Internal Controls

What Is Internal Control?

In the broadest possible sense, internal controls are the methods and procedures used to provide reasonable assurance that the organization's objectives and goals will be met. More specifically, an overall system of internal control is an integrated collection of control systems used by an organization. It is all the methods and measures adopted to accomplish the five major objectives of a system of internal controls. These objectives are to ensure:

  • the reliability and integrity of information;
  • compliance with policies, procedures, plans, laws and regulations;
  • the safeguarding of assets;
  • the economical and efficient use of resources; and
  • the accomplishment of established objectives and goals.

Internal controls are detective, corrective, or preventive by nature. Detective controls are designed to detect errors or irregularities that may have occurred. Corrective controls are designed to correct errors or irregularities that have been detected. Preventive controls, on the other hand, are designed to keep errors and irregularities from occurring in the first place. Controls may be automated, manual or hybrid.

Internal control consists of five interrelated components, each of which is an integral part of the management process and plays a specific role in departmental internal control procedures.

The control environment sets the tone of the organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the organization's people; management's philosophy and operating style; the way management assigns authority and responsibility; how it organizes and develops its human resources; and the attention and direction provided by the Board of Visitors.

Risk assessment is the identification and analysis of the risks relevant to the achievement of the organization's objectives. Assessment may include looking at departmental routines, activities, and personnel, identifying any potential problems. This forms the basis for determining how the risks should be managed.

Control activities are the policies and procedures that help assure management that its directives are implemented. Control activities occur at all levels of the organization and include things such as performance reviews, functional or activity reviews, transaction reviews, reconciliations, processing controls, physical controls and segregation of duties. More specifically, typical controls seen every day are:
 

  • Transaction Authorizations - to ensure that all transactions are approved by responsible personnel in accordance with their specific or general authority before the transaction is recorded. Examples: Authorized signatures should be on all purchase orders, travel vouchers, key request forms, etc.; validation that the person signing the form is an authorized signee for the department.
     
  • Documentation - all back-up documentation required is properly maintained.
     
  • Review For Completeness - to ensure that no valid transactions have been omitted from the accounting records.
     
  • Accuracy - to ensure that all valid transactions are accurate, consistent with the originating transaction data, and information is recorded in a timely manner. Examples: Comparison of book and bank balances and accounting for differences; comparison of time records to payroll payment records; monthly review of expenditures posted to the budget with expenditure documentation on hand.
     
  • Validity (fairly represents events) - to ensure that all recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management's general authorization. Example: Determination that expenditures are allowable per University and State guidelines.
     
  • Physical Safeguards - to ensure that access to physical assets and information systems is controlled and properly restricted to authorized personnel. Examples: Office doors are locked, when no one is present, to guard against theft of office furniture and equipment; periodic inventories are taken to confirm the existence of assets; to protect the integrity of the data, passwords are not shared or revealed.
     
  • Error Handling - to ensure that errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management.
     
  • Segregation Of Duties - to ensure that duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing a transaction. Examples: The petty cash custodian maintains funds and submits receipts for reimbursement; the review of receipts and approval of reimbursement is performed by someone other than the custodian; receipting, recording, and reconciliation of funds should not be under the complete control of one individual.

A well-designed process with appropriate internal controls should meet most, if not all, of these control objectives.

An information system should provide information that is accurate and relevant to the right people in a timely fashion so that they may carry out their responsibilities.

Monitoring is the process that assesses the quality of the system's performance over time. Ongoing monitoring is the daily review of reports, supervision and self-assessment. Separate evaluations external to the unit are carried out on a periodic basis.

Systems of internal control are beneficial to organizations because they provide an organized means of achieving goals and objectives. They also provide a measure of security and assurance to management that policies are being followed and assets are not being misused.

In an organization where controls are weak or non-existent, a number of problems can result, such as:
 

  • reduced quality of services or product,
  • unauthorized transactions,
  • inaccurate or incomplete information,
  • untimely reports,
  • assets that are not safeguarded, and
  • misappropriation of funds.

Who Is Responsible For Internal Control?

Everyone in the University has some responsibility for internal control. Some employees may produce information used in the internal control system or take other actions needed to effect control. University leaders are ultimately responsible for the establishment and maintenance of a system of internal controls and must assume ownership for the internal control systems in their areas of responsibility. University Policy No. 3010 defines the responsibilities for internal accounting controls at the University.

Internal and external auditors are responsible for making periodic reviews of internal controls to determine if they are functioning as intended.

Limitations of Internal Control

There are inherent limitations to any system of internal control. In the performance of the control procedures, errors can result from misunderstanding instructions, mistakes of judgment, carelessness, or other personal factors. Control procedures which require a segregation of duties can be circumvented by collusion. Similarly, control procedures can be circumvented intentionally by management. Over a period of time, with changing conditions, control procedures may deteriorate or become inadequate.