Internal Controls — Information Systems & Technology


  • IT policies, procedures, and definitions are clearly communicated.
  • Organizational structure, policies and procedures are clearly defined and communicated.
  • Systems changes are authorized and approved.
  • Master files are monitored for integrity.
  • Verifying accuracy of output.
  • Proper design and use of information system documents and records are maintained.
  • Access to and use of the information system, assets and records are reasonable and restricted to authorized individuals.
  • Segregation of duties exists in functions related to the information systems.
  • Transactions and activities related to the information systems are properly authorized.
  • Performance of information system functions is independently verified.
  • All staff are trained on cybersecurity awareness and best practices.
  • System users are granted only the access needed to perform their duties.


  • Control may be superficial, inconsistently followed or subject to override or circumvention.
  • Opportunities to perpetrate and conceal fraud may exist if personnel have direct or indirect access to assets, or if any user has too much access to systems or information.
  • Personnel may not fully understand users' needs or the accounting aspects of the systems; systems may be developed that perform improper calculation, prepare erroneous reports or cause other processing errors.
  • Systems may be designed with inadequate control in the application programs.
  • User control may be incomplete or ineffectual as a result of poor knowledge of the system and the processing functions performed by the application programs.
  • Unauthorized persons may obtain detailed knowledge of applications and use that knowledge to perpetrate irregularities.
  • Personnel may make systems changes that do not conform to users' needs, resulting in processing errors.
  • Unauthorized program modifications may be implemented to perpetrate and conceal fraud.
  • Master files may contain erroneous data that cause errors in all transactions using those data.
  • Master file data may be altered to allow the processing of fraudulent transactions.
  • Master file data may be altered prior to the preparation of statements or confirmation.
  • Unauthorized or fraudulent transactions introduced during processing may not be detected.
  • Employees are susceptible to spam and phishing attacks, and/or password hacking.