Skip navigation

Office of Internal Audit

Can an Internal Control be Compromised?

Internal controls ARE susceptible to being compromised. There are many circumstances where internal controls are weakened or compromised. A few of the most common ones are mentioned below.

Ignorance/inadequate knowledge of University policies -

  • The University is dynamic in nature; therefore, old policies may be modified or replaced. Employees should stay alert to changes in policy, Institutional policies.

Segregation of Duties: In a perfect internal control environment (no such thing), an individual should not perform more than one of the following activities:

  • Authorization.
  • Custody.
  • Record Keeping.
  • Reconciliation.

Some common examples are:

  • Individuals who can authorize purchase orders should not be capable of processing payments, receiving goods or services, or keeping inventory records.
  • The person who checks the mail should not be able to prepare the deposit and record the payment to customer accounts.
  • A person who prepares the payroll voucher should not distribute or have custody of the payroll checks.
  • A person who inputs employee time into the payroll system should not have write access to the payroll master file.

Unrestricted Access to Assets:

  • Shared passwords or no passwords.
  • Unlocked offices, data center.
  • Unsecured cash or procurement cards.
  • Open access (read/write) to computer systems.

Control Override:

  • Making exceptions to established policies and procedures can be a major risk. There are times when exceptions are necessary (no exceptions to law): however in those instances they must be well documented and monitored.

Form over Substance:

  • Approving documents without proper review - A departmental supervisor signs a time sheet for an employee, but if the supervisor does not have assurance that the supporting time records are accurate, the approval process lacks substance.