Internal Controls

Internal control is defined as a process which provides reasonable assurance regarding the achievement of certain objectives:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with laws and regulations

This definition reflects certain fundamental concepts:

• Internal control is a process. It is a means to an end, not an end in itself.
• Internal control is not merely documented by policy manuals and forms. Rather, it is put in by people at every level of an organization.
• Internal control can provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
• Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

Internal Controls can be complex, but internal controls in their simplest form are anything we do to help us achieve our objects. We all use internal controls to some extent in our daily live, so consider the following examples:

• We lock our homes before we leave for work – the objective is to prevent unwanted entry into our homes, thus safeguarding our household contents.
• Would you leave your credit card or social security number where everyone would have access to them? You most likely would not – the objective is to prevent identity theft and loss of money.
• You keep your on-line banking password in your memory and not written on the back of your keyboard to prevent unwanted access to your funds – the objective is to safeguard your assets.
• Some install security/surveillance systems in their homes and businesses – the objective is to deter, prevent unwanted entry, thus safeguarding assets.

RETURN TO TOP

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework consists of five interrelated components: the control environment, risk assessment, control activities, communication and information, and monitoring. If any one of these primary components is not functioning properly or is weak, the entire internal control system may be compromised. (see COSO Internal Control Poster) Here is how each component relates to pg电子下载 State University:

Control Environment: The core of any university is its people – their individual attributes, including integrity, ethical values and competence – and the environment in which they operate. They are the foundation on which everything rests. The control environment sets the tone of the organization and is considered the foundation for all other components of internal control, providing discipline and structure.

Risk Assessment: pg电子下载 State University establishes academic, research and administrative objectives, integrated with revenue and cost containment goals. Risk assessment helps in identify, analyzing, and managing risks that could prevent the achievement of these objectives. Assessment may include looking at departmental routines, activities, and personnel to identify any potential problems. This forms the basis for determining how the risks should be managed.

Control Activities: Policies and procedures are necessary to help management control risks and ensure the specified goals are achieved. Control activities occur at all levels of the organization and include things such as performance reviews, functional or activity reviews, transaction reviews, reconciliations, processing controls, physical controls and segregation of duties.

Information and Communication: Surrounding these activities are information and communication systems. These systems enable the capture and exchange of information needed to conduct, manage, and control the University’s operations. An information system should provide information that is accurate and relevant to the right people in a timely fashion so that they may carry out their responsibilities.

Monitoring: The entire process should be monitored and modifications made if necessary. By doing so, internal controls can be adjusted dynamically and changed as conditions warrant.

Most internal controls can be classified as preventative, detective, or corrective.

Preventative controls are designed to avoid errors or irregularities from occurring initially which may have negative effects on the University. A few examples preventative controls include:

• Utilizing separation of duties for cash handling, which can be achieved by assigning different individuals to duties such as collecting cash, maintaining documentation, preparing deposits, and reconciling records.
• Reading and understanding University policies and procedures, such as timekeeping requirements for hourly employees helps prevent violations of the Federal Fair Labor Standards Act.
• Manager’s reviewing monthly credit card statements for the validity and appropriateness of purchases prior to approval prevents inappropriate expenditures.

Detective controls are designed to identify an error or irregularity after it has occurred. These controls are performed on a routine basis to identify any issues that pose potential risks to the University on a timely basis. A few examples of detective controls include:

• An exception report detects and lists incorrect or invalid entries or transactions.
• A comparison of validated cash receipt vouchers to monthly account detail will detect deposits posted to erroneous accounts.
• Taking an annual physical inventory of computer equipment stored in a particular place will determine if any items have been misplaced or stolen.
• Using a surveillance system helps to identify perpetrators.

Corrective controls are designed to correct errors or irregularities that have been detected. They also include any measure taken to repair damage or restore resources and capabilities to their prior state following an unauthorized or unwanted activity. They are usually put into place after understanding the reasons why an error or irregularity occurred in the first place. A few examples of corrective controls include:

• Disciplinary action taken by a supervisor as a result of an employee’s misconduct.
• New policies implemented or modification to existing policies prohibiting inefficient or insecure practices such as password sharing.
• Training employees on the proper procedures as part of corrective actions.

Unfortunately, processes and control activities are not perfect, and mistakes and problems will be found. There will always be inherent limitations to any system of internal control with humans involved such as human error or judgement, management override as well as collusion by two or more employees. People make mistakes and will often find weaknesses in the control procedures, whether by accident or with intent. While many circumstances may compromise the effectiveness of your internal control structure, the following list a few of the most common and serious of these that warrant special mention:

Inadequate Segregation of Duties – (The most common audit finding) – Separating responsibility for physical custody of an asset from the related record keeping is a critical control.

• Persons who can authorize purchase orders (Purchasing) should not be capable of processing payments (Accounts Payable).
• The person who prepares the deposit should not post the receipts to the customer accounts.
• The person who prepares the payroll voucher should not distribute or have custody of the payroll checks.

Inappropriate Access to Assets – Internal controls should provide safeguards for physical objects, restricted information, critical forms, and update applications.

• Persons who can authorize purchase orders (Purchasing) should not be capable of processing payments (Accounts Payable).
• Only authorized individuals should be issued keys for restricted areas.

Inadequate Knowledge of University Policies – The university is not a static environment – new policies and policy revisions are a part of our continual evolution. All University Policies and Procedures (see ASU Policies). Managers must stay abreast of these changes and understand their responsibilities.

Form Over Substance – Controls can appear to be well designed but still lack substance, as is often the case with required approvals.

• The account manager’s signature attests to the accuracy of the payroll voucher information, but if the account manager does not have assurance that the supporting time records are accurate, the approval process lacks substance.

Control Override – Exceptions to established policies are sometimes necessary to accomplish a specific task, but can pose a significant risk if not effectively monitored and limited.

• Thorough documentation and approval of all exceptions will help management ensure the availability of a clear explanation for unusual transactions or events. A periodic review of these exceptions also helps to identify the need for policy or procedural changes.

Limitations of Internal Controls – There is no such thing as a perfect control system. Staff size limitations may obstruct efforts to properly segregate duties, which requires the implementation of compensating controls to ensure that objectives are achieved. A limitation inherent in any system is the element of human error (misunderstandings, fatigue, and stress).

• A manager who encourages employees to take earned vacation time can improve operations through cross training while enabling employees to overcome or avoid stress and fatigue.

Everyone in the University has some responsibility for internal control. Some employees may produce information used in the internal control system or take other actions needed to effect control. University management is ultimately responsible for designing and maintaining an adequate system of internal control. COSO suggests that operating management perform a self-evaluation control review. Evaluating your internal controls provides assurance that the internal control system is effective and may take the form of self-assessments, where the responsible individuals from a particular unit or function determine the effectiveness of controls for their activities

The Office of Internal Audit has developed a self-assessment to assist you in evaluating internal controls. For additional information, see Self-Assessment.

Reference

Committee of Sponsoring Organization (COSO) Internal Control – Integrated Framework