Types of Controls
- Preventive controls are proactive in that they attempt to deter or prevent undesirable events from occurring
- Corrective controls are put in place when errors or irregularities have been detected
- Detective controls provide evidence that an error or irregularity has occurred. These controls may also be referred to as mitigating controls. They help to reduce risk associated with a failure to implement preventive controls.
For example, if properly segregating duties is not possible due to limitations of staffing resources, random or independent reviews of transactions, after-the-fact approvals, or exception report reviews can mitigate the risk exposure. While preventive controls are preferred, detective controls are still critical to provide evidence that the preventive controls are functioning as intended.
Internal Control Activities
Proper Approvals, Authorization, and Verification (Preventive)
The action of approving transactions should not be taken lightly. An approval indicates that the supporting documentation is complete, appropriate, accurate, and in compliance with University policy and procedures. Unusual items should be questioned.
Persons approving transactions should have the authority to do so and the knowledge to make informed decisions.
Authorization should always be obtained from a higher-level supervisor of the employee. This would include Department Heads, Directors, Vice Presidents, Deans, etc. who ordinarily would have signatory authority over such transactions. No one should be allowed to approve payments to him/herself or to suppliers and vendors for expenses they have personally incurred on behalf of the University.
Access to confidential information must be relevant to work responsibilities (“need-to-know” access). Authorization and access privileges must be modified or deleted, as appropriate, immediately upon the transfer or termination of employees in order to protect the integrity of the internal control system. Examples of actions to take upon transfer or termination of an employee are as follows:
- Return of keys to buildings, offices, and vehicles
- Return and cancellation of a JPMC credit card
- Notification to the ID Card Office relative to building access privileges
- Notification to the Comptroller’s Office of change in signature authority
- Disable computer access privileges
The identity of all individuals involved in a process or transaction should be readily determinable to isolate responsibility for errors or irregularities. This is known as an audit trail and can take the form of signatures, initials, date/time stamps, computer login IDs, or other means of identification. The documents or IT records containing this information must be kept on file and available for examination for a reasonable time period, in line with the record retention policy.
Separation of Duties (Preventive)
No one person should be able to control a transaction or process from beginning to end without intervention or review by at least one other person. Specifically, an individual should not be in position to initiate, approve, undertake, and review the same action. This principle is not limited to financial activities alone (i.e., processing student grades). Involving two or more people to perform key responsibilities reduces the opportunity for misappropriation of funds or fraud. Examples include:
- Revenue: A single person should not handle cash and verify deposits. Ideally, three people are needed to properly segregate duties. One person receives the revenue and creates a receipt, another person prepares the deposit, and a third reconciles it to the general ledger monthly. If only two are available, the cashier can return the validated deposit slip to the first person to be compared to the receipts generated. If the receipts were for a payment on an account, the deposit process should be separated from posting the payment to the accounts receivable.
- Expenditure: One person should not process, approve, and reconcile expenditures. At minimum, the approval and reconciliation duties should be segregated.
- Payroll: Ideally, one person should input time, another approve, and a third reconcile. The person who adds new employees on payroll should not also enter and approve hours worked, distribute paychecks (direct deposit should be encouraged), and manage the departmental budget.
In all cases, independent post-transactional review or reconciliations by the person fiscally responsible for the budget should be performed to help achieve greater control.
Monthly reconciliations of the detailed transactions posted to accounts are one of the most important controls that can be performed. These reviews provide a system of checks and balances to detect fraud, theft, inappropriate use of funds, or human error. Additionally, these reviews will assist in assessing the effectiveness and efficiency of business practices.
Fiscal responsibility may be delegated to clerical, faculty, or administrative staff but ultimately is retained by Deans, Directors, and Department Heads who should at minimum:
- Review reconciliations for consistency and reasonableness
- Ensure reconciliations are timely and complete
- Follow-up on any questionable items or problems detected
Overall, the University is very fortunate to have honest, competent, and dedicated employees. And while the vast majority of employees are trustworthy, the University must have checks and balances in place to detect the small minority of employees who may not be. Management (i.e., Deans, Directors, Managers, Supervisors, etc.) needs to understand that ultimately the responsibility for oversight and review remains with them. Some of the types of fraudulent activity to be aware of include, but are not limited to, the following:
- Creation of fictitious invoices to substantiate fictitious business expenses for reimbursement
- Use of the JPMC credit card to buy personal items
- Entry of time into payroll for hours not worked
- Use of University resources (i.e., supplies, equipment, student labor, etc.) to benefit a private business in which faculty or staff have ownership interest
- Misappropriation of cash receipts
Management is responsible for ensuring that routine reviews of financial transactions are adequate to provide reasonable assurance this type of activity is detected on a timely basis. Indication that the reviews have taken place should be documented (i.e., initials or checklist). Any discrepancies should be investigated.
Reconciliations can also serve to provide insight into the pattern of revenues and expenses that may provide opportunities to streamline or improve business processes. Financial activity should be compared on a regular basis to budgeted and/or projected amounts. Variances can indicate changes in the particular business environment, which may warrant changing certain aspects of how business is conducted. Other variances could indicate that processing errors or fraudulent activities are occurring. A variance threshold should be established based on key financial indicators. Variances in excess of the threshold should be investigated.
Security/Safeguarding (Preventive and Detective)
All reasonable efforts should be made to safeguard the physical assets of the organization from the risk of loss or damage. Examples of these assets include:
- Cash, checks, securities
- Machinery, office equipment, furnishings, vehicles
- Computer hardware, software, databases
- Cell phones
- Important documents, financial transaction records, confidential files
- Inventories of goods for resale, tools, supplies
Accuracy of Data Entry (Preventive and Detective)
Original data entry into production computing systems should be checked, verified, or edited in some way to identify errors to ensure accuracy and reliability of the data. The most appropriate or efficient method will depend on the particular computing system and the type of data. Examples of methods commonly used include:
- Comparison of output reports to original data entry documents
- Built-in computer system edits to check for “reasonableness” of data in key fields
- Comparison of batch totals of certain statistical data to output reports of matching statistics