Guide to Internal Controls
ELEMENTS OF AN INTERNAL CONTROL SYSTEM
Internal controls are normally thought of as something of concern only to the Controller's Office and auditors. However, any area that authorizes the use of resources, has control of assets, or provides information for the accounting records should also be concerned with internal controls, also known as management controls. All areas of an organization are subject to audit and need an internal control system in place to help minimize audit criticisms. Management must understand the importance of controls, the risks of circumventing them, and the ramifications of abusing them.
Internal controls are systems, policies, procedures and practices that are used to detect or prevent errors of commission and omission. Internal controls should safeguard an entity's assets, which include accurate financial records. Internal controls also promote operational efficiency and encourage adherence to prescribed managerial policies and procedures as well as laws, rules and regulations. Effective internal control is a cornerstone of successful management. The following information is meant to assist in expanding the reader's knowledge of what an internal control system should encompass; it should aid in preventing adverse audit findings and strengthen management oversight in needed areas.
MANAGEMENT AND THE CONTROL ENVIRONMENT
Management establishes and maintains the internal control system for the University. Management sets the tone, parameters and structures, but the responsibility of compliance belongs to all employees and their attitudes will help determine the success or failure of established controls. Management must demonstrate the importance of controls by ensuring their consistent application and show that compliance and controls are an integral part of the business operations.
Any control can be overridden by management. The risks associated with overrides must be assessed. Employees should be required to document any unusual request by management; preprinted forms may be used for such documentation. The use of such forms can provide a means for review of exceptions to controls. Top management needs to be aware that overrides may be more prevalent where there are decentralized branch operations, or areas of small operations making separation of duties difficult. Incentive programs can create an atmosphere for less than accurate records and/or inappropriate management overrides.
METHODS OF DESIGNING AN INTERNAL CONTROL SYSTEM
Although an adequate internal control system should prevent errors, an effective system will also help detect, within a reasonable time period, the errors that do occur. Several tools are available to assist in the design of an internal control system. These methods highlight strengths and weaknesses that may exist in the system.
- A checklist review process is one form of evaluating a system. Issues of separation of duties, completeness of data, checks and balances, effect on operating efficiency, and possible overrides should be addressed. Checklists can be directed to the general environment as well as to cycles within the operation. The checklist should state the objective to be achieved, the possible risks if it is not achieved, and question whether the controls achieve the objective. The questions should relate to whether or not the controls are actually in use. If the questions are answerable by "yes/no", they need to be worded in such a way that "yes" is not automatically the "correct" answer. An "incorrect" answer indicates a weakness and requires additional questions or investigation.
- Flowcharting is another means of designing and evaluating an internal control system. Flowcharts can show the flow of document processing and/or the controls of a system. Decision trees are similarly helpful in designing proper controls, but these tools are useful only if they are updated as changes occur.
- "Walk-throughs" and "transaction tracing" can be useful tools. A transaction is walked through the system to determine whether the procedure on paper is accurately translated into actual practice.
BUILDING A SOUND CONTROL ENVIRONMENT
A successful internal control environment needs the cooperation of the employees, with executives and senior management taking the lead by setting personal examples of high ethical conduct. Because of the possibility of human error, a system may need redundant and/or compensating controls. The extent of additional controls should be determined through cost/benefit analysis. The design of a system must be well thought out, weighing compliance against cost/benefit. The risk of non-compliance and its results must also be weighed. Employees must understand they will not be penalized for decreased operating efficiency which may stem from complying with prescribed controls. Employee annual evaluations should include a section on adherence to established controls. In order to maximize the effectiveness of the internal control system, management needs to pay attention to employee feedback about what does and does not work. One set of controls may not govern every transaction. For example, high dollar transactions are inherently more risky and should be subject to more stringent controls.
COMPLETENESS OF RECORDS AND THE AUDIT TRAIL
An audit trail is a chain of evidence; it is the path from an original source document to its final entry in the accounting records. To establish an audit trail, all transactions, routine and non-routine, need to be documented, especially the non-routine exception transaction.
Document control is vital in assuring that all transactions are recorded. The use of pre-numbered forms, where appropriate, can assist as a control. All forms, including voided forms, must be accounted for. The manager needs to understand the flow of documents, which should be outlined in a manual. Written job descriptions should designate the roles of employees in document processing. As each processing phase is completed, it should be documented (initialed, dated, etc.). If a computer is completing some of the processing steps, computer access should be restricted to authorized users and applications, and the program should contain controls and checks for completeness, limits, and reasonableness.
EXAMINATION OF INTERNAL CONTROLS
Auditors are using the computer more frequently in their audit techniques. Management should do the same. PC programs and specialized reports from OIT can be utilized to enhance the internal controls. This should be subject to cost/benefit analysis.
A standard audit technique is sampling, which means reviewing and/or testing a "sample of the whole." For example, if management has decided a particular transaction type requires two signatures, someone should periodically review several of the transactions (a random sample) to determine if two signatures are being obtained. If a particular operation is to be reviewed and initialed by someone, then a sample should be examined for such initials. Another example may be that every student file should contain a certain document. A sample of files should be reviewed for that purpose. The frequency of sampling will be determined by the volume and importance of the tested item. It will also be determined by the results of the sample. A large number of deviations would dictate more frequent and perhaps more extensive testing. The reviews and results should be documented; this will demonstrate to senior management and auditors that there is a commitment to efficient and effective operations.
Risk exposure worksheets can help with the design and evaluation of controls. They are used to determine the expected error or loss from one occurrence and the frequency with which this one occurrence is likely to be observed. The findings are subject to cost/benefit analysis.
A system of internal controls should recognize four major areas of risk:
- valid documents may be lost and not recorded, or substitute documents may be entered into the records;
- transactions may be inaccurately recorded;
- assets may not be safeguarded;
- there may be a lack of compliance with established policies and procedures, laws, rules and regulations.
Separation of duties is a key internal control concept. No single individual should have control over an entire transaction. The duties of authorization, custody of assets and record-keeping should be the responsibility of three different individuals. Duties are considered to be incompatible if one individual can perpetrate and conceal errors and irregularities in the course of performing day-to-day activities without detection. If adequate separation of duties is not possible due to lack of sufficient staff, vacations, etc., then there should be written evidence of increased supervisory oversight.
A formal organization of separation of duties must not be overridden by the informal day-to-day structure. Unlimited access to accounting records, computer terminals, and assets, along with pre-signed forms, after-the-fact authorization, new employees, and changes in procedures, will weaken the formal structure.
There is a risk in having an individual with a thorough knowledge and understanding of the entire system. Therefore, caution should be exercised in selecting individuals for cross-training when it involves at least two of the above areas. Employees should be made aware of their control-related duties and the reasoning behind them.
Separation of duties is more difficult to achieve in a centralized, computerized environment. Compensating controls are needed, such as passwords, inquiry-only access, logs, edit checks, dual control of authorizations, exception reports, and reviews of input/output. Controls associated with passwords include having different levels of passwords, periodic expiration, deletion of accounts as employees terminate, and requiring users to log in again periodically throughout the day. Separation of duties within an information technology department is a critical component of safeguarding assets and vital records.
Separation of duties can only limit the possibility of problems arising due to incompatible duties. Collusion can occur, invalidating the control procedures in place. The manager needs to be aware of co-worker relationships, as well as relationships outside the office, and be alert to the possibilities of collusion.
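The separation-of-duties rules above can be checked mechanically. The following is an added example, not part of this guide: it flags anyone holding two or more of the three incompatible duties (authorization, custody, record-keeping) and any transaction in which one person filled more than one of those roles without a documented supervisory reviewer who is none of the actors. The access-list and ledger field names are assumptions, and the sample data is constructed.

```python
# Added example, not from the guide: separation-of-duties checks over an
# access list and a constructed transaction ledger. Field names are assumed.
from collections import defaultdict

# The three duties the guide says must rest with three different people.
INCOMPATIBLE_DUTIES = {"authorize", "custody", "record"}

def conflicting_role_holders(role_assignments):
    """Return {person: sorted duties} for anyone holding two or more of the
    incompatible duties; role_assignments is an iterable of (person, duty)."""
    held = defaultdict(set)
    for person, duty in role_assignments:
        if duty in INCOMPATIBLE_DUTIES:      # inquiry-only access is compatible
            held[person].add(duty)
    return {p: sorted(d) for p, d in held.items() if len(d) >= 2}

def transactions_lacking_separation(ledger):
    """Return ids of transactions in which one person filled more than one of
    the authorize / custody / record roles. A duplicated actor is accepted
    only with written evidence of supervisory oversight: a reviewer who is
    none of the actors (the guide's exception for small staffs, vacations)."""
    flagged = []
    for txn in ledger:
        actors = [txn["authorized_by"], txn["custodian"], txn["recorded_by"]]
        if len(set(actors)) < len(actors):
            reviewer = txn.get("reviewed_by")
            if reviewer is None or reviewer in actors:
                flagged.append(txn["id"])
    return flagged

# Constructed sample data.
SAMPLE_ROLES = [
    ("alice", "authorize"), ("bob", "custody"), ("carol", "record"),
    ("dave", "authorize"), ("dave", "record"),   # dave can both approve and book
    ("erin", "inquiry"),                         # read-only access, no conflict
]
SAMPLE_LEDGER = [
    {"id": "T001", "authorized_by": "alice", "custodian": "bob", "recorded_by": "carol"},
    {"id": "T002", "authorized_by": "dave", "custodian": "bob", "recorded_by": "dave"},
    {"id": "T003", "authorized_by": "alice", "custodian": "alice", "recorded_by": "carol"},
    {"id": "T004", "authorized_by": "dave", "custodian": "bob", "recorded_by": "dave", "reviewed_by": "frank"},
    {"id": "T005", "authorized_by": "alice", "custodian": "alice", "recorded_by": "carol", "reviewed_by": "alice"},
]

if __name__ == "__main__":
    print(conflicting_role_holders(SAMPLE_ROLES))        # {'dave': ['authorize', 'record']}
    print(transactions_lacking_separation(SAMPLE_LEDGER))  # ['T002', 'T003', 'T005']
```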
MISCELLANEOUS INTERNAL CONTROLS
Procedures are needed to assure that transactions are authorized by management, acting within their scope of authority.
- Proper documentation of processing is needed for the necessary audit trail. Documented reviews of transactions give validity to the audit trail.
- The following holds true at any level of employment, from a clerk to top management. Formal job descriptions are needed, which establish minimum work experience and educational and professional requirements. References should be checked and, if warranted, employees should be bonded. Once hired, there needs to be a training program and periodic evaluations, and the employee should have access to policy and procedure manuals.
- Vacations should be required of employees and the duties assumed by another employee. An employee who is purposely violating procedures for personal gain may not want to take time off and have another person get involved in his/her routine. Often problems with the system will be uncovered when someone else does become involved.
- Use of common sense in safeguarding assets is an important control feature. Locks, limited access, computer passwords and requiring ID's are some of the means to be considered.
- The usefulness of record-keeping is limited unless reconciliation procedures are followed. This involves periodic comparison of written documentation and expectation to actuality.
- Retention policies are needed for both physical documents and information stored in the computer. Backup procedures for computerized information are critical. This applies to all levels including centralized systems and personal computers.
- Clear, precise, written instructions should be provided for each function. These specific procedures should be in addition to a more general set of procedures needed to describe an entire operation. Manuals, job descriptions, detailed and general guidelines need to be updated as changes occur.
- Computer output should be reviewed against source documents.
- Documents containing non-computerized math calculations should be verified. When necessary, footing and crossfooting should be performed.
- There should be a semi-annual or annual review of the controls in place. Are they being used, and used consistently? Are they meeting their objective? Are they being circumvented? Do they apply to current conditions? Do they provide a timely check? Are they understandable, useful and necessary? Does the operation have both preventive and detective controls applicable to both manual and computerized systems? Does the benefit outweigh the cost?
A well-designed internal control system that is actually used cannot prevent all errors, but it can reduce the probability of their occurrence and of their going undetected. Many past audit findings are due to a lack of adequate internal controls, or to controls that are not followed. If you would like additional information regarding internal controls, contact the Office of Inspector General.
For more information on internal controls, refer to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), http://www.coso.org/; the Information Systems Audit and Control Association (ISACA), http://www.isaca.org/; and the Government Accountability Office, http://www.gao.gov/new.items/d011008g.pdf.