Internal Control Practices | Information Systems

UC Davis' electronic information systems contain many forms of personal and private information.

By allowing appropriate system access and recording transactions in an accurate and timely manner, you can manage electronic information and ensure data integrity. Follow these internal control practices to make sure you handle electronic information and technology appropriately.

If you have access to personal or private information or use UC Davis' various electronic business systems, learn these best practices to protect UC Davis information.

  • Separation of duties
  • When your department is maintaining their own sub-systems it is essential that you maintain adequate separation of duties within that system.

    Best practice is to have different people:

    > Authorize access to sub-system to appropriate users.
    > Enter users into the sub-system after authorization is granted.
    > Review users of the sub-system when someone leaves the department or at least annually.
    > Initiate entries in sub-system.
    > Approve entries in sub-system.
    > Review and reconcile data in sub-system at least monthly.
    > Review and reconcile data from sub-system to the Kuali Financial System at least monthly.

    Potential consequences if duties are not separated:

    > Erroneous or fraudulent entries are fed into the Kuali Financial System.
    > Entries are not properly fed and recorded in the Kuali Financial System.
    > Unauthorized payments/reimbursements are made.
    > Unauthorized individuals could have access to sensitive data.
  • Accountability, authorization, and approval
  • When proper accountability exists, you know who has access to electronic and personal information, for what business purpose they have access, what information systems and data are authorized for use, and where sensitive, private information resides.

    Best practices:

    > Limit business system and data access to appropriate users.
    > Adhere to security and privacy policies for email, web browsing, and electronic communication.
    > Determine approval hierarchies and appoint a departmental security administrator (DSA).
    > Implement security measures to protect access to electronic resources and private information according PPM 310-24.
    > Communicate and coordinate access and security with IET.
    > Train employees in computer access, security, software, and appropriate use of university information.
    > Address reported or suspected access and security violations according to IET guidelines

    Potential consequences if accountability does not exist:

    > Misuse of information
    > Identity theft
    > Improper use of university assets
    > Damage to public image
    > Legal actions
  • Security of assets
  • UC Davis' electronic information is a valuable asset. Security controls prevent and reduce the risk of harm caused by error, accident, natural disasters, or malicious action. Avoid duplication of information if it’s available elsewhere. Store information in a secure location.

    Best practices:

    > Use and share data for business purposes only.
    > Design, document, and test internal processes to ensure security and data integrity.
    > Secure personal information in a locked or password protected location.
    > Regulate authorized access to resources through security measures such as user IDs and passwords.
    > Implement auditable authorization processes that adhere to university policies.
    > Train all users in security awareness.
    > Inform your DSA and system/data custodians about access rules and security violations.
    > Restrict access of information and systems to people who need the access to perform their jobs.
    > Periodically review information stored in electronic or paper format.
    > Secure or discard personal and private information properly.

    Potential consequences if electronic information is not secured:

    > Identity theft
    > Damage to public image
    > Misuse of university resources and information
  • Review and reconciliation
  • Your reconciliation activities confirm that transactions are recorded correctly, and be readily retrieved and are safeguarded from improper alteration. 

    Best practices:

    > Ensure data integrity by validating data with the Data Warehouse or Decision Support.
    > Follow retention schedules and data retention requirements.
    > Periodically review information stored in electronic or paper format.

    Potential consequences if review and reconciliation activities are not performed:

    > Errors, discrepancies, or irregularities undetected
    > Inaccurate, incomplete official records
    > Improper access to business systems and data




For questions on information systems and data integrity, contact Information and Education Technology. For questions on internal control practices, contact Controls & Accountability.