- What are internal controls?
- What is the purpose of internal controls?
- Are there different types of internal controls?
- Are internal auditors responsible for internal controls?
- How can I be sure that my department has sufficient internal controls?
- What is segregation of duties?
What are internal controls?
A control is any policy, procedure, practice, or mechanism designed to provide reasonable assurance that the organization’s objectives will be achieved. This includes controls designed to safeguard assets, ensure the timeliness, accuracy and reliability of financial and management reporting and to promote operational efficiency, effectiveness and compliance with all applicable laws, regulations, policies and procedures. Controls can generally be classified as preventive, detective, compensating or steering. Preventive controls are designed to avoid errors or irregularities. Detective controls are designed to identify errors or irregularities after they have occurred so corrective action can be taken. Compensating controls are designed to provide reasonable assurance where resource limitations preclude the implementation of more direct controls. Steering controls (i.e. policies) are designed to guide actions towards the desired objectives.
Control activities are designed to meet specific risk-reduction objectives and generally fit within the following categories:
Documentation – All policies and procedures should be formally documented to ensure they are applied consistently by all staff and that the unit will not suffer unnecessarily by the departure of knowledgeable employees. Management decisions and financial transactions should be documented to provide reasonable assurance that University assets are adequately controlled and transactions are correctly recorded. Documentation should be retained in accordance with University policies.
Authorization – Approval authority should be commensurate with the nature and significance of the transactions and in compliance with University policy. Approval should only be given following a thorough review of supporting information to verify the propriety, accuracy and validity of transactions. Authorizations and delegations of signing authority should be documented in writing.
Reconciliations and Reviews – These should be performed at regular intervals by senior department personnel to ensure that controls are operating effectively and to uncover any errors or irregularities. Department heads and should reconcile and review Budget control reports at least monthly for accuracy, correct account classification, compliance with applicable policies/procedures and propriety. Principal Investigators/ Project coordinators should perform the same function using Budget control Reports.
Personnel – Competence and integrity should be stressed for all employees. They should be adequately trained and supervised and receive written position descriptions to document their assigned authority and responsibility.
Access Restrictions – Access to physical assets and records should be physically restricted to only those who are authorized and require access. Access to electronic information and processes should be further restricted by the appropriate use of passwords and restricted user account profiles. These measures limit the risk of asset misappropriation, tampering or other misuse.
Segregation of Duties – At a minimum, to prevent errors and irregularities individuals should not have responsibility for more than one of the three components of a transaction: initiation, processing and reconciliation. Where staffing levels permit, it is preferable to segregate all three components.
Designing an Effective Control Environment
Control procedures should be established for every business process to minimize the potential risks to the achievement of unit objectives.
It is the responsibility of management to ensure that appropriate controls are implemented and functioning to support achievement of unit objectives. When determining which controls should be implemented, the cost of the control should not exceed the expected benefit of having it in place. In some cases, it may be necessary to implement compensating controls to address inherent limitations within the unit (e.g. where staffing levels are inadequate for a full segregation of incompatible duties, a unit may establish a compensating periodic trend analysis to identify unusual activity).
It is the responsibility of the Internal Audit Office to provide independent evaluations of the adequacy and effectiveness of key controls during the course of audit reviews and to report the results, including recommendations for improvement, to the unit head(s), their direct report(s), the Audit Committee of the University Council and other parties as appropriate.
What is the purpose of internal controls?
As noted above, the primary purpose is to help us achieve our objectives. Typically internal controls are noted for having four primary purposes:
- to protect the University’s assets,
- to ensure records are accurate,
- to promote operational efficiency, and
- to encourage adherence to policies and procedures.
Are there different types of internal controls?
Yes, generally speaking there are three types: preventative, detective and compensating or steering controls.
Preventative Controls are designed to discourage errors or irregularities from occurring. (Example: processing vouchers only after approval signatures have been obtained.)
Detective Controls are designed to find errors or irregularities after they have occurred. (Example: reconciling monthly account statements.)
Compensating Controls are designed to provide reasonable assurance where resource limitations preclude the implementation of more direct controls. (example monthly review of transactions by an independent person where segregation of duties is impossible) Steering controls (i.e. policies) are designed to guide actions towards the desired objectives.
Are internal auditors responsible for internal controls?
No. We play a role in our system of internal controls by performing evaluations and making recommendations for improved controls. However, the system of internal control is the responsibility of management. We believe every employee plays a role in either strengthening or weakening our institution’s internal control system.
How can I be sure that my department has sufficient internal controls?
Perform a self assessment of your controls. Contact Internal Audit for assistance in this process.
Request an internal audit. We budget several hours each year for administrative requests. If you have concerns or would like an independent assessment, contact the Internal Auditor.
Request an internal control training session. Internal Auditing performs training on internal controls and what we believe are minimum requirements. Contact the Internal Auditor if you would like us to present on this topic to your unit. You can review several prior presentations on our departmental web site.
What is segregation of duties?
Segregation of incompatible duties is a control element designed to prevent errors and irregularities. At a minimum, individuals should not have responsibility for all three components of a transaction cycle: initiation, processing and reconciliation/review. Where staffing levels permit, it is preferable to segregate all three components.