Internal controls ARE susceptible to being compromised. There are many circumstances where internal controls
are weakened or compromised. A few of the most common ones are mentioned below.
Ignorance/inadequate knowledge of University policies -
- The University is dynamic in nature; therefore, old policies may be modified or replaced.
Employees should stay alert to changes in policy, Institutional policies.
Segregation of Duties: In a perfect internal control environment (no such thing), an individual should not
perform more than one of the following activities:
- Record Keeping.
Some common examples are:
- Individuals who can authorize purchase orders should not be capable of processing
payments, receiving goods or services, or keeping inventory records.
- The person who checks the mail should not be able to prepare the deposit and record
the payment to customer accounts.
- A person who prepares the payroll voucher should not distribute or have custody of
the payroll checks.
- A person who inputs employee time into the payroll system should not have write access
to the payroll master file.
Unrestricted Access to Assets:
- Shared passwords or no passwords.
- Unlocked offices, data center.
- Unsecured cash or procurement cards.
- Open access (read/write) to computer systems.
- Making exceptions to established policies and procedures can be a major risk. There
are times when exceptions are necessary (no exceptions to law): however in those instances
they must be well documented and monitored.
Form over Substance:
- Approving documents without proper review - A departmental supervisor signs a time
sheet for an employee, but if the supervisor does not have assurance that the supporting
time records are accurate, the approval process lacks substance.