Prevalent Audit Concerns

Improper Segregation of Duties

Segregation of duties is an internal control intended to prevent or decrease the occurrence of innocent errors or intentional fraud. This is done by ensuring that no single individual has control over all phases of a transaction.

There are four general categories of duties: authorization, custody, record keeping and reconciliation. In an ideal system, different employees perform each of these four major functions. In other words, no one person has control of two or more of these responsibilities. The more negotiable the asset, the greater the need for proper segregation of duties - especially when dealing with cash, negotiable checks and inventories.

We often think of cash handling as the place where segregation of duties is most important, because cash is a highly liquid asset. This means that it is easy to take money and spend it without leaving a trail of where it went. Any department that accepts funds, has access to accounting records, or has control over any type of asset should be concerned with segregation of duties.

Some examples of incompatible duties are:

  • Authorizing a transaction, receiving and maintaining custody of the asset that resulted from the transaction.
  • Receiving checks (payment on account) and approving write-offs.
  • Depositing cash and reconciling bank statements.
  • Approving time cards and having custody of pay checks.

Separation of duties can only limit problems stemming from incompatible duties. It is possible, though not likely, that collusion will occur, making control procedures ineffective. Management needs to be aware of relationships (family and friends) and be alert to the possibility of collusion.

Also, in a small operation, it is not always possible to have enough staff to properly segregate duties. In those cases, management may need to take a more active role to achieve separation of duties, by checking the work done by others. Sometimes, the knowledge that records will be checked by others is enough to prevent misappropriation of assets.

Procurement Card Policy Not Followed

The university policy on procurement cards was established after much thought and review. The requirements of the policy are not arbitrary, but were established to keep Cornell in compliance with regulations and to allow other Cornell systems of recordkeeping and reporting to work properly.

For example, the procurement card policy prohibits the purchase of the services of independent contractors. This is because there is no way to track those payments and issue 1099s (Statements of Miscellaneous Income) at the end of the year, as required by Federal law.

Failure to Document Business Purpose

Lack of documented business purpose of travel and other business expenses is an audit concern that arises regularly.

The university receives, from a variety of sources, funds that carry with them fiduciary responsibilities. These responsibilities require that funds only be used for ordinary, reasonable, and actual business-related expenses incurred in furtherance of the university's missions. When university community members fail to provide supporting documentation evidencing business purpose of expenses, as required for internal and external reviewers, it can result in inappropriate charges going undetected. Evidence of lack of documented business purpose or failure to detect inappropriate charges could lead to fines, penalties, and a loss of the public trust which could have a serious impact on future funding.

Supervisors Not Approving Time Worked

Cornell has online approval for time worked by hourly employees. The person who approves an employee's timecard should be the person familiar with the employee's work and the hours the employee works, most often the employee's supervisor. In those cases where it is not possible for the supervisor to approve an employee's time online, the supervisor should document his or her approval in writing. Should a question come up later about a timecard, this gives an additional measure of certainty regarding the time recorded by the employee, as well as written evidence that the supervisor knew the employee worked those hours, and was approved to work those hours.

Failure to Perform Periodic Network Vulnerability Scans

We often find that units are not performing periodic network vulnerability scans on the workstations, servers, and printers they are responsible for.

Most operating systems have vulnerabilities that expose them to attacks. An attacker could exploit these vulnerabilities to disrupt or damage systems and gain access to confidential information, which could lead to fines, penalties, and damage to Cornell's reputation. Regularly scanning workstations, servers, and printers for vulnerabilities, and taking adequate steps to understand and correct them, helps to ensure that systems are protected from such attacks.

Terminated Employees Retain Access to Computer Systems

Often we find that employees who have left the university or who have transferred to another department still have access to computer systems. Unauthorized access to records is the biggest risk here, but the existence of this condition highlights a larger issue, the lack of procedure -- or the ineffectiveness of the existing procedure -- when employees are hired or leave the department. To deal with the computer access problem, departments could use a checklist of access to computer systems to be given to new hires, and use the same list to remove access when the employee leaves.

An employee may change positions within the department, requiring access to departmental systems that wasn't necessary at his or her initial hire date, or new systems may be implemented. For this reason, it is wise to periodically check who has access to your computer systems. Does your department have a procedure in place to do this?
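The periodic check described above can be automated as a reconciliation of the department's system access lists against the HR roster. The following is an added example written for this page, not a Cornell script; the roster format, status values, department names, NetIDs and dates are constructed sample data.

```python
from datetime import date

# Constructed HR roster: netid -> (department, status).
# Departments, NetIDs and status values are hypothetical.
HR_ROSTER = {
    "abc12": ("finance", "active"),
    "def34": ("finance", "terminated"),
    "ghi56": ("library", "active"),   # transferred out of finance
    "jkl78": ("finance", "active"),
}

# Constructed access list for the department's systems:
# (system, netid, date the access was last reviewed).
SYSTEM_ACCESS = [
    ("ledger",  "abc12", date(2022, 1, 10)),
    ("ledger",  "def34", date(2021, 6, 1)),
    ("ledger",  "ghi56", date(2021, 9, 15)),
    ("payroll", "mno90", date(2020, 3, 3)),   # no HR record at all
    ("payroll", "jkl78", date(2023, 2, 2)),
]


def review_access(roster, access, department):
    """Return accounts the department should remove, grouped by reason.

    terminated:  HR shows the person has left the university
    transferred: HR places the person in another department
    unknown:     no HR record exists for the netid (orphan account)
    """
    findings = {"terminated": [], "transferred": [], "unknown": []}
    for system, netid, _reviewed in access:
        record = roster.get(netid)
        if record is None:
            findings["unknown"].append((system, netid))
        elif record[1] != "active":
            findings["terminated"].append((system, netid))
        elif record[0] != department:
            findings["transferred"].append((system, netid))
    return findings


def overdue_reviews(access, today, max_age_days=365):
    """Accounts whose access has not been re-reviewed within max_age_days."""
    return [(s, n) for s, n, reviewed in access if (today - reviewed).days > max_age_days]
```

The same access list, maintained per system, doubles as the new-hire checklist the text suggests: grant from it at hire and remove from it at departure.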

Inadequate Cash Controls

Cash is a highly liquid asset, meaning that it can easily be misappropriated. For this reason, it is important to have strong controls over cash operations.

Cash should be physically secured, with limited access to registers, safes and cash boxes. Deposits should be made promptly, before large amounts of cash accumulate. Petty cash accounts should be reconciled regularly. Surprise cash counts should be made in any operation handling large amounts of cash.

Employees Not Given Annual Performance Appraisals

Annual performance appraisals are a tool of communication between employees and supervisors. They provide employees with feedback on the job they've been doing, serve as an opportunity for supervisors to make clear their expectations of their employees, and allow employee and supervisor to discuss strengths, weaknesses and goals for the coming year. Written performance appraisals provide a record of progress which may support later disciplinary or laudatory actions. All employees are entitled to know "how they're doing", and the written performance appraisal is a way to formally communicate this.

Inadequate Review of Transactions Before Approval

The effectiveness of internal controls is limited to the extent that decisions are made with judgment, in the available time, based on information on hand, and under pressure to conduct business. Internal controls can break down when authorizers do not review the forms they must sign, such as accounts payable vouchers, reconciliations and time cards. In audit office presentations, we like to state it this way: "We are looking for a signature, not an autograph." Unlike an autograph, a signature implies that a review took place.

Unlicensed Software is Installed on Department Computers

Having unlicensed software on your department's computers exposes the university to possible penalties from software vendors, as well as litigation costs and/or damage to the university's reputation. Departments should have a software management system in place that tracks software installed on university computers. An additional benefit to having such a system is the ability to take advantage of bulk purchases or site licenses for widely-used applications.

Regular Inventory of Capital Assets is Not Taken

The university Capital Assets Policy requires that physical inventory be taken every two years. Physical inventory involves locating the item, making sure the written record of its location, condition, serial number, etc. is correct, and removing the item if it no longer exists. Physical inventory gives management assurance that assets are still in the place of record, that they haven't been moved, disposed of, or stolen, and that they are still in working condition.

Proper Bidding Procedures are Not Followed

The university's bidding procedures were established to ensure that the university receives competitive pricing on goods and services. They also ensure that purchases are not subject to favoritism, and can protect against fraud in the purchasing process. In addition, individuals who use State and Federal funds to purchase items may be required, as a condition of accepting those funds, to bid out their purchases.

Sharing of NetIDs and Passwords

Password sharing is prohibited by several university policies, including University Policy No. 4.12, Data Stewardship and Custodianship; No. 5.4.1, Security of IT Resources; No. 5.5, Stewardship and Custodianship of Electronic Mail; and No. 5.8, Authentication of Information Technology Resources.

Passwords are used to identify system users and provide a trail of each user's activity; therefore they must be known only to one user. It is very important that NetID passwords be known only to one user, as NetIDs are used to identify the user to services which display confidential personal data, including personal wage and benefits information. Sharing NetID passwords can also cause a breakdown in proper segregation of duties, because NetIDs are used to identify users to services such as COLTS and the CU Online Travel System, where transactions are processed that require a separate preparer and approver. Sharing NetIDs and passwords can allow one user to be both preparer and approver.

In some cases, we have found that NetIDs and passwords are shared so one user can access another user's email. The need to access another user's email is not an appropriate reason to share NetIDs and passwords. Alternative methods are available for accessing another user's email; units should contact CIT for more information.

Lack of Supervisor Review of Travel

The purpose of University Policy No. 3.2, University Travel, is to ensure that travel charged to university accounts is for legitimate business purposes. Failure to comply with this policy increases the risk of loss due to errors and irregularities. Policy No. 3.2 states that "supervisors must review all travel." This review must be performed by the traveler's supervisor, as they are likely to be in the best position to assess the legitimacy of the business purpose for travel. Supervisory review can take many forms, such as pre-transaction review or a periodic scan of transactions with detailed review of unusual or questionable items. Delegation of this responsibility should only be on a short-term, emergency basis.

Lack of Certification and Documented Review of Accrued Leave Balances

Certification and confirmation of accrued leave balances is essential to ensure accurate records are maintained. Requiring employees to regularly certify their leave balances and requiring the employee's supervisor to review and approve these certifications provides a strong control over the tracking of leave balances and reduces the possibility of errors or abuse of university leave benefits. Certification and supervisory review and approval also reduce the likelihood of disputes between the employee and the university at the time of separation from the university.
