Personnel Controls
Safe and sound IT operations demand appropriate, skilled
personnel in addition to suitable technology. Operations
management, in coordination with the human resources function,
should ensure employee recruitment, hiring, and placement processes
provide for thorough applicant screening and background checks at
the time of employment. If IT operations are sensitive, background
checks should be updated periodically during employment.
Staff stability is important to employee morale and operations
effectiveness. High employee turnover can disrupt workflow, degrade
service and production quality, and increase training resource
demands. To the extent possible, management should seek to minimize
employee turnover. Clearly defined duties, responsibilities,
expectations, and accountability may help minimize employee
turnover.
Organizational structure should include dual controls and
separation and rotation of duties where appropriate and feasible.
Internal control procedures, dual control, and rotation of duties
facilitate cross-training, improve depth of personnel skill, and
support succession. In addition to serving as a quality control mechanism,
separation of duties deters employee dishonesty, fraud, or
intentional harm to equipment, systems, and data.
Management should
organize functional duties so no one person performs a process from
beginning to end or checks the accuracy of his or her own work.
Except in emergencies, computer operators should not perform duties
other than those directly relating to equipment operation. For
example, computer operators should not perform data preparation
activities, such as reject re-entry, general ledger balancing, or
unposted items settlement.
Adequate separation of duties is a challenge in smaller
institutions. In such circumstances, rotation of duties can be an
effective mitigating control. Management should closely review and
monitor individual performance and activities in these situations
to provide effective supervision, facilitate training, and serve as
a validation of control effectiveness.