3200-Internal Control
Definition
Control is defined as follows:
Internal control is broadly defined as a process effected by management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following overlapping categories:
· Effectiveness and efficiency of operations.
· Reliability of financial reporting.
· Compliance with applicable laws and regulations.
For a control to be effective, actual results must be compared to expected results or standards, and corrective action must be taken when indicated. An effective system of internal control should have the following characteristics:
· Establishment of standards;
· Measurement of actual performance;
· Analysis and comparison of actual results to standards;
· Implementation of a program of corrective actions; and
· Review and revision of the standards.
Controls should be economical in time as well as money and should measure performance in areas that are relevant to the planned result. Controls should also be timely and easily understood by the people using them. Good controls will reflect the goals of the department, indicate when the goals are not being achieved and measure the critical items - those that have the most impact on achieving goals.
The risk of failure and the potential effect must be considered along with the cost of establishing the control. Excessive control is costly and counterproductive. Too little control presents undue risk. There should be a conscious effort made to strike an appropriate balance.
Elements of Internal Control
Internal control consists of five interrelated components:
· Control Environment - The core of any institution is its people. Their individual attributes of integrity, ethics and competence and the environment in which they operate determine the success of the operation.
· Risk Assessment - Organizations must be aware of, and deal with, the risks that they face. They must set objectives that integrate key activities. They must also establish mechanisms to identify, analyze and manage the related risks.
· Control Activities - Control policies and procedures must be established and executed to help ensure that actions necessary to achieve the university objectives are effectively carried out.
· Information and Communication - Surrounding the control activities are information and communication systems. These enable the organization's people to capture and exchange the information needed to conduct, manage and control its operations.
· Monitoring - The entire process must be monitored and modified as necessary. Thus, the system can react dynamically to changing conditions.
To properly set the stage, the control environment is discussed first.
The Control Environment:
The control environment, as established by the organization's administration, sets the tone of an institution and influences the control consciousness of its people. Likewise, leaders of each department, area or activity establish a local control environment. This is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include:
· Integrity and ethical values;
· The competence of the organization's people;
· Leadership philosophy and style; and
· Assignment of authority and responsibility.
Risk Assessment:
Every organization faces a variety of risks from external and internal sources that must be assessed. A requirement of risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives. This forms the basis for determining how the risks should be managed. Because economic, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.
Control Activities:
Control activities are the policies and procedures that help ensure that the management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the organization's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Information and Communication:
Pertinent information must be identified, captured and communicated to appropriate personnel on a timely basis. Information systems produce reports containing operational, financial and compliance-related information. They deal not only with internally generated data, but also information concerning external events, activities and conditions.
Monitoring:
Internal control systems must be monitored - a process that assesses the quality of the system's performance over time. This is accomplished through ongoing activities and separate evaluations.
Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities and other actions that personnel take in performing their duties.
The scope and frequency of separate evaluations depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported to higher levels of management, with serious matters reported immediately to administration.
Segregation of Duties
One of the primary elements (or components) of internal control is the control activity of segregation of duties which requires that one individual should not have the ability to perform multiple phases of a transaction. The following sections describe the components of this concept.
Segregation of Duties:
When the work of one employee is checked by another, and when the responsibility for custody of assets is separate from the responsibility for maintaining the records relating to those assets, there is appropriate segregation of duties. This helps detect errors in a timely manner and deter improper activities; and at the same time, it should be devised to prompt operational efficiency and allow for effective communications. Segregation can be divided into three basic categories.
· Separation of the custody of assets from accounting.
· Separation of the authorization of transactions from the custody of related assets.
· Separation of duties within the accounting function.
Separation of the custody of assets from accounting. The reason for not permitting the person who has temporary or permanent custody of an asset, or of documents that govern physical control of an asset, to account for that asset is to protect against the risk of conversion to personal use, covered up by falsified records. Thus, in an IT system, for example, any persons performing the programming operating function should be denied access to all input records and should not have custody of assets that are accounted for under IT applications; in cases where this is not feasible, compensating controls must be instituted.
Separation of the authorization of transactions from the custody of related assets. For similar reasons it is desirable, whenever possible, to prevent persons who authorize transactions from having control over the related assets.
Separation of duties within the accounting function. In the least desirable accounting system, one employee records a transaction from its origin to its ultimate posting, maximizing the likelihood that unintentional errors will remain undetected and increasing the opportunity for irregularities.
In an automated system, segregation of duties is of a different nature than in manual systems, but it is of equal importance. Frequent cross-checking is unnecessary because of the computer's ability to perform consistently and uniformly, so the emphasis should be on the separation of responsibility for processing of data by computer operators, for custody of transaction and library files and for programming.