About this Policy
Security Access Validation
Policy Number: 21303
Effective Date: Dec 12, 2017
Last Updated: May 11, 2018
Responsible Office: UM System Controller's Office
Responsible Administrator: UM System Controller
Policy Contact: Campus Division of Finance
Categories: Finance
Scope
This policy applies to all University employees who authorize security to University financial systems required to execute job duties.
Reason for Policy
This policy identifies security access validation to ensure that PeopleSoft security access is accurate and needed, and that adequate segregation of duties is in place.
Policy Statement
The ability to effect transactions and access information is granted through the necessary financial systems. Access to the financial systems should only be provided to individuals whose jobs require access to the system and at a minimum level needed to perform the intended function.
System access is controlled through the use of sign-in controls. When a user requires system access, a request is submitted through the proper approval chain, which may include fiscal managers, Campus Division of Finance and/or MU Health Care Controller's Office. Additional controls exist within the financial systems to limit a person's access to certain features and functions. The manager or supervisor is responsible for ensuring that system access is granted and removed when appropriate and that User Roles are consistent with job roles.
Access to the financial systems must be periodically verified as staff are hired, leave, or change positions at the University. Managers must ensure User Roles and authorization reflect responsibilities of staff. A person's responsibilities in a new position may not require the same access as their previous position or that of their predecessor. In addition, the exiting manager must remove all roles pertaining to a vacated position. Failure to properly assign or change financial system User Roles is a primary reason staff members share passwords—a significant control weakness.
User Roles with high risk are those with the ability to authorize the expenditure of funds and those within the core offices. It is critical that these roles are evaluated in a timely manner when duties change and when employees turn over, to ensure adequate internal controls. User Roles fitting these criteria include financial approvers and Grant Project Managers.
User Roles with low risk are those with the ability to view financial systems. It is important that these roles are evaluated. In addition, these roles do not have the ability to create or approve expenditure transactions. User Roles fitting these criteria may include financial viewers and payable transaction viewers.
Definitions
User Roles - Within the financial system, user roles are those functions or system features that an employee may have access to complete necessary financial tasks.
Accountabilities
Division of Finance:
- Assess financial security for employees in core offices to ensure adequate internal controls during change of duties and employee turnover.
- When granting financial security, ensure segregation of duties exists between current user roles and requested roles.
Campus Division of Finance:
- Review reports provided by the IT Security Manager, or facilitate their distribution to departments, in a timely manner, and advise of any required modifications to the users' role assignments.
- When granting financial security, ensure segregation of duties exists between current user roles and requested roles.
Fiscal Managers:
- Assess financial security for employees to ensure adequate segregation of duties during change of duties, employee turnover, and periodically for the department as a whole.
- Managers are to identify any control issues or lack of segregation of duties and notify the Campus Division of Finance to correct access.
Additional Details
Forms
Related Information
Policy 21301 on Internal Controls
Policy 21302 on Segregation of Duties
History
Revised in May 2018 to reflect the level of risk of certain roles and to outline the review required based on the risk.
Formerly Accounting Policy Manual 2.25.60 – Security Access Validation (revised 5/06/2007)
Procedure
Reviewed 2018-10-17