- Physically control access to your operation’s valuable assets - computers, iPads, mobile devices, cameras, chainsaws, lawnmowers and other equipment.
- Maintain an inventory and periodically review it to ensure all assets are on hand.
- Develop, document and implement a strategic plan that is aligned with the Department’s strategic plan to provide long-term perspective for service delivery and budgeting.
- Standard operating procedures should be documented and implemented for all critical functions and key business operations.
- Standard operating procedures should be maintained in a location where they can be accessed by all employees who need them to perform their job duties.
- Relevant standard operating procedures should be read by all employees when they begin work.
- Standard operating procedures should be reviewed and updated at least once per year, or more frequently whenever operations change.
- If your operation collects payments, comply with the Department’s cash management plan.
- Issue a pre-numbered receipt for every payment received and retain a carbon copy of every receipt. Use receipts in numerical order so that a missing or skipped number is immediately visible during reconciliation.
- Ensure that an employee who is not involved in the collection process reconciles the collection records with deposit information.
- Physically safeguard cash, checks and credit card information. Change the combinations to any safes or other storage areas immediately upon the termination or transfer of an employee with knowledge of the combinations.
Segregation of Duties
- Assign duties to different employees.
- Never let a single employee control a process from start to finish.
- Separate incompatible duties. Examples of pairings that should not rest with one person: authorizing the purchase of an asset and maintaining custody of that asset; requesting access to a system or data and granting or controlling that access; making a change to a system and migrating that change into the production environment.
Sensitive Data Protection
- Each system user should have their own unique login credentials, and those credentials should be changed periodically during the year.
- System users should not be allowed to share login credentials or complete work under another user’s login.
- Do not store sensitive data (client or personnel records, credit card data, SSNs and similar information) on local computers or on portable media such as external hard drives or thumb drives. Use the Department’s central storage platforms for such data.
- Control access to your operation’s servers and central data storage locations. Review the list of users who have access to your data at least twice a year, and remove access that is no longer needed.
- Encrypt and physically secure any media that contain Department data.
- Use virtual private network (VPN) technology to access the network when working outside of a Department location.
- Enable automatic, passphrase-protected screen savers on your computers, laptops and other devices, and lock the device whenever you step away from it.
Transaction Review and Approval
- Periodically review your operation’s expenses to ensure their validity and appropriateness (and to track whether or not you are operating within budget).
- Ensure that employees assigned to review and approve transactions are in a position to know whether or not they are related to a legitimate business expense.
- Ensure that employees assigned to review and approve transactions have the authority to disapprove or question specific expenses.