Internal Controls
An internal control system is the process that an administrator uses to provide reasonable assurance that the unit’s goals and objectives will be achieved. It is the management of business risks and is a dynamic process that changes as personnel and circumstances change. The system includes organizational design, written policies and procedures, actual operating practices, physical barriers to protect assets, and all personnel. The system should be designed to discourage occurrences of errors or irregularities and to identify, within a reasonable time frame, errors or irregularities that may occur.
Internal Audit tests/evaluates the effectiveness of internal controls through inquiry, observation, business process walkthroughs, inspection of relevant documentation and/or the re-performance of processes, specific procedures, calculations, etc. If internal controls are found to be lacking, Internal Audit will collaborate with the unit to develop stronger controls. Sometimes, stronger controls are cost-prohibitive. When that is the reality, management will have to identify and rely on compensating controls or accept the risk that some achievement objective will not be met.
The Importance of Good Internal Controls
Good internal controls are essential to assuring the accomplishment of goals and objectives. They provide reliable financial reporting for management decisions. They ensure compliance with applicable laws and regulations to avoid the risk of public scandals. Poor or excessive internal controls reduce productivity, increase the complexity of processing transactions, increase the time required to process transactions and add no value to the activities. Good internal controls help ensure efficient and effective operations that accomplish the goals of the unit and still protect employees and assets.
Responsibility for Internal Controls
The administrator who is responsible for the accomplishment of goals and objectives is also responsible for the establishment, maintenance, and monitoring of the internal control system, which helps ensure the accomplishment of those goals and objectives. He or she is responsible for the sound financial condition of the unit, protection of the university’s assets, including its human resources, and compliance with federal, state, and University rules, regulations, and procedures. He or she must ensure that the funds entrusted to the unit are used appropriately. The administrator may delegate some of the related duties, but cannot delegate accountability.
Components of Good Internal Controls
Control Environment
Administrators must support compliance with university policies and procedures if they expect employees to have that attitude.
Control Activities
Control activities are those activities that provide a “reasonable” level of assurance that the unit’s goals and objectives will be accomplished.
Control Communication
An essential part of the internal control system is an effective information and communication system that ensures that employees know what they are supposed to accomplish and how they are to do it.
Control Monitoring
Monitoring ensures that the internal control system is operating as expected. It should be performed by supervisory personnel and focused on high-risk areas. It identifies changes in circumstances that may require changes to the internal control system.
Risk Assessment
Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.
Types of Internal Controls
Preventive Controls
A preventive control is designed to deter or prevent errors, irregularities, or undesirable events from occurring.
- Separation of duties
- Management oversight
- System access controls
- Physical access controls
- Required supporting documentation
Detective Controls
A detective control is designed to detect and alert management to errors, irregularities, or undesirable events after they have occurred.
- Account reconciliation and review
- Trend analysis
- Budget vs. actual analysis
- Effective monitoring
- System audit trails
- Exception reports
- Complaints/tips/hotlines
- Mandatory vacations
- Job rotations
