Audits, Internal Control, and Business System Security
Welcome to the CFO Business and Finance Policy Office Open Comment Blog!
The Office of the Vice President, Chief Financial Officer & Comptroller announces an open comment period, beginning March 11th and closing March 20th at 5 p.m. CT, to present updates and additions to policies and procedures relating to audits, internal controls, unit head responsibilities for internal controls, segregation of duties, FCIAA, and business financial information security.
These changes impact Section 9 Audits and Internal Control and Section 19 Business Systems Access and Security of the Business and Financial Policies and Procedures Manual. The proposed policies are being presented as Section 9 - Audits, Internal Control, and Business System Security. These changes are proposed as part of the short- and long-term solutions identified during the Internal Controls Review: Procurement, Payment & Asset Accounting Systems Access and Procedures project.
Specific role combinations will not be listed in the policy; however, the policy and procedural changes presented in this open comment period will support related efforts by the System Offices to mitigate the risk associated with deficient segregation of duties and improper role combinations. Specifically, the security role combinations that create high levels of risk include:
- iBuy Requestor & FABweb Unit Rep, Unit Contact, Unit Head or Unit Specialist
- iBuy Approver & FABweb Unit Rep, Unit Contact, Unit Head or Unit Specialist
- Banner Department Manager or Banner Department Requestor with FABweb Unit Rep, Unit Contact, Unit Head, or Unit Specialist
- P-Card Cardholder and FABweb Unit Rep, Unit Contact, Unit Head, or Unit Specialist
Highlights of these policy and procedural changes include:
- Strengthening language and defining segregation of duties expectations to clarify that responsibilities must be divided among different employees to ensure segregation of duties throughout the business process, especially those tasks related to authorization, record keeping, and asset custody.
- Affirming that proper segregation of duties prevents identified inappropriate business system role combinations that create high levels of risk.
- Clarifying internal control requirements that unit heads must follow as part of their responsibilities, and
- Formatting and consolidating to combine duplicative information and streamline the internal control information.
Please review the policy by downloading the PDF document below and provide feedback.
Section 9 - Audits, Internal Control, and Business System Security (PDF)
To leave feedback, please use the "Add Comment" link below. On the next screen, choose the "Sign in with my NetID" option and log in with your University credentials.
You may also submit a comment without posting to the feedback board by contacting email@example.com.