Internal Controls Exception Requests
If a prohibited role combination is deemed necessary for the continuation of business transactions within a department or college, the exception request webform must be used to request an exception to policy 9.1.2. All submitted requests will go through a minimum of three levels of review and approval: department-level, college-level, and university-level.
Internal Financial Environment
The exception request form requires you to provide information regarding the internal financial environment within your department and/or college. This includes providing detailed information about processes and activities related to three main areas: equipment management, purchasing, and financial reporting. You may draft this information ahead of time in three separate Word documents and attach it to the exception request form.
Mitigating Controls and Internal Review Procedures
All exception requests must include detailed mitigating controls and internal review procedures to be approved.
Mitigating controls are checks and balances to help ensure no fraudulent activities are taking place because of the high-risk system role access resulting from an approved exception request. Your mitigating controls must clearly define how you will monitor the activity of the employee(s) with prohibited role combinations to confirm it follows university policies and procedures and does not expose your department or the university to unnecessary risk.
Internal review procedures are the evaluation steps that will be employed within the unit to ensure that your mitigating controls are being followed correctly and consistently. Your review procedures should include how mitigations will be monitored as well as how changes will be identified and acted upon.
You may draft this information ahead of time in two separate Word documents and attach it to the exception request form.
Approvers and Unit Security Contacts
The exception request form will require you to identify the people for at least two levels of approval. You will have to identify the Unit Head (or an authorized delegate) for the department in which the system access will exist. This is the first approval. You will also have to identify someone at the college level, typically a Dean or Dean’s designee, to be the second approver. A third level of approval is required for UIC requests, which will require you to identify the Dean for the college in which the prohibited access will exist. The final approval is at the university level and is routed automatically based on the chart you select on the form.
You will also be required to identify the Unit Security Contact (USC) who will be responsible for processing your request in the Security Application after it is approved. The form will provide a link where you can look up your USC by searching with college and department codes. You can also perform that search now with the Find my USC tool.
Exception Request Demonstration
Please view this demo session for the new Internal Controls exception request process. The video outlines how to complete the request form and how to process the requests in the Security Application.