RISKS | CONTROLS | COMPLIANCE ALERT

Volume 4 | Issue 1 | January – March 2023

“Lock it down, ensure compliance, and segregate your
duties to minimize threats and maximize effectiveness”

IN THIS ISSUE

GETTING AHEAD OF THE CURVE:
NEW YEAR, SAME THREATS!

RECENT SUCCESS:
COMPLIANCE WITH RESEARCH TRAINING AND POLICY DEVELOPMENT RESULTED IN NO ADVERSE AUDIT FINDINGS FOR ORED.

INTERNAL CONTROL:
ARE INCOMPATIBLE DUTIES SEGREGATED?

GETTING AHEAD OF THE CURVE –
NEW YEAR, SAME THREATS!

As the new year begins, cybersecurity remains a top concern for academic institutions. In 2022, more than 200 government, education, and healthcare organizations in the United States fell victim to ransomware alone. Forty-four (44) universities and colleges were among the group impacted (www.emsisoft.com). According to Tech Republic, cyber threats facing organizations in 2023 include ransomware, phishing, supply chain vulnerabilities, and cloud security.

At FIU, the IT personnel in each business unit play an important role in configuring and maintaining the secure systems that shape the University’s cybersecurity posture. However, all employees (i.e., executive management, faculty, and staff) and students play a vital role in cyber defense, whether by adhering to or assisting in the enforcement of security policies, promptly notifying IT of any security or configuration issues, or maintaining awareness of cyber threats through annual security awareness training.

Below are steps that each business unit can take to play its part in keeping FIU safe:

The threat of cyberattacks is continuously present. Understanding that all members of the FIU community play an important role in fending off this threat is an important first step. Business unit leaders, managers, supervisors, and IT personnel should take the lead in ensuring that appropriate steps are taken to reduce the risk of a successful cyberattack occurring at the University. This can be achieved by being vigilant and following the steps outlined above.


RECENT SUCCESS –
COMPLIANCE WITH RESEARCH TRAINING AND POLICY DEVELOPMENT RESULTED IN NO ADVERSE AUDIT FINDINGS FOR ORED

In a recently published internal audit report that focused on the processes the Office of Research and Economic Development (ORED) has implemented to ensure compliance with research training and policies, it was noted that for FY 2021, FIU received more than $310 million in awarded research funding, submitted 107 invention disclosures, and filed 74 U.S. patent applications. These achievements help FIU to maintain its R1 status.

The audit report also highlighted a few additional achievements. For one, the auditors reported no adverse findings. This is a commendable achievement and speaks to the efforts the staff of ORED, the Office of Compliance and Integrity, the Office of the General Counsel, faculty, and researchers have put into ensuring compliance with training and policy development requirements. At the time of the audit, ORED had 57 research-related policies, and the auditors specifically reported that ORED has effective process controls for creating and maintaining research-related policies and ensuring research-related training is adequate and completed timely.

The report cites the following as support for the auditor’s conclusions:

  • A comparison of FIU’s research-related policies and other selected universities in Florida’s State University System found ORED’s policies to be comparable to its peers.
  • ORED’s process for monitoring policy violations, including how violations are received and documented, was determined to be adequate.
  • ORED’s research-related policies were enacted in accordance with University policy development and adoption protocol, and were reviewed timely and communicated adequately.
  • ORED’s research-related policies and research-related trainings addressed key risks and adhered to pertinent federal and state regulations.
  • Required research trainings were completed prior to researchers working on their projects.
  • A comparison of research-related trainings among FIU and other selected universities in Florida’s State University System found ORED’s trainings to be comparable to its peers.

With these achievements, we congratulate ORED for a job well done and take this time to recognize their efforts as an example of a recent success. You can find the full internal audit report here. Further, information about FIU’s policies and procedures development process can be found here.


INTERNAL CONTROLS – ARE INCOMPATIBLE DUTIES SEGREGATED?

Introduction
Effective management is enhanced by sound internal controls. Sound internal controls include practical, situational, and effective control activities. Control activities are the actions management has established through policies and procedures to achieve its objectives and respond to risks in the internal control system.¹ Segregation of duties is an important control activity that each business unit of FIU should make every effort to implement into its operations and workflows.

What is Segregation of Duties?
Segregation of duties is a basic building block of sustainable risk management. The principle is founded on the concept of shared responsibilities of key tasks of an organization’s critical processes or functions among multiple individuals or departments.² At its core, proper segregation of duties is designed to prevent one individual from having total control over a transaction or process.

This includes separating the responsibilities for the following functions:³

Segregating these key duties and responsibilities among different people can serve to reduce the risk of error, misuse, waste, abuse, or fraud. Be mindful that even the most diligent employee can make mistakes, and regrettably, not all employees will conduct themselves ethically. In either case, absent collusion, proper segregation of duties increases the likelihood that other employees will identify mistakes or improprieties. 

What can I do to implement adequate segregation of duties?

Before segregating any function, it is important to identify your business unit’s key processes and to obtain a clear understanding of them and their related functions. This includes understanding each task performed, how it relates to other tasks, and who performs it.

After having this understanding, you should do the following:

  • Identify incompatible tasks that should not be performed by the same person because of the potential breakdown of control. Some incompatible tasks/privileges are automatically segregated within the University’s ERP system.
  • For each process, determine if any one person is capable of authorizing, processing, recording, and reviewing the same transaction, and handling any related assets of the transaction or event. Even if that person does not perform all these duties, does that individual authorize and process the transaction and have custody of the related asset? You should try to identify paired duties that could facilitate concealment of errors or improprieties.
  • Ensure that the same person who records funds does not also deposit funds or reconcile the funds collection. Examples of other pairings of incompatible duties to avoid are having the same person ordering and receiving merchandise, or the procurement card holder receiving merchandise and reconciling the card account activities.
  • Review and approve system roles/privileges assigned to employees who are a part of key processes and workflows, ensuring that incompatible roles/privileges are not assigned. Have your Information Technology Administrator review the roles/privileges of existing staff for conflicting or incompatible access and discuss the results of their review with you. For example, an employee should not have rights or the ability to operate in the system development environment and to deploy applications to the production environment.
  • Periodically rotate carefully selected key assignments among staff. This should be done with thoughtfulness to avoid giving an individual the opportunity to conceal his/her own errors or improprieties. 
  • Periodically repeat the preceding actions, especially when changes to operations occur and/or when new systems and processes are introduced.
  • If segregation of duties is not practical within an operational process because of limited personnel or other factors, design alternative control activities to address the risk of fraud, waste, or abuse in that process. One alternative design is to segregate key or incompatible duties between different subgroups within the business unit; for example, assign recording and reconciling duties, respectively, to individuals from different departments within a college or business unit.
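The access review described in the steps above (flatten each employee’s assigned roles into the duties they grant, then flag any pairing the unit has declared incompatible, and distinguish open conflicts from ones accepted under a documented compensating control) can be expressed as a short script. The following is an added example, not code from the newsletter or from FIU’s ERP; the duty names, role names, user assignments, and compensating-control entries are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) access review over role assignments.

Added example with constructed data: the incompatible pairs mirror the
pairings named in the guidance (record vs. deposit/reconcile funds,
order vs. receive merchandise, p-card holder vs. receive/reconcile,
development access vs. production deploy); the roles and users are
hypothetical and are not FIU's ERP roles.
"""
from itertools import combinations

# Pairs of duties that should never rest with one person (unordered).
INCOMPATIBLE_DUTIES = {
    frozenset({"record_funds", "deposit_funds"}),
    frozenset({"record_funds", "reconcile_funds"}),
    frozenset({"order_merchandise", "receive_merchandise"}),
    frozenset({"pcard_holder", "receive_merchandise"}),
    frozenset({"pcard_holder", "reconcile_pcard"}),
    frozenset({"dev_environment", "deploy_production"}),
}

# Hypothetical role -> duties granted by that role.
ROLE_DUTIES = {
    "AR_Clerk": {"record_funds"},
    "Cashier": {"deposit_funds"},
    "Reconciler": {"reconcile_funds"},
    "Buyer": {"order_merchandise"},
    "Receiver": {"receive_merchandise"},
    "PCard_Holder": {"pcard_holder"},
    "Developer": {"dev_environment"},
    "Release_Mgr": {"deploy_production"},
}

# Constructed user -> assigned roles (what an ERP role export would show).
USER_ROLES = {
    "alice": {"AR_Clerk", "Cashier"},        # records and deposits funds
    "bob": {"Buyer"},
    "carol": {"Receiver", "PCard_Holder"},   # card holder also receives goods
    "dave": {"Developer", "Release_Mgr"},    # dev access plus prod deploy
    "erin": {"Reconciler"},
}

# Conflicts management has accepted because a compensating control exists
# (constructed entry; in practice this comes from the unit's risk register).
ACCEPTED_RISKS = {
    ("alice", ("deposit_funds", "record_funds")):
        "Supervisor reviews and signs the daily deposit log against the ledger",
}


def duties_for(roles, role_duties=ROLE_DUTIES):
    """Flatten a set of roles into the set of duties they collectively grant."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def find_conflicts(user_roles, role_duties=ROLE_DUTIES,
                   incompatible=INCOMPATIBLE_DUTIES):
    """Return {user: [(duty_a, duty_b), ...]} for users holding an incompatible
    pair; users with no conflict are omitted. Pairs are sorted for stable output."""
    report = {}
    for user, roles in user_roles.items():
        duties = duties_for(roles, role_duties)
        hits = [pair for pair in combinations(sorted(duties), 2)
                if frozenset(pair) in incompatible]
        if hits:
            report[user] = hits
    return report


def granting_roles(user, duty, user_roles, role_duties=ROLE_DUTIES):
    """Name the roles that give this user the given duty, so the reviewer can
    see which assignment to remove or move to another person."""
    return sorted(r for r in user_roles[user] if duty in role_duties.get(r, set()))


def review(user_roles, accepted=ACCEPTED_RISKS):
    """Produce review rows (user, pair, status, compensating control), where
    status is 'mitigated' for accepted risks and 'OPEN' otherwise."""
    rows = []
    for user, pairs in find_conflicts(user_roles).items():
        for pair in pairs:
            control = accepted.get((user, pair), "")
            rows.append((user, pair, "mitigated" if control else "OPEN", control))
    return rows


if __name__ == "__main__":
    for user, pair, status, control in review(USER_ROLES):
        roles = {d: granting_roles(user, d, USER_ROLES) for d in pair}
        print(f"{status:9} {user:6} {pair[0]} <-> {pair[1]}  via {roles}"
              + (f"  [control: {control}]" if control else ""))
```

Because the check flattens roles into duties before comparing, it also catches a single role that bundles two incompatible duties, not only two separately assigned roles; the OPEN/mitigated distinction keeps the periodic re-review focused on conflicts that still lack a documented alternative control.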

Conclusion
A well-designed and effective system of internal controls is instrumental to FIU and its respective departments achieving their objectives and goals. Proper segregation of duties is an important control activity that enhances risk management efforts to prevent error, misuse, waste, abuse, or fraud, as well as assigns shared responsibility and accountability. Managers and supervisors must be aware that there are definite actions that they can take to ensure that proper segregation of duties is implemented into their operations and workflows. The effort is well worth it. Please feel free to contact the Office of Internal Audit if you have questions about implementing adequate internal controls, including proper segregation of duties.

¹ GAO-14-704G, Standards for Internal Control in the Federal Government (The Green Book)
² Segregation of Duties (aicpa.org)
³ Segregation of Duties: What it is and Why it’s Important – Hyperproof
⁴ GAO-14-704G, Standards for Internal Control in the Federal Government (The Green Book)

ABOUT US

The FIU Office of Internal Audit serves as an independent appraisal function for the University. Our audits of the University’s colleges and departments evaluate financial processes, internal controls, and compliance with laws, rules, and regulations with a view toward ensuring that services are appropriately delivered in the most efficient and economic manner possible. Our Office is also responsible for conducting investigations for all allegations of fraud, waste, abuse, and whistleblower complaints.
