Definition:
Authorization is the basis by which the authority to complete the various stages of a transaction is delegated. These stages include the processes of Recording (initiate, submit, process), Approving (pre-approval, post entry review), and Reconciling. The main aspects of authorization are:
- Privilege: Typically, the application for which an individual is granted the ability to use or the duty in which they are granted the ability to perform.
- Role: Typically, a type of user, such as staff, principal investigator, administrator or other, more specific roles such as payroll coordinator. This often is dependent upon the privilege the role is associated with.
- Action: Typically, an action that the user can perform. Some examples are initiate, submit, approve, reconcile or view (inquiry).
- Span-of-control: This is a restriction upon the action granted to a user. This is often a restriction by organization code, budget number, or other organizational or financial entity defined restriction.
Purpose:
All transactions and activities should be carried out and approved by employees acting within their range of knowledge and proper span of control. Proper authorization practices serve as a proactive approach for preventing invalid transactions from occurring.
Concepts and Best Practices:
| Key Concept | Best Practice |
|---|---|
| Level of authority should be documented: Documented authority creates an expectation of responsibility and accountability. Authority to perform a particular action may come in hard copy documents or system generated authority (example: ASTRA access system) |
Policies and procedures within an organization should clearly identify which individuals have authority to initiate, submit, reconcile, view or approve different types of transactions. |
| Know what you are authorizing: Individuals should have first hand knowledge of the transactions being approved, or they should review supporting documentation to verify the validity and appropriateness of transactions. An employee being uninformed of their responsibilities related to departmental procedures is not acceptable in a good internal control system. |
Employees should be properly trained and informed of departmental procedures related to internal controls. |
| Authorization should be timely: Workflow is an important aspect of good internal controls. Time lags between approval and processing provide opportunities for altered documents and potential fraud. |
Many falsifications occur after the approval of a transaction. The workflow process should stress timely authorizations as well as timely processing of transactions following approval. Once a document has been approved it should not be returned to the preparer. |