Booklet: Operations Section: Risk Mitigation and Control Implementation Subsection: Personnel Controls

Previous Subsection Table of Contents Next Subsection

Safe and sound IT operations demand appropriate, skilled personnel in addition to suitable technology. Operations management, in coordination with the human resources function, should ensure employee recruitment, hiring, and placement processes provide for thorough applicant screening and background checks at the time of employment. If IT operations are sensitive, background checks should be updated periodically during employment.

Staff stability is important to employee morale and operations effectiveness. High employee turnover can disrupt workflow, degrade service and production quality, and increase training resource demands. To the extent possible, management should seek to minimize employee turnover. Clearly defined duties, responsibilities, expectations, and accountability may help minimize employee turnover.

Organizational structure should include dual controls and separation and rotation of duties where appropriate and feasible. Internal control procedures, dual control and rotation of duties facilitate cross-training, improve depth of personnel skill, and succession. In addition to serving as a quality control mechanism, separation of duties deters employee dishonesty, fraud, or intentional harm to equipment, systems, and data. Management should organize functional duties so no one person performs a process from beginning to end or checks the accuracy of his or her own work. Except in emergencies, computer operators should not perform duties other than those directly relating to equipment operation. For example, computer operators should not perform data preparation activities, such as reject re-entry, general ledger balancing, or unposted items settlement.

Adequate separation of duties is a challenge in smaller institutions. In such circumstances, rotation of duties can be an effective mitigating control. Management should closely review and monitor individual performance and activities in these situations to provide effective supervision, facilitate training, and serve as a validation to control effectiveness.

Previous Subsection Table of Contents Next Subsection           Home IT Booklets Glossary Resources Presentations