Simply defined, internal controls are those procedures you perform every day
to get your job done. For example, completing a form, having it signed
and approved, and making a copy for your records is a procedure and
a control all at the same time.
A system of controls (or procedures) reduces business risk, which is
the probability that certain exposures will lead to loss or adverse
business conditions.
Internal controls are practices that protect or make more efficient
use of the University's assets. They are the kinds of things you already
do because they are generally just good business practices. Internal
controls can involve anything from protecting computer files with passwords
to making sure that the door is locked when everyone has gone home for
the night.
Typically, management is responsible for developing an appropriate system
of internal controls, but every employee is responsible for following
and applying those practices. They may seem unimportant by themselves,
but taken as a whole, they can have a major impact on the University's
operations. Internal controls can be preventive, detective or corrective
in nature:
Preventive controls are designed to discourage or pre-empt errors
or irregularities from occurring. They are more cost-effective than
detective controls. Credit checks, job descriptions, required authorization
signatures, data entry checks and physical control over assets to prevent
their improper use are all examples of preventive controls.
Detective controls are designed to search for and identify errors
after they have occurred. They are more expensive than preventive controls,
but still essential since they measure the effectiveness of preventive
controls and are the only way to effectively control certain types of
errors. Account reviews and reconciliations, observations of payroll
distribution, periodic physical inventory counts, passwords, transaction
edits and internal auditors are all examples of detective controls.
Corrective controls are designed to prevent the recurrence of
errors. They begin when improper outcomes occur and are detected and
keep the "spotlight" on the problem until management can solve the problem
or correct the defect. Quality circle teams and budget variance reports
are examples of corrective controls.
Auditors evaluate the effectiveness of an operation's internal
controls by first gathering information about how a unit operates, identifying
points at which errors or inefficiencies are possible, and identifying
system controls designed to prevent or detect such occurrences. Then,
they test the application and performance of those controls to assess
how well they work. You can evaluate controls in your department's operations
by following the same process.
Internal controls only provide reasonable assurance, a concept which
recognizes that the "cost" of internal controls should not exceed the
benefits derived from them. Management (with input from Internal Audit)
must make the decision as to how much control is enough. As needs and
personnel change, management will make changes in the systems of control
to ensure that the system is still providing reasonable assurance that
risks are being avoided.
Control activities are those specific policies and procedures that help
ensure management directives are implemented. They include a wide range
of activities that occur throughout the organization, by supervisory
and front-line personnel. This is not an all-inclusive list, but here
are some examples of common control activities.
Segregation of Duties:
Duties are divided, or segregated, among
different people to reduce the risk of error or inappropriate actions.
For instance, responsibilities for authorizing transactions, recording
them and handling the related asset are divided.
Physical Controls:
Equipment, inventories, securities, cash and
other assets are secured physically, and periodically counted and compared
with amounts shown on control records. Access is restricted to those
with authority to handle them.
Reconciliations:
Comparisons are made between similar records
maintained by different persons to verify transaction details.
Policies and Procedures:
Established policies, procedures and
even job descriptions provide guidance and training to ensure consistent
performance at a required level of quality.
Transaction and Activity Reviews:
Managers running functions
or activities review performance reports. They may relate different
sets of data - operating or financial - to one another, together with
analyses of the relationships.
Information Processing Controls:
A variety of controls are performed
to check accuracy, completeness and authorization of transactions. Data
entered are subject to edit checks or matching to approved control files.
Numerical sequences of transactions are accounted for, and file totals
are controlled and reconciled with prior balances and control accounts.
Development of new systems and changes to existing ones are controlled,
as is access to data, files and programs.