













Internal control promotes effectiveness and efficiency of operations, reduces the risk of asset loss, and helps to ensure compliance with laws and regulations.
Typology: Lecture notes














University’s system of internal controls.
Understanding Internal Controls applies to all University departments and operations. The examples of control activities contained in this guide are not presented as all-inclusive or exhaustive of all the specific controls appropriate in each department or unit. Over time, controls may be expected to change to reflect changes in our operating environment.
An effective control system provides reasonable, but not absolute, assurance of the safeguarding of assets, the reliability of financial information, and compliance with laws and regulations. Reasonable assurance is a concept that acknowledges that control systems should be developed and implemented to give management an appropriate balance between the risk of a particular business practice and the level of control required to ensure that business objectives are met. The cost of a control should not exceed the benefit to be derived from it.
The degree of control employed is a matter of good business judgment. When business controls are found to contain weaknesses, we must choose among the following alternatives:
The guidance presented in this document should not be considered to "stand alone." This guide should be used in conjunction with existing policies and procedures.
All employees of the University are responsible for managing internal controls. Each Group, Business Unit, or Department Head is specifically responsible for ensuring that internal controls are established, properly documented, and maintained in each organization.
There are many resources to assist employees in managing their internal control systems and processes. Primary resources include the campus Controller and the Internal Audit Department. In general, while all employees are responsible for the quality of their internal controls, Controllers are responsible for providing campus leadership to ensure that effective internal control and accountability practices are in place. Internal Audit is primarily responsible for assisting management in their oversight and operating responsibilities through independent audits and consultations designed to evaluate and promote the systems of internal control.
Risk is the probability that an event or action will adversely affect the organization. The primary categories of risk are errors, omissions, delays and fraud. In order to achieve goals and objectives, management needs to balance risks and controls effectively. Therefore, control procedures need to be developed so that they decrease risk to a level at which management can accept the remaining exposure. By performing this balancing act, "reasonable assurance" can be attained. As it relates to financial and compliance goals, being out of balance in either direction can cause the following problems:
Excessive Risks:
♦ Loss of assets, donors or grants
♦ Poor business decisions
♦ Noncompliance
♦ Increased regulations
♦ Public scandals
Excessive Controls:
♦ Increased bureaucracy
♦ Reduced productivity
♦ Increased complexity
♦ Increased cycle time
♦ Increase in no-value activities
In order to achieve a balance between risk and controls, internal controls should be proactive, value-added, cost-effective and address the exposure to risk.
There are generally three requirements for fraud to occur: motivation, opportunity and personal characteristics. Motivation is usually situational pressure in the form of a need for money, personal satisfaction, or a desire to alleviate a fear of failure. Opportunity is access to a situation in which fraud can be perpetrated, such as weaknesses in internal controls, the necessities of an operating environment, management styles and corporate culture. Personal characteristics include a willingness to commit fraud: the perpetrator's integrity and moral standards must be "flexible" enough to rationalize the fraud, perhaps as a need to feed their children or pay for a family illness.
It is difficult to influence an individual's motivation for fraud. Personal characteristics can sometimes be changed through training and awareness programs. Opportunity is the easiest and most effective requirement to address in order to reduce the probability of fraud. By developing effective systems of internal control, you can remove opportunities to commit fraud.
All five internal control components must be present to conclude that internal control is effective. The following diagram captures the internal control process and illustrates the ongoing nature of the process:
The control environment is the control consciousness of an organization; it is the atmosphere in which people conduct their activities and carry out their control responsibilities. An effective control environment is an environment where competent people understand their responsibilities, the limits to their authority, and are knowledgeable, mindful, and committed to doing what is right and doing it the right way. They are committed to following an organization's policies and procedures and its ethical and behavioral standards. The control environment encompasses technical competence and ethical commitment; it is an intangible factor that is essential to effective internal control.
A governing board and management enhance an organization's control environment when they establish and effectively communicate written policies and procedures, a code of ethics, and standards of conduct. Moreover, a governing board and management enhance the control environment when they behave in an ethical manner, creating a positive "tone at the top", and when they require that same standard of conduct from everyone in the organization.
Who is Responsible? Management is responsible for "setting the tone" for their organization. Management should foster a control environment that encourages:
Control Environment Tips
Effective human resource policies and procedures enhance an organization's control environment. These policies and procedures should address hiring, orientation, training, evaluations, counseling, promotions, compensation, and disciplinary actions. In the event that an employee does not comply with an organization's policies and procedures or behavioral standards, an organization must take appropriate disciplinary action to maintain an effective control environment. The control environment is greatly influenced by the extent to which individuals recognize that they will be held accountable.
Listed below are some tips to enhance a department's control environment. This list is not all-inclusive, nor will every item apply to every department; it can, however, serve as a starting point. Make sure that the following policies and procedures are available in your department (hard copy or Internet access):
♦ Administrative Procedures
♦ Business and Finance Bulletins
♦ Employee Handbook
♦ Purchasing Manual
♦ Personnel Memorandum
I. Determine Goals and Objectives
The central theme of internal control is (1) to identify risks to the achievement of an organization's objectives and (2) to do what is necessary to manage those risks. Thus, setting goals and objectives is a precondition to internal controls.
At the highest levels, goals and objectives should be presented in a strategic plan that includes a mission statement and broadly defined strategic initiatives. At the department level, goals and objectives should support the organization's strategic plan. Goals and objectives are classified in the following categories:
It is important that risk identification be comprehensive, at the department level and at the activity or process level, for operations, financial reporting, and compliance objectives. Both external and internal risk factors need to be considered. Usually, several risks can be identified for each objective.
Higher Risk Transaction Types
Below are some types of transactions that may pose higher risks to departments/colleges:
♦ Petty cash (if high volumes are processed)
♦ Assets with alternative uses
♦ Cash receipts (continuing education programs, gifts, endowments, special events, bookstore, athletic programs, performances, etc.)
♦ Consultant payments and other payments for services
♦ Travel expenditures
♦ Scholarships
♦ Payments to non-vendors
♦ Equipment delivered directly to the department
♦ Purchase exemptions (sole source)
♦ Payroll (rates, changes, terminations)
♦ Equipment
♦ Equipment moved off-location
♦ Software licensing issues
♦ Intellectual property
♦ Confidential information
♦ Grants (meeting terms, not overspending)
These are transaction types that deserve a conscious risk review.
Quantitative & Qualitative Costs
When evaluating the potential impact of a risk, both quantitative and qualitative costs need to be addressed. Quantitative costs include the cost of property, equipment, or inventory, cash dollar loss, damage and repair costs, the cost of defending a lawsuit, etc.
Qualitative costs can have wide-ranging implications for the University. These costs may include:
♦ Loss of public trust
♦ Loss of future grants, gifts and donations
♦ Injury to the school's reputation
♦ Increased legislation
♦ Violation of laws
♦ Default on a project
♦ Bad publicity
♦ Decreased enrollment
III. Risk Analysis
After risks have been identified, a risk analysis should be performed to prioritize those risks:
Prioritizing helps departments focus their attention on managing significant risks (i.e., risks with a reasonable likelihood of occurrence and a large potential impact).
Risk Assessment Tips
Listed below are tips to guide a department through its risk assessment:
Control activities are actions, supported by policies and procedures that, when carried out properly and in a timely manner, manage or reduce risks.
Who is Responsible? In the same way that managers are primarily responsible for identifying the financial and compliance risks for their operations, they also have line responsibility for designing, implementing and monitoring their internal control system.
Controls over Information Systems (Preventive and Detective). Controls over information systems are grouped into two broad categories: general controls and application controls. General controls commonly include controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance. Application controls, such as computer matching and edit checks, are programmed steps within application software; they are designed to help ensure the completeness, accuracy, authorization and validity of transaction processing. General controls are needed to support the functioning of application controls; both are needed to ensure complete and accurate information processing.
Control activities must be implemented thoughtfully, conscientiously, and consistently; a procedure will not be useful if performed mechanically without a sharp continuing focus on conditions to which the policy is directed. Further, it is essential that unusual conditions identified as a result of performing control activities be investigated and appropriate corrective action be taken.
Control Activities - Approvals ( Preventive )
An important control activity is authorization/approval. Authorization is the delegation of authority; it may be general or specific. Giving a department permission to expend funds from an approved budget is an example of general authorization. Specific authorization relates to individual transactions; it requires the signature or electronic approval of a transaction by a person with approval authority. Approval of a transaction means that the approver has reviewed the supporting documentation and is satisfied that the transaction is appropriate, accurate and complies with applicable laws, regulations, policies, and procedures. Approvers should review supporting documentation, question unusual items, and make sure that necessary information is present to justify the transaction-before they sign it. Signing blank forms should never be allowed.
Approval authority may be linked to specific dollar levels. Transactions that exceed the specified dollar level require approval at a higher level. Under no circumstances should an approver tell someone that they may sign the approver's name on the approver's behalf. Similarly, under no circumstances should an approver with electronic approval authority share their password with another person: the electronic approval is only evidence of review if the credential is used by one person. To ensure proper segregation of duties, the person initiating a transaction should not be the person who approves the transaction. A department's approval levels should be specified in a departmental policies and procedures manual.
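The approval rules above (dollar-level authority with escalation to a higher level, the initiator never approving their own transaction, approval only after the documentation has been reviewed) expressed as an enforceable check rather than a manual policy. This is an added example, not code from the original guide or from the University's systems; the role names, the approval limits, the user directory and the transaction fields are constructed assumptions.

```python
"""Added example: approval control with dollar-level authority and segregation of duties."""
from dataclasses import dataclass
from decimal import Decimal

# Hypothetical approval matrix (assumption): the largest amount each role may approve.
APPROVAL_LIMITS = {
    "supervisor": Decimal("5000"),
    "department_head": Decimal("50000"),
    "controller": Decimal("250000"),
}

# Constructed user directory (assumption). A real system reads roles from the
# identity provider, never from a value the requester or approver supplies.
USER_ROLES = {
    "alice": {"staff"},
    "bob": {"supervisor"},
    "carol": {"department_head"},
    "dan": {"controller"},
}


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    initiator: str
    amount: Decimal
    docs_reviewed: bool  # approver has examined the supporting documentation


class ApprovalError(Exception):
    """Raised when this approver must not approve this transaction."""


def new_transaction(txn_id, initiator, amount, docs_reviewed=True):
    """Build a Transaction from a string amount (exact decimal, no float rounding)."""
    return Transaction(txn_id, initiator, Decimal(amount), docs_reviewed)


def required_role(amount):
    """Lowest role whose limit covers the amount; larger amounts escalate upward."""
    amount = Decimal(amount)
    for role, limit in sorted(APPROVAL_LIMITS.items(), key=lambda kv: kv[1]):
        if amount <= limit:
            return role
    raise ApprovalError(f"amount {amount} exceeds every approval limit")


def approve(txn, approver):
    """Apply every approval condition; return the approval record or raise ApprovalError."""
    if txn.amount <= 0:
        raise ApprovalError("amount must be positive")
    # Segregation of duties: the person who initiated the transaction may not approve it.
    if approver == txn.initiator:
        raise ApprovalError("initiator may not approve their own transaction")
    # Approval asserts that the documentation was reviewed, not merely that a name was signed.
    if not txn.docs_reviewed:
        raise ApprovalError("supporting documentation has not been reviewed")
    # Dollar-level authority: the approver needs a role whose limit covers the amount.
    roles = USER_ROLES.get(approver, set())
    if not any(APPROVAL_LIMITS.get(r, Decimal("0")) >= txn.amount for r in roles):
        raise ApprovalError(
            f"{approver} lacks authority for {txn.amount}; "
            f"requires {required_role(txn.amount)} or higher"
        )
    return {"txn_id": txn.txn_id, "approved_by": approver, "amount": str(txn.amount)}


if __name__ == "__main__":
    t = new_transaction("T-100", "alice", "12000")
    for who in ("alice", "bob", "carol"):
        try:
            print(approve(t, who))
        except ApprovalError as e:
            print(f"{who}: rejected ({e})")
```

Run stand-alone, the example rejects alice (own transaction), rejects bob (a supervisor cannot approve 12,000 against a 5,000 limit) and accepts carol. The point is that the checks run in the approval path itself, so a shared password or a "sign for me" arrangement still leaves an auditable record naming the account that approved.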
Control Activities - Reconciliations ( Detective )
Broadly defined, a reconciliation is a comparison of different sets of data to one another, identifying and investigating differences, and taking corrective action, when necessary, to resolve those differences. Reconciling monthly financial reports from the Accounting Department (e.g., Statement of Accounts, Ledger Sheets, etc.) to file copies of supporting documentation or departmental accounting records is an example of reconciling one set of data to another. This control activity helps to ensure the accuracy and completeness of transactions that have been charged to a department's accounts. To ensure proper segregation of duties, the person who approves transactions or handles cash receipts should not be the person who performs the reconciliation. Another example of a reconciliation is comparing vacation and sick leave balances per departmental records to vacation and sick leave balances per the payroll system. A critical element of the reconciliation process is resolving differences. It does no good to note differences and do nothing about them. Differences should be identified, investigated, and explained, and corrective action must be taken. If an expenditure is incorrectly charged to a department's accounts, the approver should request a correcting journal entry, and the reconciler should confirm that the correcting journal entry was posted. Reconciliations should be documented and approved by management.
Control Activities - Reviews ( Detective )
Reviewing reports, statements, reconciliations, and other information by management is an important control activity; management should review such information for consistency and reasonableness. Reviews of performance provide a basis for detecting problems. Management should compare information about current performance to budgets, forecasts, prior periods or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions which require follow-up. Management's review of reports, statements, reconciliations, and other information should be documented as well as the resolution of items noted for follow-up.
Control Activities – Information Systems
University employees use a variety of information systems: mainframe computers, local area and wide area networks of minicomputers and personal computers, single-user workstations and personal computers, telephone systems, video conference systems, etc. The need for internal control over these systems depends on the criticality and confidentiality of the information and the complexity of the applications that reside on the systems. There are basically two categories of controls over information systems: (1) General Controls and (2) Application Controls.
General controls apply to entire information systems and to all the applications that reside on the systems.
General Controls Include:
♦ Access Security, Data & Program Security, Physical Security
♦ Software Development & Program Change Controls
♦ Data Center Operations
♦ Disaster Recovery
General controls consist of practices designed to maintain the integrity and availability of information processing functions, networks, and associated application systems. These controls apply to business application processing in computer centers by ensuring complete and accurate processing. These controls ensure that correct data files are processed, processing diagnostics and errors are noted and resolved, applications and functions are processed according to established schedules, file backups are taken at appropriate intervals, recovery procedures for processing failures are established, software development and change control procedures are consistently applied, and actions of computer operators and system administrators are reviewed. Additionally, these controls ensure that physical security and environmental measures are taken to reduce the risk of sabotage, vandalism and destruction of networks and computer processing centers.
Finally, these controls ensure the adoption of disaster planning to guide the successful recovery and continuity of networks and computer processing in the event of a disaster.
Applications are the computer programs and processes, including manual processes, that enable us to conduct essential activities: buying products, paying people, accounting for research costs, and forecasting and monitoring budgets.
Application controls apply to computer application systems and include input controls (e.g., edit checks), processing controls (e.g., record counts), and output controls (e.g., error listings); they are specific to individual applications.
Application Controls Include: Programmed Procedures Within Application Software
♦ Input Controls (Data Entry) -Authorization -Validation -Error Notification and Correction
♦ Processing Controls
♦ Output Controls
They consist of the mechanisms in place over each separate computer system that ensure that authorized data is completely and accurately processed. They are designed to prevent, detect, and correct errors and irregularities as transactions flow through the business system. They ensure that the transactions and programs are secured, the systems can resume processing after some business interruption, all transactions are corrected and accounted for when errors occur, and the system processes data in an efficient manner.
Electronic Data Interchange, Voice Response, and Expert Systems are types of applications that may require certain controls in addition to general application controls.
When a department decides to purchase or develop an application, department personnel must ensure the application includes adequate application controls: (1) input controls, (2) processing controls, and (3) output controls.
Input controls ensure the complete and accurate recording of authorized transactions by only authorized users; identify rejected, suspended, and duplicate items; and ensure resubmission of rejected and suspended items. Examples of input controls are error listings, field checks, limit checks, self-checking digits, sequence checks, validity checks, key verification, matching, and completeness checks.
Processing controls ensure the complete and accurate processing of authorized transactions. Examples of processing controls are run-to-run control totals, posting checks, end-of-file procedures, concurrency controls, control files, and audit trails.
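The input controls listed above (field checks, a limit check, sequence and duplicate checks, a completeness check, a validity check against a reference list, and a self-checking digit), the run-to-run control totals and audit trail named under processing controls, and the reconciliation control described under Control Activities - Reconciliations, all applied to one constructed batch of vendor payments. This is an added example, not code from the original guide or from any University system; the batch contents, the authorized vendor list, the single-payment limit and the choice of a mod-10 (Luhn) check digit for account numbers are assumptions.

```python
"""Added example: application controls over a constructed batch of vendor payments."""
from decimal import Decimal, InvalidOperation

# Constructed input batch (assumption). Each record has a sequence number, a vendor
# account number whose last digit is a mod-10 (Luhn) check digit, and an amount.
# Several records are deliberately defective so that each control fires.
BATCH = [
    {"seq": 1, "account": "79927398713", "vendor": "V001", "amount": "250.00"},
    {"seq": 2, "account": "79927398713", "vendor": "V002", "amount": "4999.99"},
    {"seq": 3, "account": "79927398710", "vendor": "V001", "amount": "10.00"},     # bad check digit
    {"seq": 4, "account": "79927398713", "vendor": "V999", "amount": "30.00"},     # vendor not on file
    {"seq": 6, "account": "79927398713", "vendor": "V002", "amount": "75000.00"},  # sequence gap, over limit
    {"seq": 6, "account": "79927398713", "vendor": "V002", "amount": "75000.00"},  # duplicate of previous
    {"seq": 7, "account": "79927398713", "vendor": "V001", "amount": ""},          # incomplete
]
AUTHORIZED_VENDORS = {"V001", "V002"}     # reference list for the validity check (assumption)
SINGLE_PAYMENT_LIMIT = Decimal("50000")   # threshold for the limit check (assumption)


def luhn_valid(digits):
    """Self-checking digit: mod-10 (Luhn) check over the whole account number."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, subtracting 9 if > 9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def input_controls(batch):
    """Input controls: accept clean records, produce an error listing for the rest."""
    accepted, errors, seen, expected_seq = [], [], set(), 1
    for rec in batch:
        problems = []
        if rec["seq"] != expected_seq:                          # sequence check
            problems.append(f"sequence: expected {expected_seq}, got {rec['seq']}")
        expected_seq = rec["seq"] + 1
        key = (rec["seq"], rec["account"], rec["vendor"], rec["amount"])
        if key in seen:                                         # duplicate check
            problems.append("duplicate item")
        seen.add(key)
        if not rec["amount"]:                                   # completeness check
            problems.append("completeness: amount missing")
        else:
            try:
                amt = Decimal(rec["amount"])
            except InvalidOperation:                            # field check (format)
                amt = None
                problems.append("field check: amount not numeric")
            if amt is not None and amt <= 0:
                problems.append("field check: amount must be positive")
            if amt is not None and amt > SINGLE_PAYMENT_LIMIT:  # limit check
                problems.append(f"limit: exceeds {SINGLE_PAYMENT_LIMIT}")
        if not luhn_valid(rec["account"]):                      # self-checking digit
            problems.append("field check: account check digit invalid")
        if rec["vendor"] not in AUTHORIZED_VENDORS:             # validity check
            problems.append("validity: vendor not on authorized list")
        if problems:
            errors.append({"seq": rec["seq"], "problems": problems})
        else:
            accepted.append(rec)
    return accepted, errors


def control_totals(records):
    """Record count and amount hash total, carried from one processing run to the next."""
    return len(records), str(sum(Decimal(r["amount"]) for r in records))


def post_payments(records, ledger):
    """Processing controls: post to the ledger, keep an audit trail, verify run-to-run totals."""
    before = control_totals(records)
    audit_trail = []
    for r in records:
        ledger[r["vendor"]] = ledger.get(r["vendor"], Decimal("0")) + Decimal(r["amount"])
        audit_trail.append({"seq": r["seq"], "vendor": r["vendor"], "amount": r["amount"]})
    after = control_totals(audit_trail)
    if before != after:  # a dropped or double-posted record surfaces here
        raise RuntimeError(f"run-to-run control totals differ: {before} != {after}")
    return audit_trail


def reconcile(ledger, department_records):
    """Detective control: compare ledger balances to departmental records, vendor by vendor."""
    differences = {}
    for vendor in sorted(set(ledger) | set(department_records)):
        posted = ledger.get(vendor, Decimal("0"))
        recorded = Decimal(department_records.get(vendor, "0"))
        if posted != recorded:
            differences[vendor] = {"ledger": str(posted), "department": str(recorded),
                                   "difference": str(posted - recorded)}
    return differences


if __name__ == "__main__":
    accepted, errors = input_controls(BATCH)
    for e in errors:
        print("rejected", e)
    ledger = {}
    post_payments(accepted, ledger)
    print("control totals:", control_totals(accepted))
    print("differences:", reconcile(ledger, {"V001": "250.00", "V002": "4000.00"}))
```

Only the first two records pass; the error listing is what goes back for correction and resubmission, and the control totals taken before and after posting are the evidence that nothing was lost or duplicated in between. The reconciliation at the end reports the one vendor whose departmental record disagrees with the ledger so that someone can investigate it, which is the step the text says must not be skipped.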
When assessing internal control over a significant activity (or process), the key questions to ask about information and communication are as follows:
Information and communication are simple concepts. Nevertheless, communicating with people and getting information to people in a form and timeframe that is useful to them is a constant challenge. When completing a Business Controls Worksheet for a significant activity (or process) in a department, evaluate the quality of related information and communication systems.
Monitoring is the assessment of internal control performance over time; it is accomplished by ongoing monitoring activities and by separate evaluations of internal control such as self-assessments, peer reviews, and internal audits. The purpose of monitoring is to determine whether internal control is adequately designed, properly executed, and effective. Internal control is adequately designed and properly executed if all five internal control components (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring) are present and functioning as designed. Internal control is effective if management and interested stakeholders have reasonable assurance that:
While internal control is a process, its effectiveness is an assessment of the condition of the process at one or more points in time.
Just as control activities help to ensure that actions to manage risks are carried out, monitoring helps to ensure that control activities and other planned actions to effect internal control are carried out properly and in a timely manner, and that the end result is effective internal control. Ongoing monitoring activities include various management and supervisory activities that evaluate and improve the design, execution, and effectiveness of internal control. Separate evaluations, on the other hand, such as self-assessments and internal audits, are periodic evaluations of internal control components resulting in a formal report on internal control. Department employees perform self-assessments; internal auditors, who provide an independent appraisal of internal control, perform internal audits.
Management's role in the internal control system is critical to its effectiveness. Managers, like auditors, don't have to look at every single piece of information to determine that the controls are functioning and should focus their monitoring activities in high-risk areas. The use of spot checks of transactions or basic sampling techniques can provide a reasonable level of confidence that the controls are functioning as intended.