Booklet: Operations
Section: Risk Mitigation and Control Implementation
Subsection: Personnel Controls
Safe and sound IT operations demand appropriate, skilled personnel in addition
to suitable technology. Operations management, in coordination with the
human resources function, should ensure employee recruitment, hiring,
and placement processes provide for thorough applicant screening and background
checks at the time of employment. If IT operations are sensitive, background
checks should be updated periodically during employment.

Staff stability is important to employee morale and operations effectiveness.
High employee turnover can disrupt workflow, degrade service and production
quality, and increase training resource demands. To the extent possible,
management should seek to minimize employee turnover. Clearly defined
duties, responsibilities, expectations, and accountability may help minimize
employee turnover.

Organizational structure should include dual controls and separation and
rotation of duties where appropriate and feasible. Internal control procedures,
dual control, and rotation of duties facilitate cross-training, improve
depth of personnel skill, and support succession. In addition to serving as a
quality control mechanism, separation of duties deters employee dishonesty,
fraud, or intentional harm to equipment, systems, and data. Management
should organize functional duties so no one person performs a process
from beginning to end or checks the accuracy of his or her own work. Except
in emergencies, computer operators should not perform duties other than
those directly relating to equipment operation. For example, computer
operators should not perform data preparation activities, such as reject
re-entry, general ledger balancing, or unposted items settlement.

Adequate separation of duties is a challenge in smaller institutions.
In such circumstances, rotation of duties can be an effective mitigating
control. Management should closely review and monitor individual performance
and activities in these situations to provide effective supervision, facilitate
training, and serve as a validation of control effectiveness.