If an employee can create a transaction in the financial system through a cuff system (done via interface), should they be able to modify that transaction directly in the financial system? Is it a separation of duties or internal control issue?
Audit Question
Answers
If the employee can create a transaction (for example an expense report or a corporate purchase) there should be process controls around the transaction. By this I mean there should be an approval process or a rules-based approach (can approve up to $$ on specific budget accounts).
Changing a transaction should only be supported up until the point it creates a transaction in your financial system. This is true of any transaction - the audit trail in your financial system should explain all of your reporting and all changes to that reporting. A reasonable edit period can be allowed prior to the process control - but you should be able to count on final transactions being final.
The one additional caveat to the above will be any industry-specific tracking requirements - for example government and some non-profit systems will require change tracking on any change to an employee transaction.
I think it is both internal control and separation of duties. There should be very limited access to the financial system, whether that is only a few people having any access or very few people having the ability to push/approve a transaction into the general ledger.
For something like expense reports, there should be an approval process where the submission is locked down and cannot be changed by the submitter once it is being reviewed (they can withdraw and make changes but then it has to go through the approval again). Someone (usually in Finance) should have the last say to make the expense report final and only at that point can it go into the general ledger (and possibly also be ready to be paid).
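The workflow the answers above describe (edits locked once review starts, withdrawal forcing re-approval, approval limits, Finance making the final posting) can be enforced as a small state machine. This is an added example, not part of any answer on this page; the state names, user names, the per-approver limit parameter and the `finance_users` set are assumptions made for illustration.

```python
from dataclasses import dataclass, field

class ControlViolation(Exception):
    """Raised when an action would bypass a workflow control."""

@dataclass
class ExpenseReport:
    submitter: str
    amount: float
    state: str = "DRAFT"   # DRAFT -> IN_REVIEW -> APPROVED -> POSTED (hypothetical names)
    approver: str = ""
    audit: list = field(default_factory=list)

    def _require(self, ok, msg):
        if not ok:
            raise ControlViolation(msg)

    def _log(self, actor, action):
        # Every accepted action is recorded, so the trail explains the final state.
        self.audit.append((actor, action, self.state, self.amount))

    def edit(self, actor, amount):
        self._require(actor == self.submitter, "only the submitter may edit")
        self._require(self.state == "DRAFT", "report is locked once under review")
        self.amount = amount
        self._log(actor, "edit")

    def submit(self, actor):
        self._require(actor == self.submitter and self.state == "DRAFT", "cannot submit")
        self.state = "IN_REVIEW"
        self._log(actor, "submit")

    def withdraw(self, actor):
        # Allowed until posting; any prior approval is discarded.
        self._require(actor == self.submitter, "only the submitter may withdraw")
        self._require(self.state in ("IN_REVIEW", "APPROVED"), "nothing to withdraw")
        self.state, self.approver = "DRAFT", ""
        self._log(actor, "withdraw")

    def approve(self, actor, limit):
        self._require(self.state == "IN_REVIEW", "report is not under review")
        self._require(actor != self.submitter, "submitter cannot approve own report")
        self._require(self.amount <= limit, "amount exceeds approver's limit")
        self.state, self.approver = "APPROVED", actor
        self._log(actor, "approve")

    def post_to_gl(self, actor, finance_users):
        self._require(self.state == "APPROVED", "only approved reports can be posted")
        self._require(actor in finance_users, "only Finance may post to the ledger")
        self._require(actor != self.submitter, "submitter cannot post own report")
        self.state = "POSTED"   # final: no method leaves this state
        self._log(actor, "post")
```
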