Internal control consists of five interrelated components. These are derived from the way management runs an operation or function, and are integrated with the management process. Although the components apply to the entire University, small and mid-size departments may implement them differently than large ones. Its controls may be less formal and less structured, yet a small department can still have effective internal control. The internal controls components are:
• Control environment - The control environment sets the tone of an organization, influencing the control consciousness of its people. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the University.
• Risk assessment - Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.
• Control activities - Control activities are the policies and procedures that help ensure management directives are carried out. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
• Information and communication - Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports containing operational, financial and compliance-related information that make it possible to run and control the organization. Effective communication also must occur in a broader sense, flowing down, across and up the organization.
• Monitoring - Internal control systems need to be monitored - a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the President.
The internal control definition (with its underlying fundamental concepts of process, effected by people, providing reasonable assurance), together with the categorization of objectives and the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.
Why are internal controls important?
Internal controls are designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.
What can my department do?
Control activities include, but are not limited to, the following:
• Implement segregation of duties where duties are divided, or segregated, among different people to reduce risk of error or inappropriate actions. No one person has control over all aspects of any financial transaction.
• Make sure transactions are authorized by a person delegated approval authority when the transactions are consistent with policy and funds are available.
• Ensure records are routinely reviewed and reconciled, by someone other than the preparer or transactor, to determine that transactions have been properly processed.
• Make certain that equipment, inventories, cash and other property are secured physically, counted periodically, and compared with item descriptions shown on control records.
• Provide employees with appropriate training and guidance to ensure they have the knowledge necessary to carry out their job duties, are provided with an appropriate level of direction and supervision, and are aware of the proper channels for reporting suspected improprieties.
• Make sure university and departmental level policies and operating procedures are formalized and communicated to employees. Documenting policies and procedures and making them accessible to employees helps provide day-to-day guidance to staff and will promote continuity of activities in the event of prolonged employee absences or turnover.
Remember, everyone in the department has responsibility for internal control.
The above internal controls definition was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
How do I determine if my department’s internal controls are effective?
A&AS has developed the internal control self-assessment tool that your department can use to help you assess the effectiveness of your controls. This tool is comprised of multiple categories that you can choose to assess.
Please contact A&AS if you have any questions, or to schedule a meeting to discuss your results.