Internal Controls

As defined by the Institute of Internal Auditors, internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following areas:

• Compliance with policies, procedures, contracts, laws, and regulations
• Accomplishment of goals and objectives
• Reliability and integrity of financial data
• Economical, effective, and efficient use of resources
• Safeguarding of assets

Management is responsible for the design and ongoing maintenance and monitoring of internal controls. Internal audit evaluates and assesses the controls.

Types of Internal Controls

Preventive Controls – procedures designed to prevent errors/irregularities from occurring

• Authorization/approvals
• Separation of duties
• Management oversight
• System access controls
• Physical access controls
• Required supporting documentation

Detective Controls – procedures designed to detect errors/irregularities after transaction processing

• Account reconciliation and review
• Trend analysis
• Budget vs. actual analyses
• Effective monitoring
• System audit trails
• Exception reports
• Complaints/tips/hotlines
• Mandatory vacations
• Job rotations

Internal Audit tests/evaluates the effectiveness of internal controls through inquiry, observation, business process walkthroughs, inspection of relevant documentation and/or the re-performance of processes, specific procedures, calculations, etc. If internal controls are found to be lacking, Internal Audit will work with the unit to develop stronger controls. Sometimes stronger controls are cost prohibitive. When that is the reality, management will have to identify and rely on compensating controls or accept the risk that some achievement objective will not be met.