University administration is responsible for developing a strong internal control system that will ensure compliance with applicable laws, policies and procedures, adequately safeguard University assets, and ensure proper and accurate reporting of University activities. It is important to note that an audit does not relieve University administrators and employees of assigned responsibilities. Therefore, University management should not place reliance on an audit as an oversight control in lieu of management's supervisory oversight responsibilities.
What are the benefits of Internal Controls?
Key Internal Control Activities
Internal control is a process effected by a college or university's governing board, administration, faculty and staff designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
-
Effectiveness and efficiency of operations;
-
Reliability of financial reporting;
-
Compliance with applicable laws and regulations.
This definition reflects certain fundamental concepts:
-
Internal control is a process. It is a means to an end, not an end in itself.
-
Internal control is effected by people. It's not merely policy manuals and forms, but people functioning at every level of the institution. All personnel should be responsible to communicate problems in operations, deviations from established standards, and, violations of policy or law.
-
Internal control is geared to the achievement of objectives in several overlapping categories.
-
Internal control can be expected to provide only reasonable assurance to an organization's leaders regarding achievement of operational, financial reporting, and compliance objectives. It is not absolute assurance.
What are the Benefits of Internal Controls?
-
Internal controls help prevent errors and irregularities from occurring. If errors or irregularities do occur, internal controls will help ensure they are detected in a timely manner.
-
Internal controls encourage adherence to prescribed policies and procedures.
-
Internal controls protect employees: 1) by clearly outlining tasks and responsibilities, 2) by providing checks and balances, and, 3) from being accused of misappropriations, errors or irregularities.
Key Internal Control Activities
Segregation of Duties
Duties are divided, or segregated, among different people to reduce the risk of error or inappropriate actions. For example, responsibilities for receiving cash or checks, preparing the deposit to the Cashier's Office, and reconciling the deposit to the Cashier's receipt and Balances should be separated.
Structure
Organizational structure - lines of authority and responsibility - should be clearly defined so that employees know to whom to report performance of duties, problems and questions related to position and organization as a whole. An organization chart is a good means of defining this structure as long as it is kept up to date. Part of the structure is also the rules that employees must abide by. Written policies and procedures provide guidance to employees in carrying out their duties, provide for clear rules on allowable and expected activity, as well as providing means for enforcement. The department's lines of authority and policies and procedures should be reviewed periodically to ensure in line with the organization's strategic missions.
Authorization and Approval
Transactions should be authorized and approved to help ensure the activity is consistent with departmental or institutional goals and objectives. For example, a department may have a policy that all purchase requisitions and invoice vouchers must be approved by the director. The important thing is that the person who approves transactions must have the authority to do so and the necessary knowledge to make informed decisions.
Reconciliation and Review
Performance reviews of specific functions or activities may focus on compliance, financial or operational issues. Reconciliation involves comparing transactions or activity recorded to other sources to help ensure that the information reported is accurate. For example, revenue and expense activity recorded on accounting reports should be reconciled or compared to supporting documents to ensure that the transactions are recorded timely, in the correct account, and for the right amount.
Security
Security may be physical or electronic (information system controls), or both. Equipment, inventories, cash, checks and other assets should be secured physically, and periodically counted and compared with amounts shown on control records. For example, the periodic physical confirmation of equipment by individual departments is a physical security control. Virus detection software should be current and updated regularly to help protect integrity of systems. Hardware and access controls (passwords) should be changed periodically and rigorously safeguarded to protect from unauthorized access to database, computer systems, etc. Special physical and software controls (such as encryption software) should be developed for systems containing sensitive and/or confidential information.
Internal controls, no matter how well designed and operated, can provide only reasonable assurance regarding the achievement of objectives. The concept of reasonable assurance recognizes the cost of internal controls should not exceed the benefits derived and also recognizes evaluation of these factors requires estimates and judgement by management. For objectives related to the effectiveness and efficiency of operations, internal control can only help to ensure management is aware of the entity's progress or lack of it.
Limitations which may hinder the effectiveness of an otherwise adequate system of internal controls include:
-
resource constraints
-
inadequate skill, knowledge or ability
-
degree of motivation by management and employees
-
faulty judgments
-
unintentional errors
Additionally, controls can be circumvented by collusion of two or more people. Even more important to recognize, management has the ability to override the internal control system.
These factors, combined with changing needs and personnel, make it risky to project any evaluation of internal control to future periods. On an on-going basis, management must evaluate business risks and the controls needed to manage those risks and keep existing controls effective. Management evaluation generally leads to periodic adjustments and corrective action, which also helps assure the continuing effectiveness of the internal control system. (see Risk Assessment).
back to topResources
-
BPPM 10.04 - Internal Control
-
Quick Reference Guide - Internal Controls