Guide to Internal Controls
ELEMENTS OF AN INTERNAL CONTROL SYSTEM
Internal controls are normally thought of as something of concern only to the Controller's Office and auditors. However, any area that authorizes use of resources, has control of assets, or provides information for the accounting records should also be concerned with internal controls, also known as management controls. All areas of an organization are subject to audit and need an internal control system in place to help minimize audit criticisms. Management must understand the importance of controls, the risks in circumventing the controls, and the ramifications of abusing controls.
Internal controls are systems, policies, procedures and practices that are used to detect or prevent errors of commission and omission. Internal controls should safeguard an entity's assets, which include accurate financial records. Internal controls also promote operational efficiency and encourage adherence to prescribed managerial policies and procedures as well as laws, rules and regulations. Effective internal control is a cornerstone of successful management. The following information is meant to assist in expanding the reader's knowledge of what an internal control system should encompass; it should aid in preventing adverse audit findings and strengthen management oversight in needed areas.
Management establishes and maintains the internal control system for the University. Management sets the tone, parameters and structures, but the responsibility of compliance belongs to all employees and their attitudes will help determine the success or failure of established controls. Management must demonstrate the importance of controls by ensuring their consistent application and show that compliance and controls are an integral part of the business operations.
Any control can be overridden by management. The risks associated with overrides must be assessed. Employees should be required to document any unusual request by management; preprinted forms may be used for such documentation. The use of such forms can provide a means for review of exceptions to controls. Top management needs to be aware that overrides may be more prevalent where there are decentralized branch operations, or areas of small operations making separation of duties difficult. Incentive programs can create an atmosphere for less than accurate records and/or inappropriate management overrides.
Although an adequate internal control system should prevent errors, an effective system will help detect errors when they occur within a reasonable time period. There are several tools available to assist in the design of an internal control system. These methods highlight strengths and weaknesses which may exist in the internal control system.
A successful internal control environment needs the cooperation of the employees, with executives and senior management taking the lead by setting personal examples of high ethical conduct. Because of the possibility of human error, a system may need redundant and/or compensating controls. The extent of additional controls should be determined through cost/benefit analysis. The design of a system must be well thought out, weighing compliance against cost/benefit. The risk of non-compliance and its results must also be weighed. Employees must understand they will not be penalized for decreased operating efficiency which may stem from complying with prescribed controls. Employee annual evaluations should include a section on adherence to established controls. In order to maximize the effectiveness of the internal control system, management needs to pay attention to employee feedback about what does and does not work. One set of controls may not govern every transaction. For example, high dollar transactions are inherently more risky and should be subject to more stringent controls.
An audit trail is a chain of evidence; it is the path from an original source document to its final entry in the accounting records. To establish an audit trail, all transactions, routine and non-routine, need to be documented, especially the non-routine exception transaction.
Document control is vital in assuring all transactions are recorded. The use of pre-numbered forms where appropriate, can assist as a control. All forms, including voided forms, must be accounted for. The manager needs to understand the flow of documents, which should be outlined in a manual. Written job descriptions should designate the roles of employees in document processing. As a processing phase is completed, it should be documented (initialed, dated, etc.). If a computer is completing some of the processing steps, computer access should be restricted to authorized users and applications; the program should contain controls and checks for completeness, limits, and reasonableness.
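The two checks described above, accounting for every pre-numbered form (including voided ones) and confirming that each completed processing phase is initialed and dated, can be run mechanically over a register of issued forms. The following is an added example written for this guide, not a program from the University or OIT; the form numbers, phase names and initials are constructed sample data, and the required phases are an assumption about how a particular office documents its flow.

```python
from collections import Counter
from dataclasses import dataclass, field

# Assumed processing phases that must each carry initials and a date
# on a processed form (a hypothetical office's document flow).
REQUIRED_PHASES = ("prepared", "reviewed", "posted")


@dataclass
class FormRecord:
    number: int
    status: str                      # "processed" or "voided"
    phases: dict = field(default_factory=dict)  # phase -> (initials, date)


def reconcile_forms(first, last, records):
    """Account for every number in the issued block first..last.

    Returns a dict of findings: numbers never seen (missing), seen more than
    once (duplicate), outside the issued block (out_of_range), voided forms
    (kept, since voids must be accounted for too), and processed forms that
    lack initials or a date for a required phase (incomplete).
    """
    seen = Counter(r.number for r in records)
    expected = set(range(first, last + 1))
    numbers = set(seen)
    findings = {
        "missing": sorted(expected - numbers),
        "duplicate": sorted(n for n, c in seen.items() if c > 1),
        "out_of_range": sorted(numbers - expected),
        "voided": sorted(r.number for r in records if r.status == "voided"),
        "incomplete": [],
    }
    for r in records:
        if r.status != "processed":
            continue  # voided forms carry no processing phases
        for phase in REQUIRED_PHASES:
            entry = r.phases.get(phase)
            if not entry or not entry[0] or not entry[1]:
                findings["incomplete"].append((r.number, phase))
    findings["incomplete"].sort()
    return findings


def done(*initials_and_dates):
    """Helper to build a complete phase dict for the sample data."""
    return dict(zip(REQUIRED_PHASES, initials_and_dates))


# Constructed sample register for a block of ten pre-numbered forms.
SAMPLE_BLOCK = (1001, 1010)
SAMPLE_RECORDS = [
    FormRecord(1001, "processed", done(("AB", "2024-03-01"), ("CD", "2024-03-02"), ("EF", "2024-03-03"))),
    FormRecord(1002, "voided"),
    # 1003 was posted without a documented review step
    FormRecord(1003, "processed", {"prepared": ("AB", "2024-03-04"), "posted": ("EF", "2024-03-05")}),
    FormRecord(1004, "processed", done(("AB", "2024-03-05"), ("CD", "2024-03-05"), ("EF", "2024-03-06"))),
    FormRecord(1004, "processed", done(("AB", "2024-03-05"), ("CD", "2024-03-05"), ("EF", "2024-03-06"))),
    # 1005 is absent from the register entirely
    FormRecord(1006, "processed", done(("AB", "2024-03-07"), ("CD", "2024-03-07"), ("EF", "2024-03-08"))),
    FormRecord(1007, "processed", done(("AB", "2024-03-08"), ("CD", "2024-03-08"), ("EF", "2024-03-09"))),
    FormRecord(1008, "processed", done(("AB", "2024-03-09"), ("CD", "2024-03-09"), ("EF", "2024-03-10"))),
    FormRecord(1009, "processed", done(("AB", "2024-03-10"), ("CD", "2024-03-10"), ("EF", "2024-03-11"))),
    FormRecord(1010, "processed", done(("AB", "2024-03-11"), ("CD", "2024-03-11"), ("EF", "2024-03-12"))),
    # 1011 lies outside the block this office was issued
    FormRecord(1011, "processed", done(("AB", "2024-03-12"), ("CD", "2024-03-12"), ("EF", "2024-03-13"))),
]

if __name__ == "__main__":
    for kind, items in reconcile_forms(*SAMPLE_BLOCK, SAMPLE_RECORDS).items():
        print(f"{kind:13s} {items}")
```

Each finding maps to a question the manager should be able to answer from the manual: a missing number means a form left the office without being recorded, a duplicate means the same number was used twice, and an incomplete phase means a step was performed without the initials and date that make it part of the audit trail.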
Auditors are using the computer more frequently in their audit techniques. Management should do the same. PC programs and specialized reports from OIT can be utilized to enhance the internal controls. This should be subject to cost/benefit analysis.
A standard audit technique is sampling, which means reviewing and/or testing a "sample of the whole." For example, if management has decided a particular transaction type requires two signatures, someone should periodically review several of the transactions (a random sample) to determine if two signatures are being obtained. If a particular operation is to be reviewed and initialed by someone, then a sample should be examined for such initials. Another example may be that every student file should contain a certain document. A sample of files should be reviewed for that purpose. The frequency of sampling will be determined by the volume and importance of the tested item. It will also be determined by the results of the sample. A large number of deviations would dictate more frequent and perhaps more extensive testing. The reviews and results should be documented; this will demonstrate to senior management and auditors that there is a commitment to efficient and effective operations.
Risk exposure worksheets can help with the design and evaluation of controls. They are used to determine the expected error or loss from one occurrence and the frequency with which this one occurrence is likely to be observed. The findings are subject to cost/benefit analysis.
A system of internal controls should recognize four major areas of risk:
Separation of duties is a key internal control concept. No single individual should have control over an entire transaction. The duties of authorization, custody of assets and record-keeping should be the responsibility of three different individuals. Duties are considered to be incompatible if one individual can perpetrate and conceal errors and irregularities in the course of performing day-to-day activities without detection. If adequate separation of duties is not possible due to lack of sufficient staff, vacations, etc., then there should be written evidence of increased supervisory oversight.
A formal organization of separation of duties must not be overridden by the informal day-to-day structure. Unlimited access to accounting records, computer terminals, and assets, along with pre-signed forms, after-the-fact authorization, new employees, and changes in procedures, will weaken the formal structure.
There is a risk in having an individual with a thorough knowledge and understanding of the entire system. Therefore, caution should be exercised in selecting individuals for cross training when it involves at least two of the above areas. Employees should be made aware of their control-related duties and the reasoning behind them.
Separation of duties is more difficult to achieve in a centralized, computerized environment. Compensating controls are needed, such as passwords, inquiry-only access, logs, edit checks, dual control of authorizations, exception reports, and reviews of input/output. Controls associated with passwords include having different levels of passwords, periodic expiration, deletion of accounts as employees terminate, and requiring users to log in again periodically throughout the day. Separation of duties within an information technology department is a critical component of safeguarding assets and vital records.
Separation of duties can only limit the possibility of problems arising due to incompatible duties. Collusion can occur, invalidating the control procedures in place. The manager needs to be aware of co-worker relationships, as well as relationships outside the office, and be alert to the possibilities of collusion.
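The rule stated above, that authorization, custody of assets and record-keeping for one transaction type should rest with three different individuals, and that any unavoidable overlap must be covered by documented supervisory oversight, can be checked against a duty-assignment table. The following is an added example written for this guide rather than code from the University; the processes, employee names and the "documented review" register are constructed sample data, and the three duty labels are an assumption about how an office would encode its assignments.

```python
# The three duties the guide treats as mutually incompatible when one
# person holds two or more of them for the same transaction type.
INCOMPATIBLE = frozenset({"authorize", "custody", "record"})


def find_sod_conflicts(assignments, documented_reviews=()):
    """Report every (process, employee) holding two or more incompatible duties.

    assignments: iterable of (process, employee, duty) triples.
    documented_reviews: (process, employee) pairs for which written evidence
        of increased supervisory oversight exists (the compensating control).
    Each conflict records which duties overlap, whether the person controls
    the entire transaction, and whether a compensating review is on file.
    """
    held = {}
    for process, employee, duty in assignments:
        held.setdefault((process, employee), set()).add(duty)

    reviews = set(documented_reviews)
    conflicts = []
    for (process, employee), duties in sorted(held.items()):
        overlap = duties & INCOMPATIBLE
        if len(overlap) < 2:
            continue
        conflicts.append({
            "process": process,
            "employee": employee,
            "duties": sorted(overlap),
            "entire_transaction": overlap == INCOMPATIBLE,
            "compensated": (process, employee) in reviews,
        })
    return conflicts


def uncompensated(conflicts):
    """Conflicts with no written supervisory oversight on file; these are the
    findings an auditor would raise first."""
    return [c for c in conflicts if not c["compensated"]]


# Constructed sample assignment table for three transaction types.
SAMPLE_ASSIGNMENTS = [
    ("purchasing",   "alice", "authorize"),
    ("purchasing",   "bob",   "custody"),
    ("purchasing",   "carol", "record"),
    # A two-person office: dave both approves and holds the cash.
    ("petty_cash",   "dave",  "authorize"),
    ("petty_cash",   "dave",  "custody"),
    ("petty_cash",   "erin",  "record"),
    # frank handles the whole student-fee transaction alone.
    ("student_fees", "frank", "authorize"),
    ("student_fees", "frank", "custody"),
    ("student_fees", "frank", "record"),
]

# Constructed register of documented supervisory reviews.
SAMPLE_REVIEWS = [("petty_cash", "dave")]

if __name__ == "__main__":
    found = find_sod_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_REVIEWS)
    for c in found:
        flag = "compensated" if c["compensated"] else "UNCOMPENSATED"
        print(f"{c['process']}: {c['employee']} holds {c['duties']} ({flag})")
```

The purchasing process produces no finding because the three duties sit with three people. The petty cash overlap is reported but marked as compensated because a documented review exists; the student fees case, where one person controls the entire transaction with no oversight on file, is the kind of finding the guide says leads to audit criticism. The check is only as good as the assignment table it is fed, and, as the paragraph above notes, it cannot detect collusion between separately assigned individuals.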
Procedures are needed to assure that transactions are authorized by management, acting within their scope of authority.
A well-designed internal control system that is actually followed cannot prevent every error, but it can reduce the probability that errors occur or go undetected. Many past audit findings are due to a lack of adequate internal controls, or to controls that are not followed. If you would like additional information regarding internal controls, contact the Office of Inspector General.
For more information on internal controls, refer to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), http://www.coso.org/; the Information Systems Audit and Control Association (ISACA), http://www.isaca.org/; and the Government Accountability Office, http://www.gao.gov/new.items/d011008g.pdf.