Can an Internal Control be Compromised?
Internal controls ARE susceptible to being compromised. There are many circumstances where internal controls are weakened or compromised. A few of the most common ones are mentioned below.
Ignorance/inadequate knowledge of Institutional policies:
- The Institution is dynamic in nature; therefore, old policies may be modified or replaced. Employees should stay alert to changes in Institutional policies.
Segregation of Duties: In a perfect internal control environment (no such thing), an individual should not perform more than one of the following activities:
- Authorization.
- Custody.
- Record Keeping.
- Reconciliation.
Some common examples are:
- Individuals who can authorize purchase orders should not be capable of processing payments, receiving goods or services, or keeping inventory records.
- The person who checks the mail should not be able to prepare the deposit and record the payment to customer accounts.
- A person who prepares the payroll voucher should not distribute or have custody of the payroll checks.
- A person who inputs employee time into the payroll system should not have write access to the payroll master file.
Unrestricted Access to Assets:
- Shared passwords or no passwords.
- Unlocked offices, data center.
- Unsecured cash or procurement cards.
- Open access (read/write) to computer systems.
Control Override:
- Making exceptions to established policies and procedures can be a major risk. There are times when exceptions are necessary (no exceptions to law); however, in those instances they must be well documented and monitored.
Form over Substance:
- Approving documents without proper review. For example, if a departmental supervisor signs a time sheet for an employee without assurance that the supporting time records are accurate, the approval process lacks substance.