What Are Internal Controls?
Internal controls are measures that are put into place to manage risk and to provide reasonable assurance that the University’s objectives and goals will be achieved.
Internal controls help to:
- Conduct business in an effective and efficient manner
- Safeguard assets and resources
- Deter and detect errors, fraud, and theft
- Ensure the accuracy of accounting data
- Produce reliable and timely financial reporting
- Ensure compliance with University policies and applicable laws and regulations
Components of Internal Control
There are five components of internal control, some of which are discussed in more detail below.
- Control Environment – This sets the “tone at the top” and is the foundation for internal controls.
- Risk Assessment – Recognizing potential risks and ensuring that there are procedures to deal with them.
- Control Activities – Establishing policies and procedures to help ensure that management’s processes for mitigating risks are carried out.
- Information and Communication – Systems or processes that support the identification, capture, and exchange of information in a form and time frame that enables employees to carry out their responsibilities.
- Monitoring – Processes used to assess the quality of internal performance over time. Ongoing monitoring occurs in the ordinary course of operations and includes regular management and supervisory activities.
The “tone at the top” provides the foundation that includes the following elements:
- Demonstrates commitment to integrity and ethics
- Exercises oversight responsibility
- Establishes structure, authority, and responsibility
- Demonstrates commitment to competence
- Enforces accountability
There are four steps to risk assessment:
- Establish objectives – What do you want to achieve?
- Identify risk – What can happen?
- Plan risk management – What is your response?
- Plan for change – Implement control activities.
Internal Risk Factors
- New personnel
- Change in management responsibilities
- Revamped information systems
- New programs
- Student needs or expectations
External Risk Factors
- Economic environment
- New legislation or regulations
- New technology
- Natural disasters, criminal, or terrorist actions
- Community needs or expectations
- Vendor and contractor performance and reliability
The two main types of internal controls are preventive and detective controls.
Preventive Controls – These are designed to prevent errors and irregularities from occurring. They are proactive controls that help prevent a loss.
- Segregation of Duties
- Approvals, Authorizations, and Verifications
- Security of Assets
Detective Controls – These are designed to find errors and irregularities after they have occurred. They are after-the-fact controls.
- Reviews of Performance
- Physical Inventory Counts
While all employees play a role in internal controls, management is responsible for ensuring that internal controls are established, implemented, and operating as intended. Management is also responsible for periodically evaluating the existing internal controls in their department to make sure they are still functioning as intended.
Internal Audit’s Responsibility
Internal Audit provides an independent evaluation of the adequacy of internal controls. The office works with department heads to identify areas of risk and internal controls that are not working properly.