blog navigation

Open Comment Blog

blog posts

  • Open Comment Period: March 11 - March 20, 2020

    Mar 11, 2020 8:30 am by CFO Business and Finance Policy Office

    Audits, Internal Control, and Business System Security

    Welcome to the CFO Business and Finance Policy Office Open Comment Blog!

    The Office of the Vice President, Chief Financial Officer & Comptroller announces an open comment period, beginning March 11th and closing March 20th at 5 p.m. CT, to present updates and additions to policies and procedures relating to audits, internal controls, unit head responsibilities for internal controls, segregation of duties, FCIAA, and business financial information security.

    These changes impact Section 9 Audits and Internal Control and Section 19 Business Systems Access and Security of the Business and Financial Policies and Procedures Manual. The proposed policies are being presented as Section 9 - Audits, Internal Control, and Business System Security. These changes are proposed as part of the short- and long-term solutions identified during the Internal Controls Review: Procurement, Payment & Asset Accounting Systems Access and Procedures project.

    Specific role combinations will not be listed in the policy, however, the policy and procedural changes presented in this open comment period will support related efforts by the System Offices to mitigate the risk associated with deficient segregation of duties and improper role combinations. Specifically, the security role combinations that create high levels or risk include:

    • iBuy Requestor & FABweb Unit Rep, Unit Contact, Unit Head or Unit Specialist
    • iBuy Approver & FABweb Unit Rep, Unit Contact, Unit Head or Unit Specialist
    • Banner Department Manager or Banner Department Requestor with FABweb Unit Rep, Unit Contact, Unit Head, or Unit Specialist
    • P-Card Cardholder and FABweb Unit Rep, Unit Contact, Unit Head, or Unit Specialist

    Highlights of these policy and procedural changes include;

    • Strengthening language and defining segregation of duties expectations to clarify that responsibilities must be divided among different employees to ensure segregation of duties throughout the business process, especially those tasks related to authorization, record keeping, and asset custody.
    • Affirming that proper segregation of duties prevents identified inappropriate business system role combinations that create high levels of risk.
    • Clarifying internal control requirements that unit heads must follow as part of their responsibilities, and,
    • Formatting and consolidating to combine duplicative information and streamlining the internal control information.

    Please review the policy by downloading the PDF document below and provide feedback.

    Section 9 - Audits, Internal Control, and Business System Security (PDF)

    To leave feedback, please use the "Add Comment" link below. On the next screen, choose the "Sign in with my NetID" option and log in with your University credentials.

    You may also submit a comment without posting to the feedback board by contacting obfspolicies@uillinois.edu.

     

    stats

    • 79 Views
    • 6 Comments

    additional actions

    Comments are closed

    Comments

    jlmitch1@illinois.edu Mar 18, 2020 10:05 am

    Smaller units will feel the most direct impact of this policy as written.  While every attempt is made to make sure segration of duties is maintained, with the limitations listed here, it would most certainly require adding more staffing which for most units simply cannot be done.  Smaller units, if possible, when complete segregation cannot be achieved in the purest sense have implemented internal unit controls so that no one person can be in all of the roles of purchasing, receiving, and reporting assets without having other outside approvals from supervisors, PI's or shared services personnel. 

    Still speaking to smaller units, positions such as these most likely report up through one supervisor.  This would limit the supervisor from assisting them with learning their positions from hands on type processes.  Having the ability for staff to back each other up in times of absence would be greatly hindered by protocols with these limitations.

    psmorris@illinois.edu Mar 17, 2020 2:12 pm

    I understand the intent of the policy and agree with the need to separate certain duties.  However, the requirement to separate purchasing authority from inventory related authority is very counterproductive for many units.  Some units are just too small and may not have the personnel necessary to do this.  In other cases even in medium sized units, typically the person handling purchasing is the same peron that handles receiving and assigning property tags to new equipment. Disruption of that business process will inherently result in further delays in adding/updating Fabweb records, or may even cause them not to be done.  In my opinion the tradeoff in protecting misuse by a few individuals (if it may occur) is too much great when compared to cost savings and more accurate records by not requiring separation of these duties.

    sthomas8@illinois.edu Mar 13, 2020 9:59 am

    I understand the need segregate certain roles.  I am in an academic department that serves close to 1,500 students and has close to 100 employees (faculty/staff). Here's the issue I am facing:

    --Currently, Person A buys the item.

    --Person B Approves in Buy (or reconciles P-Card)

    --Person C (me) is also fund manager and backup approver in iBuy and also approves P-card.  This allows me to have a check on person A's purchase that Person B reconciled or approved.

    --I can make it so Person D receives the item and enters it in FabWeb (FabWeb Rep). 

    Problems: Person C (me) currently has a FabWeb Approver/Unit Contact role.  This allows me some oversight when the FabWeb Rep wants to make a transfer or surplus an item.  I would have to give up this role.

    If I then make person E the FabWeb Contact/Approver, then person E is an HR person that's extremely busy where I would have to add something to her plate not in her job decription.  Person E is also a P-Card holder.  I would have to take the P-Card away, and would lose a purchaser.

    Person D is also currently a purchaser.  I would have to take away her capabilities to use P-Card or iBuy.

    I would then only have Person A and Person F with purchasing abilities.  The next problem is that Person F has also taken on new projects.  She's historically been a backup purchaser.  Now, purchasing burdens fall on persons A and F (as opposed to what we have at present where A, D, E, F all have some capability).

    Most of of the purchases that persons A, D, E, and F make are NOT inventory or equipment.  I'd estimate that 90% of their purchases are supplies, items under 1,000, and purchases for faculty that support research and events (paper submissions, memberships, conference fees, advertising, continuing education fees, etc.).

    What would make the most sense is if Persons D and E could still be P-Card/iBuy requestors, but that Persons B and C simply don't permit them to buy anything over 1,000.   Meanwhile, we could run some reports or provide additional documentation to our Unit Head (Person G) to have some independent verification.  

    Also, I worry about the risk if Person C (me) has to give over FabWeb oversight to person E.  If I'm not making the iBuy/P-Card purchase and then it's being approved by someone else, then why can't I also be the FabWeb contact and approve transfers/surplus? I feel like this would impede my oversght role rather than help it.

    I'd add...I have a crew of 6 (counting me), plus our Unit Head.  I feel like if I'm having trouble, then smaller units will struggle more.   

    I'll add this: Because we're an academic unit, we have some staff on the student services side that could potentially have a role, but then we face the issue of academic advsiors and admissions staff getting into this process when they are not suited to help with inventory or the controls around it.  And, they themselves are busy with serving students.

    Next, Persons D and E have T-Cards, which aren't affected under the proposal.  However, if you ever go to a "one card" syetem, then we'd have more challenges with purchasing.  

    Finally, there was mention that some areas potentially looking at some centralization (for instance, Colleges taking on FabWeb roles if academic units have purchasing roles).  The problem I see with that is then the College has to keep track of a lot more, and that seems like it could get overwhelming and cause a different risk.

    Thanks for considering this comment (which turned into a novel)!

     

    astew5@uis.edu Mar 12, 2020 10:10 am

    While I understand the minimal risk involved with these role combinations, in some cases separating the roles will be difficult due to the size of some units and its staffing restrictions. 

    Currently, if an iBuy requestor purchases an item in iBuy, it is approved by a different individual as is the same with P-card purchases.  Likewise, I believe items entered in FabWeb are approved by a second person within the unit.  FabWeb Unit Heads rarely have ibuy or p-card access. 

    Prohibiting these role combinations seems extreme to just ensuring there are adequate checks and balances.

    bpesc2@uis.edu Mar 12, 2020 9:58 am

    Regarding "segregation of duties and improper role combinations" -

    Consideration of who can hold some of these roles OUTSIDE of a Unit might be wise.

    For a small department who has

    • an employee who leaves and whose position is not filled for a period of months
    • AND who then has another employee on leave for a period of seveal months,

    it becomes impossible to segregate duties unless someone outside of the department is able to take on some of those roles. Even then, if the Unit has a limited administrative staff, the choice of a person to act as a "backup" or alternate for these positions is also limited.

    bct@uic.edu Mar 11, 2020 3:50 pm

    I don't quite understand this.

    Mostly, I don't understand how the various role combinations are presented.

    Are you saying that each one of those is a complete list of combinations that should be avoided? Or are you saying that any subset of each of those lists is a risk?

    At the same time, I think it is a good idea to clarify language and reduce redundancy.  Segregation of duties is an important issue so explanations should be clear and understandable.