A key internal control is controlling who has access to your accounting system and, if your system allows fine-tuned controls, who has access to which parts of the system, e.g. check-writing privileges, read/write access to customer or vendor ledgers, payroll data, bank ledger activity, or the full system. Staff shouldn’t have access to more areas of the system than they need for their job. For instance, accounts receivable staff shouldn’t be able to write checks, accounts payable staff shouldn’t be able to post customer invoices or credit memos, non-accountants may only need read access without being able to enter data.
Another control related to your data is disaster recovery. If a natural disaster damaged your office, how would you restore access to your accounting system and data?
Some information to include about accounting system access is:
- Who sets up access to the accounting system when a new staff person is hired, or someone’s role changes? Who determines the level of access each person needs?
- Do you set up separate usernames and passwords for each person? Do passwords have to be changed periodically?
- Do you require approvals for any transactions, e.g. large dollar amounts, unusual transactions, or transactions charged to certain contracts or funders, or rarely used revenue, expense, or balance sheet accounts?
- Do you cut off which periods can’t be posted to, e.g. months that have been closed, or future fiscal years?
For disaster recovery, consider documenting:
- Is data backed up periodically? How often, and in what format? Where are back-ups stored?
- If your office or computer systems were damaged, how would you restore your accounting system and data? Do you have CDs or other media to reinstall the software? Who is responsible for accessing your back-up data and restoring it? How long would your recovery take?
- Do you have any physical files that you need to protect, e.g. contracts, insurance policies, vendor invoices, copies of checks you’ve deposited?
- Do you periodically test your back-up data and recovery plans?
Check here for additional topics to cover in your accounting manual.