About Contact Careers News Financial Aid ASU President Search
Internal Audit
Can an Internal Control be Compromised?

Internal controls ARE susceptible to being compromised. There are many circumstances where internal controls are weakened or compromised. A few of the most common ones are mentioned below.

Ignorance/inadequate knowledge of Institutional policies -

  • The Institution is dynamic in nature; therefore, old policies may be modified or replaced. Employees should stay alert to changes in policy, Institutional policies.

Segregation of Duties: In a perfect internal control environment (no such thing), an individual should not perform more than one of the following activities:

  • Authorization.
  • Custody.
  • Record Keeping.
  • Reconciliation.

Some common examples are:

  • Individuals who can authorize purchase orders should not be capable of processing payments, receiving goods or services, or keeping inventory records.
  • The person who checks the mail should not be able to prepare the deposit and record the payment to customer accounts.
  • A person who prepares the payroll voucher should not distribute or have custody of the payroll checks.
  • A person who inputs employee time into the payroll system should not have write access to the payroll master file.

Unrestricted Access to Assets:

  • Shared passwords or no passwords.
  • Unlocked offices, data center.
  • Unsecured cash or procurement cards.
  • Open access (read/write) to computer systems.

Control Override:

  • Making exceptions to established policies and procedures can be a major risk. There are times when exceptions are necessary (no exceptions to law): however in those instances they must be well documented and monitored.

Form over Substance:

  • Approving documents without proper review - A departmental supervisor signs a time sheet for an employee, but if the supervisor does not have assurance that the supporting time records are accurate, the approval process lacks substance.