Published: July 14, 2020

Processing documents such as vendor invoices and employee timesheets involves frequent approvals. It can be inefficient to pass around paper for these purposes, so electronic options are attractive to many. Some local governments have already moved to electronic approvals, using features in their financial software systems, while the pandemic and teleworking have others exploring options now.

(One caveat: The types of approvals we are discussing here are not the same as legally required signatures on a legal document. We include some links to resources on that topic below, but you should discuss any changes to those processes with your legal counsel.)

When it comes to electronic approvals for internal control purposes, here are five things you’ll want to keep in mind:

1. Ensure the approval is valid: You must have confidence that the electronic approval actually came from the person who reportedly approved it. Let’s say Mike, Water Utility Manager, approved an invoice to purchase a new work truck. You need to be certain that it is truly Mike giving the approval, and that no one else can approve it and make it appear as if Mike performed the action. Most commonly, the software system requires unique logins and passwords for each user. The system then records actions each individual performs and provides the mechanism to validate the approval.

2. Segregate duties: A control system needs to limit authority and responsibilities, whether the system is manual, automated, or something in between. If one of Mike’s employees, Jerry, is not authorized to perform approvals, the system should prevent him from doing so. In addition, the system should not allow the same person to both create a transaction and approve it. Mike might be able to approve Jerry’s timesheet, but he shouldn’t be able to approve his own.

3. Prevent changes after approval: It should not be possible to change transactional information after it has been approved. For example, once Mike has approved Jerry’s timesheet, no one should be able to change it without his subsequent approval.  

4. Assess security and fraud risk: Put some time and thought into the various ways someone might circumvent your controls. Temporary do-it-yourself paperless methods might be more vulnerable than your former manual control processes. For example, using email to approve timesheets and invoices involves more risk. Unfortunately, phishing emails are on the rise, and it can be quite difficult to tell the difference between valid and fraudulent messages. Just be sure to consider risks that could come from within the organization, as well as external ones.

5. Maintain the audit trail: You’ll need to show others after the fact that transactions were approved, who approved them, and when. It’s important to decide how you want to store these records (electronic or hard copy), where they will be stored, and how long to keep them. If you are using email right now, you’ll want to find a way to capture and organize those emails so they are easy to find later. It would be best to formalize the process so that records are not lost or destroyed if employee roles change or turnover occurs.

Additional resources on this topic

Resources for electronic signatures on legal documents (see note above)
