Guidelines to General Internal Controls
What are Internal Controls?
Internal controls are processes implemented by management to provide reasonable assurance measures are taken to:
- Safeguard University assets and resources from waste, fraud, accidental loss, or inefficiency
- Ensure the reliability and integrity of financial information. Internal controls deter and detect errors, fraud, and theft. Additionally, controls ensure that management has accurate, timely, and complete information in order to plan, monitor, and report business operations.
- Secure compliance with federal, state and local laws and regulations impacting the operations of our business.
- Promote efficient and effective performance by establishing an environment in which managers and staff can maximize efficiency and effectiveness of their operations to accomplish and monitor operational goals and objectives.
Why do we want them?
Controls minimize risk. Risks are the possibility that an organization will not:
- Achieve its goals
- Operate effectively and efficiently
- Protect itself from loss or fraud
- Provide reliable financial data
- Comply with laws and defined policies
Who is Responsible?
Everyone within the University has a role in internal controls. Roles vary depending on the level of responsibility of an individual.
- The Board of Trustees, Chancellor, and Senior Executives establish the presence of integrity, ethics, competence, and a positive control environment.
- Directors and Department Heads are responsible for the implementation, maintenance, and oversight of internal controls in their areas.
- Managers and Supervisors are responsible for ensuring policies and procedures are adhered to, including communicating the expectations and duties of staff as part of a control environment.
- All staff should be aware of proper internal control procedures within their specific job responsibilities.
- Internal Audit Services role is to examine the adequacy and effectiveness of the University’s internal controls and make recommendations where improvements are needed. In order to maintain independence and objectivity, the office does not have responsibility for establishing, implementing, or maintaining internal controls.
Framework for Internal Control – COSO
The framework of a good internal control system includes:
- Control environment: A sound control environment is established by the administration through communication, attitude, and example. This behavior sets the tone of an institution and is the foundation for all components of internal control. This includes a focus on:
- Integrity and ethical values
- Commitment to oversight of the development and performance of internal control
- Leadership philosophy and diligence in designing structures, reporting lines, and appropriate authorities for assigning responsibilities
- Competency of individuals
- Accountability of individuals for their internal control responsibilities
- Risk Assessment: Every entity faces risks from external and internal sources that must be assessed. An organization establishes objectives, identifies risks to the achievement of those objectives, and analyzes how the risks should be managed. This process is ongoing and a critical component of an effective internal control system.
- Control Activities: These are the policies and procedures that help ensure actions are taken to mitigate risks that impact the University’s objectives. The activities include approvals and authorizations, documentation and verifications, reconciliations, security of assets, and segregation of duties. All policies and procedures must be implemented thoughtfully, conscientiously, and consistently.
- Information and communication: The availability of relevant, quality information and clear communication of objectives, responsibilities, and expectations is paramount to a good internal control system.
- Monitoring and Reviewing: The system of internal control needs to be periodically reviewed by management. The scope and frequency depends on risks and effectiveness of monitoring procedures. By performing a periodic assessment, management assures that internal control activities have not become obsolete or lost due to turnover or other factors.
Internal Control Limitations
No matter how well internal controls are designed, they can only provide reasonable assurance that objectives will be achieved. Controls can break down through human error and judgment, or management override. Collusion, or individuals acting collectively, can also circumvent control systems. Internal control deficiencies should be reported to the Dean, Director, or Department Head. Serious concerns, or cases where the reporter wishes to remain anonymous should be reported using the EthicsPoint Confidential Hotline.
The most common replies from management for not implementing recommendations include: staff size limitations prevent efforts to properly segregate duties, the cost of implementing a control may exceeds the benefit of the control, or the systems have inherent limitations. These issues are not an excuse to ignore control concerns. In many cases compensating controls can be implemented. Internal Audit can assist in designing and establishing effective internal control systems that are feasible in your operations.