymously at (765) 494-6999.

Visit www.purdue.edu/fraud for additional information.

Top of Page

January 2007

Fraud Reporting

Best practices provide for a fraud-reporting program as an important part of a healthy business environment. Purdue University has in place controls to provide reasonable assurance that fraudulent, illegal or dishonest activity on the part of University employees, officers, or business contacts is prevented or detected, but the potential for inappropriate transactions and behavior still exists within the University, as it does in any organization. Therefore, consistent with best business practices, Purdue University has implemented a fraud-reporting program to ensure that the University provides a mechanism for reporting improper or inappropriate acts.

The Internal Audit Office is responsible for the administration of the Purdue University fraud-reporting program. For additional information on the program, please visit www.purdue.edu/fraud. A Disclosure Form for anonymous reporting is available at the website or you may leave an anonymous message by calling the dedicated fraud reporting program telephone number: (765) 494-6999.


December 2006

Control Deficiency

Statement on Auditing Standards (SAS) 112 states that a control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

Statement on Auditing Standards (SAS) 112, Communicating Internal Control Related Matters Identified in an Audit

Top of Page

November 2006

Data Security

Data is a valuable organizational asset and requires appropriate levels of security. The University continues to educate on improving the security of data via an initiative called SecurePurdue. For details on how you can help to provide a secure data environment go to www.purdue.edu/securePurdue

Top of Page

October 2006

Computing Assets

Computing assets and associated risks relative to these assets must be identified in order to mitigate departmental or institutional risks. In a decentralized computing environment, each area must identify hardware, software, systems, services, facilities, or related technology assets. Risks related to these assets must then be identified which may include lack of system administration training, desktop access controls, operational policies, strong passwords, data protection, internal or external physical security, secured text transmissions, and natural disaster planning. Once assets and risks of each of these assets have been identified, appropriate solutions to mitigate the risks must be implemented.

Concepts are from: Using System Audits to Strengthen IT Security by Randy Marchany, Virginia Tech University

Top of Page

September 2006

Take Responsibility to Prevent Fraud

Everyone is responsible for ensuring that a culture of integrity is maintained at the University. We must never take any action that would be inappropriate or would violate laws or our policies. When confronted with new, unclear, or important situations, we need to apply the 5 point test to answer “Would it be right?”

  • Would I have to hide what I did?
  • Would it deceive anyone?
  • Would it give me an advantage to which I am not entitled?
  • Would I be happy to be on the receiving end?
  • Would it be OK if everyone did this?

Source: Indiana CPA Society Anti-Fraud Conference, August 30, 2006 - Syrus Global

Top of Page

August 2006

Electronic Mail

Electronic mail (e-mail), a primary communications mechanism, provides increasing risks for higher education. E-mail usage has grown tremendously and yet institutional expectations for managing e-mail usage have not kept pace.

Click here for Purdue University’s policy on e-mail.

Per this policy, e-mail stored on a University e-mail system will generally be preserved for no longer than 30 days after deletion. E-mail residing on the mail servers is retained indefinitely as are any e-mail items archived to files. Staff should not retain departmental information in this manner. Instead, e-mail containing information necessary to the University’s operation should be retained either electronically or on paper in departmental account folders.

Top of Page

July 2006

Business Risks

Business risks exist in all areas including operations, revenue, expenses, regulations, control environments, and information technology. Some of the primary areas where internal controls may not be functioning as intended include physical controls, separation of duties, authorization, compliance, and data (integrity, reporting, and monitoring). In order to assess business risks and to determine if controls are effective, you need to understand the goals of the operation and compare the goals to the process.

Top of Page

June 2006

Data Classification Standards

To identify the controls required to protect data, it is first necessary to understand the types of data that the institution has. Over the years, Purdue University has developed data classification standards.

Top of Page

May 2006

Protection of Data

The University has been diligently working to secure data. We each have a responsibility to ensure that data are protected. Please go to the SecurePurdue website to learn more about what you can do. Check it out at: http://www.purdue.edu/securepurdue/

Top of Page

April 2006

Enterprise Risk Management-Integrated Framework

In September 2004, The Committee of Sponsoring Organizations (COSO) released the Enterprise Risk Management-Integrated Framework. This framework is designed to include effective internal controls and effective risk management.

For additional information on this framework, please go to COSO’s website at http://www.coso.org.

Top of Page

March 2006

A Quicker Way to Lock Your Computer

Whenever you step away from your personal computer, you should ensure that it is locked. On Windows-based machines, most people accomplish this by pressing the Ctrl, Alt, and Delete keys and then clicking the “Lock Computer” button (or pressing enter). An even quicker way is to press the “Windows” key and the “L” key simultaneously. (The “Windows” key is the key with the Windows icon on it.)

The University’s security guidelines call for you to lock the workstation whenever it will be left unattended.

Top of Page

February 2006

Internal Control-Integrated Framework

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued the Internal Control-Integrated Framework. This framework has served as the blueprint for establishing internal controls that promote efficiency, minimize risks, and help ensure the reliability of financial statements, and comply with laws and regulations.

An excellent summary article titled 1Putting COSO’s Theory into Practice can be located at the COSO website: http://www.theiia.org/download.cfm?file=42122

Top of Page

January 2006

Fraud Reporting Program

Best practices provide for a fraud reporting program as an important part of a healthy business environment. Purdue has established a Fraud Reporting Program to provide a mechanism for individuals to report improper or inappropriate activities not identified by existing controls.

There may be times when employees, students or other University contacts suspect or become aware of questionable acts concerning the University. For additional information on the program, please visit www.purdue.edu/fraud. A Disclosure Form for Anonymous Reporting is available on the website. A telephone number is also available for anonymously reporting suspected fraud or other wrongdoings. The dedicated Fraud Reporting Program Telephone Number is (765) 494-6999.

Top of Page


December 2005


Did you know Purdue has a website devoted to information and resources that will help you improve both the information security of the University and your own personal information?

Check it out at: http://www.purdue.edu/securepurdue/

Top of Page

November 2005

Best Practice for Network Security

Security is not something you have or don't have, it is something you do. Network security is a never-ending race between those who discover exploits and those who block them. That is why it is pointless to maintain an authoritative list of current vulnerabilities. The practical approach is to secure your server with all new vulnerabilities/patches today, then update your server each week (or day!) as the new vulnerabilities/patches arrive.

Source of information: SANS Institute, Securing Internet Information Server, 2005.

Top of Page

October 2005

Why is securing information systems so challenging?

  • People are responsible for security, and they are fallible.
  • Security processes include prevention, detection, and recovery. These processes rely on people doing the right things.
  • Security technologies sometimes fail (unsuspected bugs, etc.).

Source: Information Systems Control , Volume 4, 2005, IS Security Matters

Top of Page

September 2005

The Internal Control

Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) contains the following key concepts:

  • Internal control is a process and is a means to an end, not an end in itself.
  • Internal control is effected by people.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
  • Internal control is geared to the achievement of the organization's objectives.

Top of Page

August 2005

You are Accountable for Effective Controls

Effective controls allow organizations to manage operational and financial integrity while complying with laws and regulations, which increases confidence in business performance. Controls are the essential outcome of policies, procedures, and guidelines and are defined from policy statements. Each person is accountable for ensuring effective controls. Ultimately, control or compliance violations, whether malicious or accidental, come down to people. The effectiveness of the control environment is dependent on each person understanding that they are accountable for certifications and reviewing and monitoring information, and that approaching compliance is an ongoing process.

Source of Information: Seven Habits of Highly Effective Compliance Programs , Michael Rasmussen, July 12, 2005

Top of Page

July 2005

Protect University Data

Get rid of sensitive or restricted data where possible. If it is not collected, it can't be compromised. When extracting data from its original secured environment via Brio or other reporting tools, do not save data to local hard drives or other unprotected storage areas.

Top of Page

June 2005

E-mails as public records!

E-mails with a person's name on them can be considered a public record. Everyone has the right to make a public records request for University documents.

Source: Leading Edition E-Newsletter for Purdue University Supervisors.

Click here for complete article

Top of Page

May 2005

Due to technical difficulties no tip was posted for the month of May.

Top of Page

April 2005

Due to technical difficulties no tip was posted for the month of April.

Top of Page

March 2005

Information Technology Controls

Information technology application controls are the automated and manual controls around a computer system or application.

Information technology general controls include:

  • Controls over application development and maintenance (the data center, the network, and the security of programs);
  • Controls over data security; and
  • Controls over the efficiency of the information technology function. Information technology controls (application and general controls) are part of the overall organizational control structure and work in combination with other control procedures to manage business risks.

Internal Auditor, August 2004, The More Things Change ...

Top of Page

February 2005

Control Risk

Control risk is a function of the effectiveness of the design and operation of internal control structure policies or procedures in achieving the entity's broad internal control structure objectives relevant to an audit of the entity's financial statements. Some control risk will always exist because of the inherent limitations of any internal control structure.

SAS-47, Statements on Auditing Standards

Top of Page

January 2005

Follow-up Procedures

Monitoring is a critical activity in creating a strong control environment (see August 2004 tip); however, equally as important is investigating unexpected activity detected during monitoring. Good monitoring procedures identify unusual activity, but it is adequate follow-up procedures that verify whether the unusual activity was appropriate. Good follow-up procedures include verification from external sources, corroboration from multiple individuals involved in the activity, and substantiation from other valid sources of data.

Top of Page


December 2004

Bad Passwords Cause Good Security to Fail - Make Your Password Strong!

Create a strong password that you can remember. Never use consecutive numbers or letters on your keyboard and never use a word that can be found in a dictionary. Hackers use complex tools that allow them to guess this type of password. A strong password is at least eight characters, includes a combination of letters, numbers, and symbols, and is easy for you to remember but difficult for others to guess. By using a strong passphrase, you can establish a strong password that you can remember.

Source of information: Microsoft, May 3, 2004, Creating Stronger Passwords

Top of Page

November 2004

Understanding the "whys"

An internal control that is often overlooked, and the importance often underestimated, is understanding why certain tasks are performed in an operation. Understanding why a task is performed is almost as important to the internal controls as actually performing the task itself. If an employee does not understand why they are performing a step, errors may occur that are not detected. For example, if an employee is assigned the task of matching documents without understanding the ultimate purpose of the step is to reconcile activity to general ledger, the employee may not realize that the steps of matching documents does not detect activity that incorrectly posted to general ledger and does not detect activity that never posted at all. Once the purpose of the task is understood, controls are enhanced and the effectiveness of employee's work is increased.

Top of Page

October 2004

Enterprise Risk Management-Integrated Framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has released an Enterprise Risk Management - Integrated Framework. To view the executive summary go to the following website:


Top of Page

September 2004

Internal Audit Office
Audit or Assurance Services

Audit or assurance services involve the internal auditor's objective assessment of evidence to provide an independent opinion or conclusion regarding a process, system, or other subject matter. The Director of Audits determines the nature and scope of the audit or assurance engagement. There are generally three parties involved in assurance services: (1) the person or group directly involved with the process, system, or other subject matter (the process owner), (2) the person or group making the assessment (the internal auditor), and (3) the person or group using the assessment (the user).

Source of information: The IIA Research Foundation, The Professional Practices Framework, January 2004

Top of Page

August 2004


Ongoing monitoring is a crucial management activity. There are two approaches to ongoing monitoring: ongoing activities or separate evaluations. Ongoing monitoring is part of the normal, recurring operating activities. Because it is performed on a real-time basis, it is more effective than separate evaluations. Separate evaluations take place after the fact and problems are not always identified quickly. Examples of ongoing monitoring activities include regular management and supervisory activities, variance analysis, comparisons, reconciliations and other routine activities. Separate evaluations vary in scope and frequency depending on risks and related controls in managing the risks. Examples of separate evaluations may include self-assessments, and the work that internal auditors perform as part of their regular duties.

Source of information: COSO, The Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Framework

Top of Page

July 2004


You have likely heard considerable information about identity theft but did you know that identity theft can happen if someone compromises your password? If your password is compromised, an unauthorized user has the same system rights that you have. It is your responsibility to protect system information by using a strong password.

Create a strong password that you can remember. Never use consecutive numbers or letters on your keyboard and never use a word that can be found in a dictionary. Hackers use complex tools that allow them to guess this type of password. A strong password is at least eight characters, includes a combination of letters, numbers, and symbols and is easy for you to remember but difficult for others to guess. By using a strong passphrase, you can establish a strong password that you can remember.

Always keep your passwords a secret and never provide your password to anyone! Watch out for scams such as phishing. This is a practice of sending bogus emails that appear to come from trusted sources. You are asked to respond by entering your login name and password (your password has just been compromised)! Before responding to something that appears unusual to you, check with your supervisor.

Source of information: Microsoft, May 3, 2004, Creating Stronger Passwords

Top of Page

June 2004

Monitoring of Information Technology Event Logs

Well-conceived and properly enforced internal controls include identifying specific information technology (IT) events that should be logged as audit entries. A logging process is required in order to recreate pertinent system events and actions taken by system users and administrators. A monitoring process is required in order to identify questionable data access activities, investigate breaches, respond to potential weaknesses, and assess the security program.

Simply logging the events is not sufficient; the logs must be reviewed periodically. The following should be considered when reviewing event logs.

  • Follow-up on suspicious events such as intrusion attempts, authorized accesses at unusual times, and unusual changes to infrastructure devices.
  • Identify, investigate, report, and respond to inappropriate activity.
  • Ensure that audit requirements and activities do not unduly disrupt critical business processes.
  • Agree to and control the scope of the events to check.
  • Identify the individual performing event analyses as one independent from those setting audit trail rules. Ensure they are available and that they record who, what, when, where, and why sensitive information is released. Rules-of-evidence integrity must be maintained.
  • Document all event capturing and analysis procedures, requirements, and responsibilities, including when to involve inforensics specialists.
  • Develop a process to ensure that users comply with access control procedures, including strong password creation and protections.
  • Audit all user activity where risk levels warrant.
  • Employ event analysis support tools and/or e-intelligent methods of correlating log data to detect suspicious activity and reduce volume.

Top of Page

May 2004

Internal Control Systems

What are the primary objectives of an internal control system?

  • Compliance with laws and regulations.
  • Financial reporting accuracy.
  • Operations efficiency and effectiveness.

What are the essential components of a control system?

  • Control environment,
  • Risk assessment,
  • Control activities,
  • Information and communication, and
  • Monitoring.

For more information, please contact the Internal Audit Office.

Top of Page

April 2004


Risk is the uncertainty of an event occurring that could have an impact on the achievement of departmental objectives. Risk is realized when:

  • Objectives of the business are not achieved.
  • Assets of the business are not safeguarded.
  • There is non-compliance with organization policies and procedures or external regulations.
  • Resources of the department are not utilized in an economic, efficient, or effective manner.

Top of Page

March 2004

Information Technology Control Objectives*

What are information technology control objectives? Information technology control objectives are typically presented in three major categories:

  • Company Level
  • General Controls
  • Application Controls

At the company level, controls set the tone for the entity and include systems planning, enterprise policies, governance, codes of conduct, and fraud prevention. At the general controls level, controls are embedded in common services and include systems maintenance, disaster recovery, physical and logical security, data management, and incident response. At the application level, controls are embedded in business process applications and are designed to achieve completeness, accuracy, validity and recording assertions and include authorizations, approvals, tolerance levels, reconciliations, and input edits.

*Institute of Internal Auditors, February 10, 2004, Are you Ready for IT Control Identification and Testing

Top of Page

January/February 2004

Internal Audit Mission

The mission of the Internal Audit Office is to provide independent, objective assurance and advisory services designed to add value and assist all levels of administration in achieving University objectives by striving to provide a positive impact on the efficiency and effectiveness of the operations. The Internal Audit Office helps the University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Please contact our office for assistance in evaluating changes in your internal control environment, new risks as a result of process or personnel changes, etc.

Top of Page


December 2003

Wireless Vulnerabilities

The ease of deploying wireless technologies in today's environment comes as a mixed blessing. Installation and setup of a wireless environment is a relatively easy task, however, securing the wireless technology is another challenge altogether. The user is the common ingredient in both wireless and wired environments, and also the weakest link in both areas. Installing and securing wireless technologies are two very different processes. A user installing wireless devices must understand the importance of security and know how to configure the device to protect the organization's network and data. Sixty to ninety percent of WLANs (Wireless Local Area Networks) are deployed without the most basic of security mechanisms (changing default names, enabling encryption, optimizing placement of the Access Point, etc.). The challenge is not plugging in devices and making them work. The real challenge is understanding the security position that the organization is being placed in by the configuration, knowing the difference between secure and insecure, and knowing who to contact (or knowing how) to change the configuration to protect your organization.

Top of Page

November 2003

The Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Integrated Control-Integrated Framework

There are five steps, or components, in the internal control framework, all of which are management's responsibility. The five steps are:

  • The control environment contains informal, and often intangible, soft controls such as ethics, integrity, philosophy, and commitment to competence, as well as formal controls like assignment of roles and responsibilities.
  • Risk assessment is management's identification and analysis of risks to the achievement of its objectives.
  • Control activities are the mechanisms management establishes to ensure directives are carried out.
  • Information and communication refers to employees getting the information they need to do their jobs and communication relates to the free flow of information in the organization.
  • Monitoring involves day-to-day oversight by managers, periodic reviews by auditors, and the processes management uses to address and correct known deficiencies.

Remember that management is responsible for internal controls!

Top of Page

October 2003


Even though Sarbanes-Oxley is not directly applicable to colleges and universities, it is important for colleges and universities to assess policies and procedures with the conceptual framework of Sarbanes-Oxley in mind. It is important to review internal procedures and controls as well as monitor compliance with requirements.

Top of Page

August 2003


Internal controls may be preventive, detective, or corrective. A preventive control is designed to prevent undesirable outcomes before they happen, a detective control is designed to identify the undesirable outcome when it happens, and corrective controls are designed to reverse the undesirable outcome or ensure that it does not recur.

Detective controls include reviews and comparisons as well as reconciliations. These controls are critical to ensuring the accuracy of the general ledger data. For example, subsidiary systems must be reconciled with general ledger data to ensure the accuracy of general ledger data.

Top of Page

July 2003


Monitoring is a critical internal control. Ongoing monitoring includes regular management and supervisory activities. Examples of ongoing monitoring include:

  • Review of operating and financial reports to identify inaccuracies or exceptions;
  • Oversight of reconciliation processes and procedures to ensure accuracy and proper separation of duties;
  • Review of information indicating that problems may exist;
  • Oversight of control functions and identification of deficiencies;
  • Comparison of recorded data to physical assets; and
  • Routine assessment of internal controls.

Top of Page

June 2003

COSO provides an excellent framework for evaluating your internal control environment.

What is COSO?

COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.

Who sponsored the National Commission?

The National Commission was jointly sponsored by the five major financial professional associations in the United States, the American Accounting Association, the American Institute of Certified Public Accountants, the Financial Executives Institute, The Institute of Internal Auditors, and the National Association of Accountants (now the Institute of Management Accountants). The Commission was wholly independent of each of the sponsoring organizations, and contained representatives from industry, public accounting, investment firms, and the New York Stock Exchange.

What is the COSO integrated framework of internal control?

Integrated Framework of Internal Control

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring

What are the Key Concepts?

  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

Reference COSO website or contact the Internal Audit Office for additional information.

Top of Page

May 2003

Controls Self Assessment

Controls Self Assessment is a tool or strategy used to provide management an opportunity to evaluate its own internal control environment through process maps and internal control questionnaires. Management can assess the overall performance of the operation, compliance with policies and procedures, evaluate business controls, and ensure effective business risk management.

If you desire assistance from the Internal Audit Office in developing your controls self-assessment strategy, please contact iadirector@purdue.edu or call 494-7588.

Top of Page

April 2003

What is a balanced scorecard framework?

It is a strategy-focused approach to performance management that includes non-financial and financial performance measures that are derived from the organization's vision and strategy. The balanced scorecard represents a strategic performance management and measurement system.

A Balanced Scorecard Framework for Internal Auditing Departments, The Institute of Internal Auditor's Research Foundation

Top of Page

March 2003

Internal Control Who is Responsible for it?

The short answer is EVERYONE in the Organization. While different levels of the Organization may be responsible for different aspects of internal controls, everyone has an obligation to make sure adequate levels of internal control exist. Five elements of internal control are the control environment, risk assessment, control activities, information and communication, and monitoring.

Recent legislation enacted by the United States Government (The Sarbanes-Oxley Act of 2002), which generally applies to all publicly traded companies, reinforces management's responsibility for establishing and maintaining a system of internal controls.

Top of Page

January 2003

Internal Control What is it?

A process within an organization designed to provide reasonable assurance that:

  • information is reliable, accurate, and timely
  • compliance exists with policies, plans, procedures, laws, regulations, and contracts
  • assets (including people) are safeguarded
  • resources are used economically and efficiently
  • overall established objectives and goals are met.

Top of Page


November 2002

Performance Monitoring

Monitoring is a process that allows for the assessment of the quality of the department's performance over time. Key components of monitoring include:

  • Routine evaluations of the overall effectiveness of the internal control systems, processes, and procedures;
  • Assessment of the organization structure for effectiveness;
  • Evaluation and review of policies and procedures; and
  • Evaluation of risk assessment procedures.

Ongoing monitoring is critical to ensuring proper evaluations and immediate changes, when necessary, to the department or operation.

Top of Page

October 2002

Preventive, Detective, and Corrective Controls

Controls give organizations the ability to achieve effective and efficient operations, to produce reliable financial reports, and to comply with applicable laws and regulations. Controls are generally categorized into three major categories: preventive, detective, and corrective.

Preventive controls prevent undesirable outcomes before they occur. They are more cost-effective than detective controls. Examples of preventive controls include:

  • Segregation of duties;
  • Programmed edit checks;
  • Use of access control software that allows only authorized personnel to access sensitive files; and
  • Employment of trustworthy, competent people.

Detective controls detect that an error, omission, or malicious act has occurred and report the occurrence. They measure the effectiveness of the preventive controls. Some errors cannot be prevented, so they must be detected when they occur. Examples of detective controls include:

  • Hash totals;
  • Check points in production jobs;
  • Past due account reports;
  • Bank reconciliations; Cash counts; and
  • Physical counts of inventories.

Corrective controls take over when improper outcomes occur and are detected. They are designed to identify the cause of a problem and to correct errors arising out of a problem. Examples of corrective controls include:

  • Contingency planning;
  • Back-up procedures; and
  • Re-run procedures.

Top of Page

September 2002

Information Technology Controls

In our August tip, we discussed the impact of SAS 94 on information technology controls. Controls associated with computer operations can be grouped into two broad categories ­ general controls and application controls.

General controls commonly include controls over data center operations, system software acquisition and maintenance, access restrictions, security, and application system development and maintenance.

Application controls include computerized steps within the application software. They are related to manual procedures that control the processing of various types of transactions. Together, these controls serve to ensure completeness, accuracy, and validity of all information in the system. This information is identified, captured, processed, and reported formally and informally. It is important to note that the quality of information influences the quality of decisions.

Top of Page

August 2002

Effective Information Technology Controls are Critical to the University

In April 2001, the American Institute of Public Accountants (AICPA) issued a statement on auditing standards (SAS) No. 94 titled, The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit. This standard provides guidance on the effect of information technology on internal control and on the auditor's understanding of internal control and assessment of control risk. This standard notes that an organization's information technology use may affect any of the five internal control components, which are:

  • The control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring

It is the University's responsibility to comply with the standards and the external auditors' responsibility to validate via their opinion that we are materially compliant with the standards. As you can see, effective information technology controls are critical to the University. If you would like more information, please contact our department.

Top of Page

July 2002


Only you should know your password. If anyone requests your password, even if they identify themselves as authorized to know this information, advise them that you are not permitted to provide your password and immediately advise your supervisor of this request.

Passwords are maintained by systems in a manner that makes them look jumbled (it's called encryption). Once you type in your password to any computer system, it should be encrypted in such a way that no one can undo that encryption. That is because no one needs to know what your password is besides you.


Top of Page

June 2002

Assess your Risks

One approach to establishing a strong internal control environment is to first review your operation and determine your business risks. Business risks are identified in six major categories. Within each business risk category, associated risks exist. There are several questions that can assist you in evaluating whether the business risks have been minimized. These include but are not limited to:

  • Revenues
    • Are we in compliance with revenue policies and procedures?
    • Do we have a current rate approval?
    • Are duties properly separated
    • Are reconciliations completed timely and effectively?
  • Operations
    • Have new strategies or initiatives been evaluated for changes in the control environment?
    • Are we operating efficiently and effectively?
    • Have we experienced personnel changes and are new personnel familiar with policies and procedures?
  • Information Technology
    • Have we evaluated controls associated with new technologies?
    • Do we have procedures to ensure continuity and disaster recovery?
    • Is the technology infrastructure good?
    • Have we made any system changes that have not been evaluated for proper controls?
    • Is the data secure?
  • Regulatory
    • Are we in compliance with federal, state, and other regulatory requirements?
  • Control Environment
    • Do we properly safeguard assets?
    • Are duties properly separated?
    • Are internal controls functioning as intended?
    • Are we in compliance with policies and procedures?
    • Does oversight and monitoring exist?
  • Expenses
    • Are resources properly used?
    • Are approval and reconciliation procedures appropriate?
    • Are duties properly separated?
    • Does oversight and monitoring exist?
    • Are we in compliance with expense policies and procedures?

Top of Page

May 2002

Separation of Duties

One extremely important internal control is to ensure that duties are properly separated. Duties must be divided among different people to reduce the risk of error or inappropriate actions. For example, responsibilities for authorizing transactions, recording them, handling the related asset, and monitoring the activity should be separated. Consider the following when assessing your internal controls and if you recognize that your operation is handling transactions in the manner described, implement changes immediately.

Examples of Inappropriate Separation of Duties

  • An employee submits his/her timecard to the supervisor; the supervisor approves (signs) the timecard and returns it to the employee.
  • A payroll clerk submits his/her timecard to the supervisor for signature; the supervisor approves (signs) and returns it to the payroll clerk for processing.
  • A disbursement clerk authorizes expenditures, records the expenditure, and monitors the ledger activity.
  • One employee collects income (cash, checks, etc), verifies the source of income to the supporting documentation, prepares the required reports, and retains the reports.
  • One employee writes checks, signs checks, and reconciles the bank account.
  • No independent monitoring or reviews of income or expense occur within the operation.
  • One individual makes program changes to the production program and no independent review of the testing or expected results is completed.
  • Reconciliation and monitoring procedures rest with the individual responsible for processing transactions.
  • Checks are signed by the authorized signer and then returned for mailing to the individual responsible for preparing the bank reconciliation or maintaining the ledger. Checks are presigned (signed in blank) and given to the individual responsible for the bank reconciliation or maintaining the ledger.

Please contact us for more examples or if you are uncertain whether duties are properly eparated within your operation.

Top of Page

April 2002

Information Technology (IT) Internal Controls

  • What is internal control?
  • Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives including the reliability of data and reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations
  • Why are internal controls important to you and the University?
  • All staff have a fiduciary responsibility to ensure data integrity
  • Data integrity is critical for all computing systems
  • Data must be protected in accordance with external regulations and University policies and procedures
  • A report generated with unreliable data can lead to poor management decisions
  • Good decisions and future directions are not possible without good information (data)
  • Good control and security implementation within and around a system allows for protection of data (one of the University's most important assets)

Top of Page

March 2002

The Fair Labor Standards Acts -- Know the Law!

The Fair Labor Standards Act (FLSA) establishes minimum wage, overtime, and record-keeping standards for employees who are not exempt from its provisions. As a supervisor, you must know the law and University policies and procedures. Supervisors are responsible for proper monitoring of time and for ensuring that time is properly reported by their staff.

Know the overtime policy and procedures as stated in the Business Procedures Manual:

  • The overtime policy and its regulations apply to the employment of all regular and temporary staff members (including student employees) who work in excess of 40 hours weekly or eight hours daily, except for those who perform work classified as exempt under the Fair Labor Standards Acts;
  • Department heads or their designated representatives authorize overtime when there are increased workloads, emergencies, or work that requires employees with certain skills, training, or experience. To prevent last minute scheduling, supervisors should inform their employees as soon as possible that they are needed for overtime work.
  • Overtime not requested but permitted or condoned by a supervisor must be counted as "worked overtime"; and
  • The University has certain classifications that are monthly paid non- exempt staff. Monthly paid employees who are eligible for the payment of overtime are to be compensated at time and a half for overtime work.

Know employee classifications and if your staff members are eligible for overtime!

Further questions or clarification can be obtained from Human Resource Services-ask them.

The University does NOT tolerate violations of The Fair Labor Standards Act.

Top of Page

January 2002

What occurs during an audit?

Audit Process

Although every audit project is unique, the audit process is similar for most engagements and usually consists of three stages: Preliminary Review, Field Work, and Closure. Through these stages, Internal Audit wants to determine ways to minimize risks and increase efficiencies within your area taking a University system-wide approach.

Preliminary Review

After the decision has been made to audit your area, we gather information about your processes and procedures. We then review and evaluate the existing internal control structure and identify the audit objectives. Finally, we plan the remaining audit steps necessary to achieve the objectives.


The fieldwork involves gathering data and identifying opportunities for continuous process improvement. It is during this phase that we determine whether the controls identified during the preliminary review are operating in the manner you described.


A written report is issued showing the results of the audit steps performed. It will include advice and requests for action as needed based on the results.

Top of Page

January 2002

Risk Element Identification

A step to establishing a strong internal control environment is to review processes and determine what risk elements are contained within the process. Identifying risk elements leads directly to determining control points that can be implemented to help mitigate these risks. Risk elements within processes can include:

Attitude and competency of personnel involved in the process

  • Work performed by newer employees tackling the learning curve may need more thorough reviews Competent employees help reduce risk, but they may be able to "outsmart" the system

Accountability placed on employees

  • Expectations placed on employees and higher levels of accountability should lead to lower risk

Age of processes

  • Newer processes are generally more risky; however, older processes can also be risky if newer technologies or information are not incorporated

Complexity of processes

  • Highly complex processes or systems are generally more risky

Time constraints

  • Activities performed under pressure can be more risky and have the potential formore errors

Top of Page


December 2001

Logical Access Controls

Legitimate system users should be authenticated before they are allowed to use the system, and they should be allowed access only to the data they are authorized to use and then only to perform specific, authorized functions such as reading, copying, and adding to and detecting data. It is also important to protect data from those outside the organization. A favorite electronic espionage tactic is to gain access to a building and plug into an Ethernet jack in the wall and talk to the system. By configuring they system to respond only to hardware that it recognizes, this can be prevented.

To restrict logical access, a system must differentiate between authorized and unauthorized users utilizing what the user knows or possesses, where the user is accessing the system, or by some personal characteristic. Perhaps the most common approach is by what a person knows. For example, the computer could ask users a series of personal questions, such as mother's maiden name. Or users could be asked to enter a personal identification number.

Top of Page

November 2001

Control Activities for University Departments

Each University department can utilize internal controls to assist the organization in the achievement of the following objectives:

  • Effectiveness and efficiency of operations.
  • Reliability of financial reporting.
  • Compliance with applicable laws and regulations.

Suggested internal control activities are:

  • Implement segregation of duties where duties are divided among different people. No one person should have control over all aspects of any financial transaction.
  • Make sure a person delegated approval authority authorizes transactions.
  • Ensure records are routinely reviewed and reconciled by someone other than the preparer.
  • Make certain that equipment, inventories, cash and other property are secured physically, counted periodically, and compared with item descriptions shown on control records.
  • Provide employees with appropriate training to ensure they have the knowledge necessary to carry out their job duties. Make sure University and departmental level policies and operating procedures are formalized and communicated to employees. Documenting policies and procedures and making them accessible to employees helps provide continuity of activities in the event of prolonged employee absences or turnover.

Top of Page

October 2001

Physical Access Controls

Both the physical ability to use computer equipment (referred to as physical access) and the ability to gain access to company data (called logical access) should be restricted.

Hysical access security can be achieved by the following controls:

  • Placing computer equipment in locked rooms and restricting access to authorized personnel only.
  • Having only one or two entrances to the computer room. The entrances should be securely locked and watched carefully by security guards and closed-circuit television monitoring systems.
  • Requiring proper employee identification, such as a security badge, for passage through an access point. Modern security badges incorporate photos and magnetic, electric, or optical codes that can be read only by special readers. With dvancedidentification techniques, each employee's entry and exit may be automatically recorded in a log that is maintained on the computer and periodically reviewed by supervisory personnel.
  • Requiring that visitors sign a log as they enter and leave the site. They should be briefed on company security policies, assigned visitor's badges, and escorted to their destination.
  • Using a security alarm system to detect unauthorized access during off-hours.
  • Restricting access to private secured telephone lines or to authorized terminals or personal computers.
  • Installing locks on personal computers and other computer devices.

Top of Page

September 2001

Self-Assessment of Your Business Office Processes

Evaluating your business office processes is an important step in ensuring strong internal controls. When you evaluate your processes you should look for:

  • Procedures that were not implemented as intended;
  • Proper separation of duties;
  • Internal control points that do not exist anymore (reasons could include staff turnover, changes in processes, new technologies, etc.); and
  • Unnecessary control points that if eliminated or changed, would allow you to realize efficiencies.

More common evaluation methods include:

  • Flowcharting processes;Interviewing personnel involved in processes;
  • Walking through transactions start to finish; and
  • Utilizing questionnaires.

Top of Page

August 2001

Characteristics of Today's E-Commerce World

As opposed to yesterday's in-house computer application system, an E-Commerce application is open to public exposure. It is an extremely complex two-way network. Pushing information out invites outsiders in, and web server systems can be used as launching points for attacks.

Fundamentally, Internet / Web security is a set of procedures, practices, and technologies for protecting web servers, web users, and their surrounding organizations. E-Commerce applications must be protected from 6 major threats.

  • Hacking;
    • intrusion with intent to harm
  • Denial of service;
    • intent to prevent availability
  • Viruses / worms;
    • intent to destroy or 'harass'
  • Disclosure;
    • intent to share information not intended to be shared
  • Sabotage;
    • intent to damage or not to damage for a fee
  • Mimicking;
    • intent to copy with intent to embarrass or defraud

Top of Page

July 2001

Audit Trail

An audit trail is the evidence of actions performed upon data from original documents to final disposition. It is a concrete log of activities and events, either hardcopy or in the form of a computer file, and exists as one document or file or as a collection of documents. The existence of a reliable, easy-to-follow audit trail is considered one indication of good internal control in an organization.

Audit trails are useful for maintaining security and integrity of data and for recovering lost transactions. The purpose of maintaining an audit trail is to ensure the possibility of tracing errors to their source in order to investigate their cause, and to trace the effects of any identified errors on other reports and information items.

It is essential that computer application systems include an audit trail component. An electronic audit trail is a record showing who has accessed a computer system and what operations he or she has performed during a given period of time. An effective electronic audit trail cannot be deleted or altered in any way.

Basic components of an electronic audit trail include:

  • User name
  • Date and time stamp
  • Operation performed or attempted
    • (e.g. ADD, UPDATE, etc.)
  • Subject(s) and object(s) of the operation
    • Old value of data
    • New value of data
  • Status of the operation (completion result)

Top of Page

May 2001

Components of a Secure Server

Business policies, procedures, and practices are critical in ensuring the overall security of servers. From this foundation, additional components include:

Physical Security

  • Access
  • Backup/restore
  • Disaster recovery
  • Electrical power

Logical Security

  • Access controls
  • Firewalls
  • Log maintenance
  • Intrusion detection
  • Separation of duties

Cryptography or Data Encryption

  • Data protection
  • Confidentiality

Top of Page

April 2001

Business Risks and Associated Risk Elements

Business risks for operations typically include revenues, regulations, operations, control environment, information technology, and expenses. It is important to know your business risks and the associated risk elements within each business risk.

Associated risk elements within each business risk include:


  • Compliance with policies and procedures
  • Recording in accordance with the fund purpose


  • Legal liability
  • Federal, state, and other regulatory requirements


  • Efficiencies and effectiveness
  • Communications and complex interactions

Control Environment

  • Safeguard access
  • Compliance with policies and procedures
  • Oversight and monitoring

Information Technology

  • New technologies and infrastructure
  • Safeguarding data and data integrity


  • Proper use of resources and relationships with outside entities
  • Compliance with policies and procedures

Top of Page

March 2001

Internal Controls

What is internal control? Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives including reliability of data andreporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

Why are internal controls important to you and your organization?

  • All staff have a fiduciary responsibility to ensure data integrity. Data integrity is critical for all computing systems and must be protected in accordance with external regulations and internal policies and procedures. A report generated with unreliable data can lead to poor management decisions. Good decisions and future directions are not possible without good information (data). Good control and security implementation within and around a system allows for protection of data (one of the organization's most important assets).

Top of Page

February 2001

Application Security

There are certain specifications that should always be considered and clearly defined when designing or purchasing a system. These include:

  • Data Integrity - Performance measure based on the rate of undetected errors/preservation of programs or data for their intended purpose (i.e., audit trails, access control);
  • Authentication - The act of verifying the identity of a user and the user's eligibility to access computerized information. Designed to protect against fraudulent logon activity (i.e., access control);
  • Non-Repudiation - The user cannot later deny performing a specific transaction (i.e., audit trails);
  • Confidentiality - Protection against unauthorized access to data (i.e., access control, authorization procedures); and
  • Availability - The system is available during normal operational hours (i.e., server security).

Top of Page

January 2001

Web Server Security

Web servers are vulnerable to attack and make attractive targets since they may contain files with sensitive financial and proprietary information and effectively bridge an organization's internal and external networks.

A properly secured web server offers only two TCP/IP services to the outside world: HTTP on port 80 and HTTP with SSL on port 443. Your web server is one of the most likely computers to be compromised by an outside attacker. It is visible and available so don't allow any sensitive financial and proprietary information to reside on this server!

Top of Page


December 2000

Effective Written Communication

Effective communication is an important component of good internal controls. Statistics show that, based on visual design, a person decides in 10 seconds if they want to read a document, and 65% only read the summary of a business report. Clear, concise communication will increase readability and help eliminate misunderstandings.

Steps to Effective Written Communication

  • Focus on the reader. Describe your audience, define your purpose and message, and organize your thoughts;
  • Write to express, not to impress. Draft your report and summarize in one sentence what you want to say. Be objective, avoiding negative language and eliminating repetitions. Use "plain English," active voice, and shorter paragraphs; and
  • Proof your work. After taking a break, do a final review of the document.

Top of Page

November 2000


A known fact in today's business environment is "change." Operational changes, business process changes, and system changes are but a few of the changes we experience on a daily basis. It is important to remember that the internal control environment changes when other business processes change. For that reason, the evaluation of the internal control environment is an on-going process versus a static process.

For more information on assessing internal controls in your business operation, please contact us at 47588.

Top of Page

October 2000

Security Administration

Security administration begins with management's commitment. Management must understand and evaluate security risks. Written policies clearly stating standards and procedures should be developed and enforced. Security administration functions include:

  • Maintaining access rules to files and resources;
  • Maintaining security and confidentiality over the issuance and proper maintenance of authorized user identifications and passwords;
  • Monitoring security violations and taking corrective action to ensure that appropriate security is provided; and
  • Periodically reviewing, evaluating, and updating the security policy.

Top of Page

September 2000

LAN Security

LANs facilitate the storage and retrieval of programs and data used by a group of people. LAN software and practices, if properly implemented, provide security for these programs and data; however, most LAN software default settings provide only a low level of security. The LAN security provisions available depend on the software product, product version, and implementation. Commonly available network security administration capabilities include:

  • Declaring ownership of programs, files, and storage;
  • Limiting access to read-only;
  • Implementing record and file locking to prevent simultaneous update; and
  • Enforcing user ID/password login procedures.

Sensitive data in a LAN environment should be password protected, encrypted, or stored in an area with higher file security than the common user access allows.

Top of Page

August 2000

Financial Statement Presentation and Management Assertions

Based on Statements on Auditing Standards

Financial statement presentation requires specific management assertions. Assertions are management's representations that are contained in financial statement components. They are classified according to the following categories:

  • Existence or Occurrence: Do the assets or liabilities exist?
  • Completeness: Are all transactions and accounts that should be presented in the financial statement included?
  • Rights and Obligations: Does the entity have the right to the asset and are the liabilities an obligation of the entity?
  • Valuation or Allocation: Have assets, liabilities, equity, revenue, and expenses been included at appropriate amounts? And
  • Presentation and Disclosure: Are components properly classified and disclosed?

Top of Page

July 2000

Password Security

While user IDs control system access, passwords are the most common form of user authentication. Basic control elements that are critical to ensuring proper access and accountability include:

  • Adhering to University policy not to share your password with someone else;
  • Protecting your password from unintentional release;
  • Memorizing your password (do not write it down);
  • Making your password more difficult to guess by adding numbers and special characters; and
  • Creating a password that is unknown by others (do not use the names of children, friends, pets, date of birth, telephone number, dictionary words, etc.).

Remember, careful use of your password protects both you and the University's systems.

Top of Page

June 2000

Understanding the Control Environment

Statements on Auditing Standards (SAS) Number 78, requires auditors to obtain an understanding of internal controls. The control environment sets the tone of an organization and includes integrity and ethical values, commitment to competence, board of directors or audit committee participation, management's philosophy and operating style, organizational structure, assignment of authority and responsibility, and human resource policies and practices.

Since electronic mail is gradually replacing conventional paper mail, it is important to know the security risks involved. E-mail messages are fairly easy to intercept and scan for key words. This can be done routinely, automatically, and undetectably on a large scale. Unless an e-mail message is encrypted prior to being sent, it will travel through potentially hundreds of servers and be accessible on all of them.

Top of Page

May 2000

Protecting Sensitive Information

In addition to protecting sensitive information on your workstations and network, you should also protect sensitive information that goes outside the control of your organization. Examples of sensitive data include credit card information, student information, and some personnel information.

Since electronic mail is gradually replacing conventional paper mail, it is important to know the security risks involved. E-mail messages are fairly easy to intercept and scan for key words. This can be done routinely, automatically, and undetectably on a large scale. Unless an e-mail message is encrypted prior to being sent, it will travel through potentially hundreds of servers and be accessible on all of them.

Top of Page

April 2000

Fair Labor Standards Acts -- Know the Law!

The Fair Labor Standards Act (FLSA) establishes minimum wage, overtime, and record-keeping standards for employees who are not exempt from its provisions. As a supervisor, you must know the law and University policies and procedures. Supervisors are responsible for proper monitoring of time and for ensuring that time is properly reported by their staff.

Know the overtime policy and procedures as stated in the Business Procedures Manual:

  • The overtime policy and its regulations apply to the employment of all regular and temporary staff members (including student employees) who work in excess of 40 hours weekly or eight hours daily, except for those who perform work classified as exempt under the Fair Labor Standards Acts;
  • Department heads or their designated representatives authorize overtime when there are increased workloads, emergencies, or work that requires employees with certain skills, training, or experience. To prevent last minute scheduling, supervisors should inform their employees as soon as possible that they are needed for overtime work. Overtime not requested but permitted or condoned by a supervisor must be counted as "worked overtime"; and
  • The University has certain classifications that are monthly paid non-exempt staff. Monthly paid employees who are eligible for the payment of overtime are to be compensated at time and a half for overtime work.

Know employee classifications and if your staff members are eligible for overtime! Further questions or clarification can be obtained from Personnel Services-ask them.

The University does NOT tolerate violations of the Fair Labor Standards Act.

Top of Page

March 2000

Understanding Domain Names and Trademarks

With the growing number of new web sites comes potential conflict with established web sites regarding domain names and trademarks. Infringements or unauthorized use of a domain name or trademark can result in legal recourse. It is important to understand the definitions and their differences.

Domain Name:

  • A unique name that identifies an internet site;
  • A name by which a company or organization is known on the internet;
  • Often established on a first-come, first-served basis;
  • Registration of a domain name does not have trademark status;
  • Wise to obtain a trademark registration immediately upon registering a domain name; and
  • Responsibility of the company to determine that their domain name is not infringing upon the rights of a third party.


  • Any word, name, symbol, device, or any combination thereof that identifies the source of goods or services, whether or not they are registered;
  • Conduct searches before use and registration of a trademark as a domain name to ensure that an infringement has not occurred;
  • Registration does not mean ownership; and
  • Trademark metatags are an infringement.

Top of Page

February 2000

Digital Signatures

As use of the Internet for business purposes increases, so does the need for establishing proper identification and authentication of the parties involved. The use of digital signatures may provide the assurances we need.

What is a digital signature?

A digital signature is an electronic signature formed using two related keys a public key and a secret or private key and is frequently regarded as the electronic equivalent of handwritten signatures. The objectives of digital signatures are to allow the recipient to prove the identity of the sender and assure the integrity of the data being transferred.

What are some legal considerations?

  • Proving the integrity and origin of the data and ensuring that they can be verified by a third party (non-repudiation);
  • Establishing an infrastructure that supports legal considerations;
  • Recognizing that legal jurisdictions may not acknowledge the technique of another, e.g., Indiana may differ from Illinois; and
  • Verifying reliability of the certification authority (the third party).

Top of Page

January 2000

Enforcing Controls

If employees are to accept controls willingly, they should understand what the controls are seeking to do and their responsibility in relation to the controls. When discussing responsibility, it is important to communicate the objective as well as the action required to obtain the objective. When lack of communication occurs, the following problems can develop:

  • Controls are perceived as unreasonable, creating apathy among the employees;
  • Controls are considered useless and, therefore, ignored; and/or
  • Sloppy application of controls occurs.

Educate personnel and then ask employees for feedback. When training and feedback are embraced by the organization, a team environment is created and employees are vested in the success of the control environment.

Top of Page


December 1999

Factors That Can Adversely Affect Control

Two essential components of control are execution of control procedures at the operating level and clear direction from top management. Despite knowledge of control procedures, employees at any level can effectively destroy a potentially adequate control system. Factors that can adversely affect control and segregation of duties include:

  • Controls in place but not effectively used;
  • Inefficient controls established;
  • System in place but not being used;
  • Access to assets not strictly controlled; and/or
  • Lack of controls.

A periodic review of company controls is crucial, giving consideration to the above factors. Engage in discussion with personnel at the operating level as well as top management to receive feedback on your current policies.

Next month, Enforcing Controls.

Top of Page

November 1999

Separation of Duties

Duties are incompatible if one person can perpetuate and conceal errors and irregularities while performing day-to-day activities. If the same person is the originator and reviewer of a document or transaction, no real protection against errors exists. Consider the following controls in authorization, custody, and accounting to ensure segregation of duties:

  • Assign specific responsibilities within the revenue, income-producing, or review cycle to different individuals;
  • Involve an independent third party as a check;
  • Cross-train individuals who perform no incompatible duties to cover for vacation periods; and
  • Conduct periodic checks for circumvention of existing controls.

Even with an efficient checks and balance system in place, adequate control systems can be destroyed. Next month we will discuss factors that can adversely affect control and segregation of duties.

Top of Page

October 1999

Internal Controls and Separation of Duties

Implementation of effective internal controls is the responsibility of the department and is shared throughout the University. Controls are designed to protect the University against losses caused by outsiders or caused by internal embezzlement, inefficiencies, ornegligence and carelessness. Controls are designed to protect innocent people. Controls typically fall into the following five categories:

  • Adequate separation of duties
  • Proper procedures for authorization
  • Adequate documents and records
  • Physical control over assets and records
  • Independent checks on performance (quality assurance reviews)

The review of an internal control environment is on going in nature. As processes and eople change, the control environment also changes. Be aware when changes have ccurred and reevaluate the internal control environment. The Internal Audit Office would be happy to assist you in this review process.

Top of Page

September 1999

Network Dial-in Security

It is possible to break network security using dial-in modems. Without dial-in controls, a caller can dial in and try passwords until they gain access. Once in, they can hide destructive pieces of software, pass to other networks, and steal data. To minimize the risk of unauthorized dial-in access:

  • Remote users should never store their passwords in plain text login scripts;
  • Portable PCs should be protected by physical keys and/or BIOS based passwords in case dial-in scripts or sensitive data may be stolen;
  • Dial-back modems should be used to call back only authorized remote users; and
  • One-time password generator devices should create a unique password for eachlogin to the system.

Top of Page

August 1999

Environmental Controls

As with physical security vulnerabilities, environmental vulnerabilities to data centers could result in serious losses to an organization. Environmental controls reduce the risk of disruption of business activity. Items to control and monitor include air quality, electrical power, and ground and atmospheric conditions. Examples of common environmental controls include:

  • Water detectors - in the computer room, should be placed under raised floors and near drain holes even if the computer room is on high ground.Hand-held fire extinguishers - should be strategic locations throughout the facility and inspected annually.
  • Smoke detectors - should be above and below the ceiling tiles throughout the facility. Detectors should produce an audible alarm as well as be linked to a monitored station.
  • Fire suppression systems - designed to automatically activate immediately afte detection of high heat typically generated by fire. Like smoke detectors, the system should produce an audible alarm and be linked to a central station that is regularly monitored.
  • Uninterruptible Power Supply (UPS) system - continues to provide electrical powerto the computer from a certain length of time in the event of a power failure. Most UPS systems also "cleanse" the power to ensure wattage to the computer remains consistent.
  • Prohibit eating, drinking, and smoking within the Information Processing Facility.

Top of Page

July 1999

Physical Data Center Controls

Physical security vulnerabilities to data centers could result in financial loss, legal repercussions, loss of credibility, or loss of competitive edge. Physical access controls are designed to protect the organization from unauthorized access. These controls should limit access to only those individuals authorized by management. Examples of some of the more common access controls are:

  • Bolting door locks -- These locks require the traditional metal key to gain entry. The key should be stamped "do not duplicate."
  • Combination door locks (cipher locks) -- This system uses a numeric keypad or dial to gain entry. The combination should be changed on a regular basis or whenever an employee with access is transferred, fired, or subject to disciplinary actions. This reduces the risk of the combination being known by unauthorized people.
  • Electronic door locks -- This system uses a magnetic or embedded chip based plastic card key or token entered into a sensor reader to gain access. A special code internally stored in the card or token is read by the sensor device that then activates the door locking mechanism.
  • Biometric door locks -- An individual's unique body features, such as voice, retina, fingerprint, or signature, activate these locks. This system is used in instances when extremely sensitive facilities must be protected, such as in the military.

Other methods include photo IDs, video cameras, security guards, escorted/controlled visitor access, dead man doors (two doors that only allow entry by one person at a time), terminal locks, and alarm systems.

Top of Page

June 1999

Web Page Liability

There are several ways you can be legally liable for content of your web pages. The University or you personally could be held liable if: Your web page:

  • Contains someone else's copyrighted material or trademark without permission;
  • Links to another page that contains someone else's copyrighted material or trademark without permission;
  • Presents fraudulent advertising; orPublishes defamatory statements.

You could also be liable for misuse of information gathered via your web page or cookies (sent or received by your web page).

Top of Page

May 1999

Workstation Security (Part II)

As presented in the November 1998 tip, workstation security can pose a large risk to data security. Any time a user leaves a workstation while it is logged into an application or just a network, it offers an opportunity for someone else to use that workstation and account to alter or view Purdue University data. Supervisory staff should take a role of "security officer" in their areas by the following:

  • Make sure all users are aware of their security responsibilities;
  • Randomly check workstations when no user is present to ensure that the workstation was either automatically locked (via a screen saver with password) or manually locked by the user; and
  • If the workstation is not locked, then any open applications should be noted to evaluate the risk of someone tampering with the data and the user should be reminded of their security duties.

Top of Page

April 1999


The year 2000 is a problem affecting all University academic, research and administrative units. Efforts should be made to identify systems and processes that fall under the classification of "high priority". High priority systems and processes are those which if they failed could cause:

  • A shut down of University operation, or hamper significant portions of research or instructional activities;
  • Health hazards to individuals;
  • Loss of revenue (students, state, government investments, contracts, grants, services, etc.) orSignificant litigation expenses or losses.

If you have issues or concerns that you feel need further review or discussion, please contact the Internal Audit Office.

Top of Page

March 1999

Procurement Card Purchase Controls
(Reference the Purdue University Departmental Purchasing Card Handbook)

Assess the control environment by asking the following questions regarding segregation of duties:

  • Is the person making purchases different than the person who is approving the purchases?
  • Has the person approving the purchases been granted comptroller authority?
  • Is the person performing the reconciliation different than the person who is purchasing and approving the purchases?
  • Is the review and approval of the reconciliation, supporting documentation, and ntramural approval performed independently of the procurement function?

Top of Page

February 1999

Year 2000 Readiness

Ask the following questions:

  • Have we identified all computer software and hardware and date sensitive embedded systems that may not be Year 2K compliant?
  • Have we taken action to "fix" these systems either by replacement or code changes?
  • Have we developed written contingency or backup plans in the event that "fixes" do not work as planned or we do not identify the date sensitive embedded systems?

Top of Page

January 1999

Internal Controls

Some employers estimate that as much s $40 billion is misappropriated annually by employees from their employers.1 Unfortunately, nonprofit organizations are not immune toemployee defalcation.

Developing strong internal control procedures is essential to deterring internal theft. One of the most important controls is ensuring that no single individual has absolute control without proper or adequate oversight. Circumstances or events that may cause the rganization or operation to be vulnerable include:

  • Lack of control consciousness;
  • Opportunity; and
  • Motivation.

Good internal controls are essential over cash, accounts receivable, inventory, purchasing functions, and payroll and personal expenses. Remember, the important elements of internal controls include information, communication, and monitoring of the internal control systems.

1 Nonprofit Controller's Manual

Top of Page


December 1998

Benefits of Control:

  • Internal controls are a positive means of helping managers and their staffs achieve objectives and goals. Good controls protect the organization and the employee. One basic control is comparing actual outcome with those planned.
  • Operating standards are also key to the control environment. They establish the kind of performance expected and are quantitative results. Ongoing review of the ontrol amount is necessary to ensure that controls do not become obsolete as changes are made in the operation and to operating standards.

Top of Page

November 1998

Workstation Security:

Workstation security can pose a large threat to data security. Even if all possible precautions are taken in choosing and protecting a password, an account can still be ulnerable if the user remains logged in while away from their computer. Someone could use that computer to change University data, and the transactions would list the account owner as the responsible party. They could also use that computer to look up sensitive information that would normally be unavailable to them. To avoid this problem:

  • Log out of all accounts while away from the computer;
  • Use the screen saver password option and set the screen saver delay to just a few minutes. Use the same principles for selecting a screen saver password that are used to select all other passwords.

Top of Page

October 1998

Password Security:

While the user ID controls system access, passwords are the most common form of user authentication used in information technology. There are basic control elements that are critical to ensuring proper access and accountability.

  • It is against University policy to share your password with someone else;Protect your password from unintentional release;
  • Never write your password down, and never display it where it is accessible to others;
  • Never use a password that is information known by others, i.e., the names of children, friends, pets, date of birth, telephone number, dictionary words, etc.

Remember, careful use of your password protects both you and the University's systems.

Top of Page

September 1998

Audit Suggestions:

Control (Defined)
The policies, procedures, and practices designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Control Evaluator
Evaluate the following five factors in terms of operational, financial, and compliance implications.

Control Environment: The core of any business is people and their attributes. Attributes nclude integrity, ethical values, and competence and the environment in which they operate.

Risk Assessment: Objectives of operations must be reviewed and mechanisms must beestablished to identify, analyze, and manage the related risks.

Control Activities: Control policies and procedures must be established and executed to ensure that risks are addressed and the entity's objectives are achieved.

Monitoring: Processes must be monitored and modifications made where necessary.

Information & Communication: Information and communication systems enable the capture and exchange of information needed to conduct, manage, and control its operations.

No Tip posted in August

Top of Page

Feedback | E-mail Webmaster
Maintained by: Purdue Marketing and Media

Purdue University, West Lafayette, IN 47907
(765) 494-4600, E-mail: marketing@purdue.edu
© 2010 Purdue University | An equal access/equal opportunity university | Copyright Complaints
If you have trouble accessing this page because of a disability, please contact Purdue Marketing and Media at marketing@purdue.edu.