Cornell University
Division of Financial Services
University Controller

Proper Authorization

Proper authorization is determined by a unit’s delegation plan, as required by University Policy 4.2, Transaction Authority and Payment Approval. The authority to complete the various stages of a transaction is determined by transaction type and dollar amount, as outlined in Policy 4.2.

Authorization also involves access to information technology (IT) systems or resources. The main elements of IT authorization are as follows:

  • Privilege: The access or usage rights to a computer application or system that are granted to an individual to perform their job duties.
  • Role: The type of access granted to a user, based on the privileges associated with the user’s function. Users may be staff members, principal investigators, administrators, or they may serve in a more specific function, such as a payroll coordinator.
  • Action: What activities a given role is allowed to perform. Some examples are initiate, submit, approve, reconcile, or view (inquiry).
  • Span-of-Control: A restriction upon the action granted to a role. This is often a restriction by organization code, budget number, or other organizational or financial restriction.

Purpose

All transactions and activities should be conducted and approved by employees acting within their range of knowledge and proper span of control. Proper authorization practices proactively prevent invalid transactions from occurring.

Key Concepts and Control Examples

Document Levels of Authority:  

Documented authority creates an expectation of responsibility and accountability. Authority to perform a particular action may be granted through hardcopy documents or through system-generated authority (e.g., financial system access).

Control Example: Policies and procedures within an organization should clearly identify the individuals who have authority to initiate, submit, reconcile, view, or approve different types of transactions.

Know What You Are Authorizing:  

Individuals authorizing transactions should have firsthand knowledge of what they are approving, or they should review supporting documentation to verify that transactions are valid and appropriate. In a good internal control system, employees are kept informed of their responsibilities for verifying transactions before approving them.

Control Examples: 

  • Employees should be properly trained and informed of university policies and departmental procedures related to internal controls.
  • Documented approvals should support transactions.

Match to the Source: 

The oversight of any transaction is strengthened by the process of matching the transaction’s source documentation to the appropriate reporting documentation or reporting tool.

Control Example: For specific information, see the Reconciliation Guidelines on the Accounting website.

Authorize Promptly:

An efficient workflow is an important aspect of good internal controls. Unnecessary time lags between approving and processing create opportunities for altered documents and potential fraud.

Control Example: Many falsifications can occur after a transaction has been approved. The workflow process should stress prompt authorizations and transaction processing following approval. Once a document has been approved, it should not be returned to the preparer.

Monitor Authorizations:

Employee access and authorization should be monitored and updated to ensure that current employees have the necessary and appropriate access for their roles and that inappropriate authorities are removed promptly.

Control Example: Periodically validate authorization levels and system authorities to help ensure proper approvals and transactional integrity.

©2023 Cornell University
