Grants Management (OGM) Billing Duty Segregation Guidelines

Table columns: OGM or Billing Module(s) | Segregation of Duty Scenarios | Business Impact/Risk | Segregation Recommendations

AR – Decentralized Campus

Cash receipts (CR) functionality and accounts receivable (AR) billing functionality should be segregated.

Granting a single user the ability to enter invoice billings as well as enter/apply cash receipts increases the risk that billing and cash receipt controls may be bypassed.

Segregate CR Specialist from AR Billing Specialist.

AR – Centralized & Decentralized Campuses

Individuals intended to have inquiry-only access should be granted inquiry-only responsibilities.

Unintentionally granting modify access to an inquiry-only individual increases the risk of unauthorized entries.

Limit those individuals to AR Inquiry only. All other AR and OGM responsibilities should not be granted.

AR – Central Office

Central Office Only

Access to setup and master information should be limited and restricted.

Granting inappropriate users access to maintain setup data could result in erroneous, unauthorized or unintentional changes.

Limit access to AR Setup.

Access to add/modify customer information should be restricted. In addition, this access should be segregated from the following processes:

  • Customer Invoice Creation
  • Cash Receipts Processing

Granting a single user the ability to create a new customer (or modify an existing customer) as well as perform customer invoice creation and/or cash receipts functions increases the risk that processing controls may be circumvented.

Limit access to Customer Maintenance-Specialist.

Segregate Customer Maintenance-Specialist from CR Specialist and AR Billing Specialist.

Cash receipts functionality and AR billing functionality should be segregated.

Granting a single user the ability to enter invoice billings as well as enter or apply cash receipts increases the risk that billing and cash receipt controls may be bypassed.

Segregate CR Specialist from AR Billing Specialist.

Individuals intended to have inquiry-only access should only be granted inquiry-only responsibilities.

Unintentionally granting modify access to an inquiry-only individual increases the risk of unauthorized entries.

Limit those individuals to AR Inquiry only. All other AR and OGM responsibilities should not be granted.

OGM – Decentralized Campus

Access to set up award and project templates should be restricted.

Granting inappropriate users access to set up project and award templates could result in erroneous, unauthorized or unintentional changes.

Limit access to Account Establishment Administrator.

Segregate Account Establishment Administrator from Account Establishment Specialist w/Budget Approval and Account Establishment Specialist.

Access to create, set up and modify award, project and task information should be segregated from approval of award and project budgets.

Granting a single user the ability to create, set up, modify and approve award and project budgets and information increases the risk that budget controls may be bypassed.

Segregate Account Establishment Specialist w/Budget Approval from Account Establishment Specialist.

Access to create and modify invoicing and billing information should be segregated from project and award setup/approval.

Granting a single user the ability to set up and approve a budget for an award or project and the ability to create billings for that project or award increases the risk that grant management controls may be circumvented.

Limit access to OGM Billing Specialist.

Segregate OGM Billing Specialist from Account Establishment Specialist, Account Establishment Specialist w/Budget Approval and Account Establishment Administrator.

Access to cost share usage and hourly time reporting data should be segregated from other grants management processes, such as billing and award/project management.

Granting users access to enter cost usages and hourly time for employees in conjunction with grant management functions such as billing and award/project maintenance increases the risk of unauthorized entries.

Segregate Cost Share OTPS Specialist and Hourly Time Reporting Specialist from OGM Billing Specialist, Account Establishment Specialist, Account Establishment Specialist w/Budget Approval and Account Establishment Administrator.

Individuals intended to have inquiry-only access should only be granted inquiry-only responsibilities.

Unintentionally granting modify access to an inquiry-only individual increases the risk of unauthorized entries.

Limit those individuals to Grants / AR Inquiry only. All other AR and OGM responsibilities should not be granted.

OGM – Centralized Campus

Central Office Only

Access to cost share usage and hourly time reporting data should be segregated from other grant management processes, such as submitting, approving and transferring funds for award, project and task budgets.

Granting users access to enter cost usages and hourly time for employees in conjunction with grant management functions such as submitting, approving and transferring funds for award/project budgets increases the risk of unauthorized entries and the potential for inaccurate budgets to exist.

Segregate Cost Share OTPS Specialist and Hourly Time Reporting Specialist from Budget Transfer Specialist.

Access to transfer funds within a budget should be restricted.

Granting inappropriate users access to transfer funds for project, award and task budgets could result in erroneous, unauthorized or unintentional changes.

Limit access to Budget Transfer Specialist.

Individuals intended to have inquiry-only access should only be granted inquiry-only responsibilities.

Unintentionally granting modify access to an inquiry-only individual increases the risk of unauthorized entries.

Limit those individuals to Grants / AR Inquiry only.

All other AR and OGM responsibilities should not be granted.

OGM – Central Office

Central Office Only

Access to set up award and project templates should be restricted.

Granting inappropriate users access to set up project and award templates could result in erroneous, unauthorized or unintentional changes.

Limit access to Account Establishment Administrator. Segregate Account Establishment Administrator from Account Establishment Specialist w/Budget Approval and Account Establishment Specialist.

Access to create, set up and modify award, project and task information should be segregated from approval of award and project budgets.

Granting a single user the ability to create, set up, modify and approve award and project budgets and information increases the risk that budget controls may be bypassed.

Segregate Account Establishment Specialist w/Budget Approval from Account Establishment Specialist.

Access to create and modify invoicing and billing information should be segregated from project and award setup/approval.

Granting a single user the ability to set up and approve a budget for an award or project and the ability to create billings for that project or award increases the risk that grant management controls may be circumvented.

Limit access to OGM Billing Specialist.

Segregate OGM Billing Specialist from Account Establishment Specialist, Account Establishment Specialist w/Budget Approval and Account Establishment Administrator.

Access to hourly time reporting data should be segregated from other grant management processes, such as billing and award/project management.

Granting a single user the ability to enter hourly reporting as well as perform billing and award/project management increases the risk of unapproved or unauthorized entries.

Segregate Hourly Time Reporting Specialist from OGM Billing Specialist, Account Establishment Specialist, Account Establishment Specialist w/Budget Approval and Account Establishment Administrator.

Individuals intended to have inquiry-only access should only be granted inquiry-only responsibilities.

Unintentionally granting modify access to an inquiry-only individual increases the risk of unauthorized entries.

Limit those individuals to Grants / AR Inquiry only.

All other AR and OGM responsibilities should not be granted.

Access to setup and master information should be limited and restricted.

Granting inappropriate users access to maintain setup data could result in erroneous, unauthorized or unintentional changes.

Limit access to Project / Grant Setup. Access to this data should be maintained centrally within central office only.


 

 

Copyright © 2011 The Research Foundation of State University of New York