- Architecture, Planning & Construction
- Audit & Advisory Services
- Bookstore
- Buying Products & Services
- Camp Tontozona
- Facilities & Operations
- Finance & Accounting
- Forms
- Human Resources
- Legal Affairs
- Mail Services
- News & Announcements
- Parking & Transportation
- Police & Safety
- Policies & Procedures
- Property Control
- Sun Card
- Technology
- Trademark Management
- Training & Development
- Travel
- University Club
- Vendors & Licensing
Internal Controls Overview
Information Systems
This information applies if an individual or a department has access to personal or private information or the various ASU business systems and data warehouses.
Segregation of Duties - Different people should perform key information system duties. Employees should not process or approve actions affecting their own pay.
Suggested Practices - Have Different Individuals
- Enter and validate/approve transactions in software applications, such as, HRMS and Advantage
- Make and approve changes to software programs
- Authorize and effect access to data/systems
- Maintain records of assets and have custody of the assets
Potential Consequences of Not Segregating Duties
- Loss of funds or assets
- Misuse of information
- Improper use of ASU resources
- Inaccurate data - program changes do not properly process data
- Inaccurate data - data entered into system is not properly authorized
Accountability, Authorization and Approval - Accountability exists when you are able to determine who has access to what data, why they need access to that data, what applications are authorized for use, and where sensitive, private data resides.
Suggested Practices
- Limit business system and data access to appropriate users
- Adhere to security and privacy policies for: email, Web use and electronic communication
- Determine approval hierarchies and appoint a security administrator
- Implement security measures to protect access to electronic resources and private information
- Communicate and coordinate access with UTO
- Train employees on computer access, security, software, and appropriate use of ASU information
- Address reported or suspected access and security violations
Potential Consequences If Accountability Does Not Exist
- Misuse of information
- Identity theft
- Improper use of ASU resources
- Damage to public image/reputation
- Legal actions
- Security of Assets - Electronic information is a valuable asset. Security controls reduce the risk of harm caused by error, accident, natural disasters, or malicious action.
Suggested Practices
- Use and share data for business purposes only
- Design, document, and test internal processes to ensure security and data integrity
- Secure personal information in a locked or password protected location
- Regulate authorized access to resources through security measures such as user IDs and passwords
- Implement auditable authorization processes that adhere to ASU policies
- Train all users in security awareness
- Inform appropriate parties about security violations
- Restrict access of information and systems to people who need the access to perform their jobs
- Properly secure or discard personal and private information
Potential Consequences If Assets Are Not Adequately Secured
- Identify theft
- Damage to public image/reputation
- Misuse of ASU resources and information
Review and Reconciliation - Ensures that transactions are recorded correctly, can be retrieved, and are safeguarded from improper modification.
Suggested Practices
- Ensure data integrity by validating data
- Follow retention schedules and data retention requirements
Potential Consequences If No Review And Reconciliation
- Errors, discrepancies, or irregularities are not detected
- Inaccurate, incomplete records
- Improper access to business systems and data
