As defined by the Institute of Internal Auditors, internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following areas:
- Compliance with policies, procedures, contracts, laws, and regulations
- Accomplishment of goals and objectives
- Reliability and integrity of financial data
- Economical, effective, and efficient use of resources
- Safeguarding of assets
Management is responsible for the design and ongoing maintenance and monitoring of internal controls. Internal audit evaluates and assesses the controls.
Types of Internal Controls
Preventive Controls – procedures designed to prevent errors/irregularities from occurring
- Separation of duties
- Management oversight
- System access controls
- Physical access controls
- Required supporting documentation
Detective Controls – procedures designed to detect errors/irregularities after transaction processing
- Account reconciliation and review
- Trend analysis
- Budget vs. actual analyses
- Effective monitoring
- System audit trails
- Exception reports
- Mandatory vacations
- Job rotations
Internal Audit tests and evaluates the effectiveness of internal controls through inquiry, observation, business process walkthroughs, inspection of relevant documentation, and/or re-performance of processes, specific procedures, calculations, etc. If internal controls are found to be lacking, Internal Audit will work with the unit to develop stronger controls. Sometimes stronger controls are cost-prohibitive. When that is the case, management will have to identify and rely on compensating controls or accept the risk that some objective will not be achieved.
- Segregation of duties.
- Supervisory review and approval.
- Management oversight/supervision.
- Safeguard assets.
- Perform periodic audits.
- Documented policies and procedures that are relevant, adequate, effective, and updated.
- Orientation, training, and awareness programs – informative and ongoing.
- Attend trade shows, conferences, and seminars for continuing professional development.
- Timely reconciliations performed on a regular basis and reviewed and approved by a supervisor.
- Perform analyses and reviews to determine trends, transactions, budget vs. actual.
- Perform cost/benefit analyses.
- Embrace the budget planning process.
- Review financial transactions regularly.
- Hire competent personnel.
- Perform background checks – credentials, references, criminal record.
- Establish measurable goals and performance objectives.
- Communicate expectations to staff.
- Conduct performance assessments/evaluations.
- Establish consequences for noncompliance.
- Build collaborative partnerships.
- Create an independent/objective oversight committee.
- Conduct regular inspections of facilities, equipment, inventory, etc.
- Monitor work hours, vacations, sick leave, overtime, and comp time reported.
- Access – secured, limited, controlled, monitored.
- Back up data regularly.
- Develop and test a disaster recovery plan.
- Develop and test an emergency preparedness plan.
- Establish a backup or contingency plan.
- Assign responsibility.
- Document conflict of interest disclosures.
- Develop and update strategic plans.
- Benchmark with other universities, university departments with similar functions, etc.
- Use surveys or solicit feedback.
- Perform safety inspections.
- Conduct a physical security assessment.
- Promote and uphold ethical 'tone at the top'.