Click
here to
download the Internal Control Checklist. Please
visit our website from time to time for updated
versions of the Checklist.
An
internal control system is the process that an administrator uses to provide
reasonable assurance that the unit's goals and objectives will be achieved. It
is the management of business risks and is a dynamic process that changes as
personnel and circumstances change. The system includes organizational design,
written policies and procedures, actual operating practices, physical barriers
to protect assets and all personnel. The system should be designed to discourage
occurrences of errors or irregularities and to identify, within a reasonable
time frame, errors or irregularities that may occur. The internal control system
encompasses a variety of internal controls such as background checks of prospective
employees for sensitive positions to locking the door when the office is closed
for the evening. Although the internal control system is to be developed and
monitored by the unit administrator, the Office of Audit & Compliance Review
(OACR) is available to assist in reviewing the internal control system and making
suggestions for improvement.
The
internal control system provides for safeguarding of
assets, proper recording of transactions, and the efficient
and effective accomplishment of the unit's and university's
goals and objectives including compliance with federal,
state, and university rules and regulations.
RESPONSIBILITY
FOR INTERNAL CONTROLS
The
administrator who is responsible for the accomplishment
of goals and objectives is also responsible for establishment,
maintenance, and monitoring of the internal control
system which helps ensure the accomplishment of those
goals and objectives. He or she is responsible for
the sound financial condition of the unit, protection
of the university's assets including its human resources,
and compliance with federal, state, and University
rules, regulations, and procedures. He or she must
ensure that the funds entrusted to the unit are used
appropriately.
The
administrator may delegate some of the related duties
but cannot delegate accountability.
THE
IMPORTANCE OF GOOD INTERNAL CONTROLS
Good
internal controls are essential to assuring the accomplishment
of goals and objectives. They provide reliable financial
reporting for management decisions. They ensure compliance
with applicable laws and regulations to avoid the risk
of public scandals. Poor or excessive internal controls
reduce productivity, increase the complexity of processing
transactions, increase the time required to process
transactions and add no value to the activities.
Good
internal controls help ensure efficient and effective
operations that accomplish the goals of the unit and
still protect employees and assets.
COMPONENTS
OF INTERNAL CONTROLS
 Control
Environment
The control environment includes administrator's attitudes that are then reflected
in the employees' attitudes. An administrator's attitudes should support ethical
values and good business practices. An administrator should promote compliance
with university policies and procedures through his or her actions as well
as through unit policies and procedures. He or she should ensure that employees
also support ethical values and have the technical competence for the position.
Background checks should be performed prior to hiring for key positions. Policies
and procedures should be written, provided to all staff, and expectations for
compliance communicated to staff. There should be no tolerance for fraud or
conflicts of interests. Disciplinary action should be consistently applied
to all employees.
Administrators
must support compliance with university policies and
procedures if they expect employees to have that attitude.
Risk
Assessment
Administrators should identify and analyze the relevant risks to the achievement
of unit goals and objectives. He or she should determine what can go wrong,
what areas have the most risk, what assets are at risk, and who is in a position
of risk. Risks may include:
Public
scandal
Revenues
not received or if received, not recorded properly
Assets
(financial, personnel, space, personal property) not
used efficiently
Assets
(financial, personnel, space, personal property) not
used to accomplish unit goals and objectives
Assets
(financial, personnel, space, personal property) may
be diverted to personal use
Information
used for decision making is not reliable, timely, or
available
Methods
to control risks should be identified and the associated
costs analyzed and compared to the risk. For some risks,
there may not be reasonable controls or the cost of
controls may be prohibitive.
Uncontrolled
risks may result in insufficient resources to achieve
established goals through loss, misuse or mismanagement
of resources.
Control
Activities
Control activities are those activities that provide a "reasonable" level
of assurance that the unit's goals and objectives will be accomplished. Absolute
assurance is not possible due to costs, collusion, human error, and management's
ability to override controls. Control activities include
Authorization
to initiate or approve transactions should be limited
to specific personnel. Authorizations can be limited
by type of transactions or amount of transactions.
Separation
of duties provide that one employee does not
have the responsibility for all phases of a
transaction. Generally, an employee with physical
access to an asset should not also be responsible
for accounting records relating to that asset.
Assets
should be physically secured.
Access
to assets should be limited.
Reconciliations
of assets to accounting records
should be prepared periodically
and reconciling items should
be resolved timely.
Physical
assets should be counted periodically
and the results of the counts
compared to accounting records.
Discrepancies should be reported
to appropriate administrators
and investigated.
Transactions
should be properly documented
and the records retained in an
organized manner.
Control
activities are designed to provide a reasonable level
of assurance that the goals and objectives will be
accomplished.
Information
and communication system
The purpose of the information and communication system is to help ensure that
employees are aware of the unit's goals and objectives, how they are to be
accomplished, and who is responsible for the specific tasks to accomplish them.
The information and communication system must also provide administrators with
reports containing operational, financial, and compliance information to monitor
progress toward accomplishing established goals and objectives and to allow
administrators to make appropriate decisions. Information and communication
systems include:
The
university's written policies and procedures
The
unit's goals and objectives
The
unit's documented policies and procedures
Organization
charts
Position
descriptions
Performance
evaluations
Training
programs
Periodic
reports measuring progress toward the accomplishment
of goals and objectives
An
essential part of the internal control system is an
effective information and communication system that
ensures that employees know what they are supposed
to accomplish and how they are to do it.
Monitoring
Monitoring ensures that the internal control system is operating as expected.
It should be performed by supervisory personnel and focused on high-risk areas.
It identifies changes in circumstances that may require changes to the internal
control system. Monitoring activities include:
Spot
checks of transactions to ensure compliance with
policies and procedure
Reviews
of financial reports such as comparisons of budgeted
and actual revenues and expenditures and comparisons
of current and prior months or years activities
Reviews
of FLAIR departmental ledgers and related reconciliations
to departmental accounting records
Reviews
of outstanding encumbrances
Reviews
of high risk accounts or records including payroll pay
lists and employee leave records
Evaluations
of trends
Review
of supporting documentation
Surprise
cash and other asset counts
Documentation
of software licenses
Reviews
of tangible personal property and the related records
Follow
up of complaints, rumors and allegations
Where
internal controls are weak, increased compensating controls
such as supervisory reviews are necessary.
ESTABLISHING GOOD INTERNAL CONTROLS
Internal
controls should be proactive, value-added, and cost
effective. To establish good internal controls administrators
must:
Identify
the unit goals for operations as they relate to
the mission (education, research, and public service).
Identify
the unit goals for finance and administration (budgets
and human resource management).
Identify
the unit compliance goals.
Identify
and evaluate the risks and conflicts to the accomplishment
of those goals. This can be accomplished through discussions
with upper management and the Office of Audit & Compliance
Review or through benchmarking with similar units within
the university or with similar institutions.
Establish
written policies and procedures that minimize material
risks and conflicts and incorporate key internal controls.
Provide
the policies and procedures and appropriate training
to staff to encourage compliance.
In
the best case scenario, poor internal controls result
in increased bureaucracy, reduced productivity, increased
complexity, increased time to process transactions,
and increased non-value activities. In the worst case,
poor internal controls interfere with the accomplishment
of the unit's goals and objectives and allow for misuse
or abuse of assets.
FRAUD
Fraud
is a product of opportunity, pressures, and rationalization.
A system of good internal controls will keep opportunities
for fraud to a minimum and will, through appropriate
documentation and procedures, assist in the identification
of a person who commits fraud. The system protects the
university's assets and employees. Fraud symptoms include:
Missing
or altered documents to support transactions
Excessive
voided documents or transactions without supervisory
approval
Transactions
with inappropriate authorizations
Excessive
complaints from customers or other employees
Unusual
billing addresses or arrangements
Payments
based on photocopied invoices or fabricated invoices
Vendor
payments sent to an employees address
An
employee who
Is
living beyond his or her means
Can't to manage money
Doesn't take a vacation
Is dissatisfied with work
Is a take charge person
Has expensive habits
Has close relationships with customers or vendors
If
administrators feels that an employee may be misusing
funds, he or she should contact the Office of Audit & Compliance
Review rather than try to conduct an investigation.
The
presence of fraud symptoms does not mean that fraud
is occurring but fraud will not occur without at least
some of these symptoms. |
.jpg)
