First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Is it really possible to control employees’ use of company computers?

All users of company IT systems are responsible for knowing and complying with company policies for acceptable usage, and conducting themselves accordingly when using company IT resources. Policies should address any risks you expect to encounter, including security, IT resource capacities, system responsiveness and throughput, and issues of potential legal liability to the company.

System access and acceptable use

Countless risks may result from inappropriate use of your company’s information technology resources: unauthorized for instance, system and data access, various system failures, and system compromise from virus attacks, spyware, Trojan Horses, worms, and other forms of malware. Your policies for appropriate IT use are intended to prevent exceeding planned and budgeted IT resource capacities and misuse of resources for non-business-related activities, such as viewing or collecting pornographic material, gambling, criminal pursuits, personal use and personal business pursuits unrelated to the business objectives of the company.

Other examples of misuse include, but are not limited to:

  • Using an account or user identifier that the user is not authorized to use
  • Interfering with the normal operation of any element of the company’s IT systems
  • Installing or running a program that may damage or interfere with the proper operation of IT systems
  • Attempting to bypass security or data protection schemes, or uncovering security loopholes
  • Violating terms of software licensing agreements or copyright laws
  • Accessing privileged data or software without the explicit consent of the owner

These activities may be more common than you like to think! Consider this case of a supervisor who circulated pornography to co-workers and vendors.

Data access and data protection

A worker may use various methods to access certain data. For example, a Microsoft Word document can be opened not only with Word but also with other basic document applications, such as Notepad and WordPad. However, modifying a Word document with these applications may permanently corrupt the file and make it inaccessible.

Similarly, for a relational database, there are various utilities and a native SQL language available to access or manipulate the data. Here also, accessing the database using available utilities may make some or all of the data unavailable to other applications.

Users must have a good understanding of the underlying data structure to view and especially to update the data with any program other than the one intended by the data designer. Simply viewing the data may not damage it, but this action may make the data unavailable to other applications for some period of time.

For data that is intended to be accessed by multiple users simultaneously, it is necessary to provide interfaces that allow multi-user access while maintaining data integrity and preventing data corruption. When a user needs to take a set of data offline for updating purposes, the data must be subjected to a check-out protection mechanism to prevent all other users from updating while the data is offline. When the updating user has completed updating and replacing the data, a check-in process frees up the data for other users to update. Without the check-out mechanism, any data updates done while the data is offline would be negated when the original user replaced the data. Most operating systems have the ability to lock data in this way.

Internet access

As the laptop, tablet and smartphone have become more ubiquitous than land-line telephones, it is becoming common to treat them in a similar manner: employees are expected to use them primarily for business purposes, but a limited amount of personal use is tolerated. One problematic area has been Internet access. Without clear rules, some will take advantage or engage in excessive non-productive activities. The need for rules will depend upon the corporate culture and other factors, such as the seniority of employees and their ability to understand implied limits. In many cases clear rules are necessary so that employees understand what is and is not appropriate.

Use of the web constitutes such an important tool for research that in many cases overly precise restrictions may be counter-productive. However, users must be clear that the Internet may not be used:

  • To access offensive material
  • To engage in activities that are risky to the user and company IT systems
  • To engage in activities that waste productivity and resources
  • To expose the company to embarrassment, violation of human rights codes or laws, or possible litigation by offended employees, clients or government agencies
  • For any commercial activity other than company business

Risky activities and productivity and resource-wasters on the Internet include unauthorized personal use, especially accessing dating, gambling and gaming sites, participating in chat rooms, shopping and downloading streaming audio, video and other files that use excessive network bandwidth. Downloading any files or enabling the execution of any active content downloaded from unknown Internet sites is especially risky since this can result in the import of malware onto company systems.


Policies can help you manage employees’ and others’ use of company IT resources, and dramatically reduce the potential risk to you and your assets. To do so effectively, however, it’s crucial to assess IT risks, understand your IT resources and goals, and clarify your users’ online activities and expected conduct before developing or updating IT policies and other internal controls.

Information Technology PolicyPro published by First Reference has the sample policies and commentaries you need to manage your employees company IT resources.

Follow me

Jeffrey Sherman

Chief financial officer, author, lecturer and professor focussing on corporate finance at Atrium Mortgage Investment Corporation, Canadian Mortgage Capital Corp., Trimel Pharmaceuticals Corporation, and Anagram Services
Jeffrey D. Sherman, BComm, MBA, CIM, FCA, is a director or CFO of several public companies and has had over 20 years of executive management experience. He is the author of Finance and Accounting PolicyPro, Not-for-Profit PolicyPro and Information Technology PolicyPro (guides to governance, procedures and internal control, all published by First Reference and the CPA). Read more
Follow me

, , , , , , , , , , , , , , , , ,

Comments are currently closed.