Proper authorization is determined by a unit’s delegation plan, as required by University Policy 4.2, Transaction Authority and Payment Approval. The authority to complete the various stages of a transaction is determined by transaction type and dollar amount, as outlined in policy 4.2.
Authorization also involves access to information technology (IT) systems or resources. The main elements of IT authorization are as follows:
All transactions and activities should be conducted and approved by employees acting within their range of knowledge and proper span of control. Proper authorization practices proactively prevent invalid transactions from occurring.
Documented authority creates an expectation of responsibility and accountability. Authority to perform a particular action may come in hardcopy documents or by system-generated authority (e.g., financial system access).
Control Example: Policies and procedures within an organization should clearly identify the individuals who have authority to initiate, submit, reconcile, view, or approve different types of transactions.
Individuals authorizing transactions should have firsthand knowledge of what they are approving, or they should review supporting documentation to verify that transactions are valid and appropriate. In a good internal control system, employees are kept informed of their responsibilities for verifying transactions before approving them.
The oversight of any transaction is strengthened by the process of matching the transaction’s source documentation to the appropriate reporting documentation or reporting tool.
Control Example: For specific information, see the Reconciliation Guidelines on the Accounting website.
An efficient workflow is an important aspect of good internal controls. Unnecessary time lags between approving and processing create opportunities for altered documents and potential fraud.
Control Example: Many falsifications can occur after a transaction has been approved. The workflow process should stress prompt authorizations and transaction processing following approval. Once a document has been approved, it should not be returned to the preparer.
Employee access and authorization should be monitored and updated to ensure that current employees have the necessary and appropriate access for their roles and that inappropriate authorities are removed promptly.
Control Example: Periodically validate authorization levels and system authorities to help control proper approvals and transactional integrity.