Managing system access controls is a critical activity that helps reduce the opportunity for fraud. In an ideal world, super user access should only be granted to employees outside of Finance who are not responsible for any financial activities, such as employees in the Information Technology (IT) Department. All user access changes should be run through the IT Department and approved by the user's supervisor within Finance, who has direct knowledge of the user's job duties. However, this is not always practical when access rights must be balanced against operational efficiencies.
It is imperative that school districts identify super users and review user access for all employees with access to financial system roles. All users’ needs should be evaluated based on their role(s) in the Finance Department. Each employee should be granted the minimum level of access needed to perform their required tasks. For example, a single employee should not have access to add vendors, edit vendor information, and pay vendors. Also, a single employee should not have access to change employee pay rates and process payroll.
In the event that this access is unable to be segregated due to system limitations or operational efficiencies, the school district should implement procedures to periodically review the activity for these employees. All employees should have clearly defined job duties so that it is easier to identify inappropriate activity by individuals not authorized for certain actions. It is also preferable for user access to be defined by position, rather than employee. Therefore, when an employee changes positions, their old access should be removed and replaced with the access defined in their new position.
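The access review described above can be run against an export of user assignments from the financial system. The following is an added example, not part of the original article: it derives each user's access from their position(s), flags the two conflicting combinations named above, and lists Finance super users whose activity needs periodic review. All permission names, positions and users are constructed for illustration.

```python
# Constructed sample data; permission, position and user names are hypothetical.
SOD_RULES = {
    "vendor maintenance + payment": {"vendor.add", "vendor.edit", "vendor.pay"},
    "pay rate change + payroll run": {"payroll.change_rate", "payroll.process"},
}

# Access is defined per position, not per employee.
POSITION_ACCESS = {
    "AP Clerk": {"vendor.add", "vendor.edit"},
    "AP Manager": {"vendor.pay"},
    "Payroll Specialist": {"payroll.process"},
    "Business Manager": {"vendor.add", "vendor.edit", "vendor.pay",
                         "payroll.change_rate", "payroll.process"},
    "Systems Administrator": set(),
}

# (user, department, positions held, super user flag)
USERS = [
    ("asmith", "Finance", ["AP Clerk"], False),
    ("bjones", "Finance", ["AP Clerk", "AP Manager"], False),  # old position never removed
    ("cdavis", "Finance", ["Business Manager"], True),
    ("dlee", "IT", ["Systems Administrator"], True),
]


def effective_permissions(positions):
    """Union of the access granted by every position a user still holds."""
    perms = set()
    for position in positions:
        perms |= POSITION_ACCESS[position]
    return perms


def review_access(users=USERS):
    """Return (user, finding, detail) tuples for a periodic access review."""
    findings = []
    for user, dept, positions, is_super in users:
        perms = effective_permissions(positions)
        for rule, combo in SOD_RULES.items():
            if combo <= perms:  # user holds every permission in the conflicting set
                findings.append((user, "SoD conflict", rule))
        if is_super and dept == "Finance":
            findings.append((user, "super user in Finance", "needs periodic activity review"))
        if len(positions) > 1:  # access from a prior position may not have been removed
            findings.append((user, "multiple positions", ", ".join(positions)))
    return findings


if __name__ == "__main__":
    for finding in review_access():
        print(*finding, sep=" | ")
```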
School districts should evaluate their controls to manage system access on an ongoing basis. Technology is a constantly evolving field that presents unique opportunities for fraudulent activity. Implementing these best practices will help reduce the risk of fraud and help detect any improper activity.