CSS Menu - Vertical
Internal Controls

Click here to download the Internal Control Checklist. Please visit our website from time to time for updated versions of the Checklist.

An internal control system is the process that an administrator uses to provide reasonable assurance that the unit's goals and objectives will be achieved. It is the management of business risks and is a dynamic process that changes as personnel and circumstances change. The system includes organizational design, written policies and procedures, actual operating practices, physical barriers to protect assets and all personnel. The system should be designed to discourage occurrences of errors or irregularities and to identify, within a reasonable time frame, errors or irregularities that may occur. The internal control system encompasses a variety of internal controls such as background checks of prospective employees for sensitive positions to locking the door when the office is closed for the evening. Although the internal control system is to be developed and monitored by the unit administrator, the Office of Audit & Compliance Review (OACR) is available to assist in reviewing the internal control system and making suggestions for improvement.

The internal control system provides for safeguarding of assets, proper recording of transactions, and the efficient and effective accomplishment of the unit's and university's goals and objectives including compliance with federal, state, and university rules and regulations.

RESPONSIBILITY FOR INTERNAL CONTROLS

The administrator who is responsible for the accomplishment of goals and objectives is also responsible for establishment, maintenance, and monitoring of the internal control system which helps ensure the accomplishment of those goals and objectives. He or she is responsible for the sound financial condition of the unit, protection of the university's assets including its human resources, and compliance with federal, state, and University rules, regulations, and procedures. He or she must ensure that the funds entrusted to the unit are used appropriately.

The administrator may delegate some of the related duties but cannot delegate accountability.

THE IMPORTANCE OF GOOD INTERNAL CONTROLS

Good internal controls are essential to assuring the accomplishment of goals and objectives. They provide reliable financial reporting for management decisions. They ensure compliance with applicable laws and regulations to avoid the risk of public scandals. Poor or excessive internal controls reduce productivity, increase the complexity of processing transactions, increase the time required to process transactions and add no value to the activities.

Good internal controls help ensure efficient and effective operations that accomplish the goals of the unit and still protect employees and assets.

COMPONENTS OF INTERNAL CONTROLS

Control Environment
The control environment includes administrator's attitudes that are then reflected in the employees' attitudes. An administrator's attitudes should support ethical values and good business practices. An administrator should promote compliance with university policies and procedures through his or her actions as well as through unit policies and procedures. He or she should ensure that employees also support ethical values and have the technical competence for the position. Background checks should be performed prior to hiring for key positions. Policies and procedures should be written, provided to all staff, and expectations for compliance communicated to staff. There should be no tolerance for fraud or conflicts of interests. Disciplinary action should be consistently applied to all employees.

Administrators must support compliance with university policies and procedures if they expect employees to have that attitude.


Risk Assessment
Administrators should identify and analyze the relevant risks to the achievement of unit goals and objectives. He or she should determine what can go wrong, what areas have the most risk, what assets are at risk, and who is in a position of risk. Risks may include:

Public scandal
Revenues not received or if received, not recorded properly
Assets (financial, personnel, space, personal property) not used efficiently
Assets (financial, personnel, space, personal property) not used to accomplish unit goals and objectives
Assets (financial, personnel, space, personal property) may be diverted to personal use
Information used for decision making is not reliable, timely, or available
Methods to control risks should be identified and the associated costs analyzed and compared to the risk. For some risks, there may not be reasonable controls or the cost of controls may be prohibitive.

Uncontrolled risks may result in insufficient resources to achieve established goals through loss, misuse or mismanagement of resources.


Control Activities
Control activities are those activities that provide a "reasonable" level of assurance that the unit's goals and objectives will be accomplished. Absolute assurance is not possible due to costs, collusion, human error, and management's ability to override controls. Control activities include

Authorization to initiate or approve transactions should be limited to specific personnel. Authorizations can be limited by type of transactions or amount of transactions.
Separation of duties provide that one employee does not have the responsibility for all phases of a transaction. Generally, an employee with physical access to an asset should not also be responsible for accounting records relating to that asset.
 Assets should be physically secured.
Access to assets should be limited.
Reconciliations of assets to accounting records should be prepared periodically and reconciling items should be resolved timely.
 Physical assets should be counted periodically and the results of the counts compared to accounting records. Discrepancies should be reported to appropriate administrators and investigated.
 Transactions should be properly documented and the records retained in an organized manner.

Control activities are designed to provide a reasonable level of assurance that the goals and objectives will be accomplished.


Information and communication system
The purpose of the information and communication system is to help ensure that employees are aware of the unit's goals and objectives, how they are to be accomplished, and who is responsible for the specific tasks to accomplish them. The information and communication system must also provide administrators with reports containing operational, financial, and compliance information to monitor progress toward accomplishing established goals and objectives and to allow administrators to make appropriate decisions. Information and communication systems include:

The university's written policies and procedures
The unit's goals and objectives
The unit's documented policies and procedures
Organization charts
Position descriptions
Performance evaluations
Training programs
Periodic reports measuring progress toward the accomplishment of goals and objectives

An essential part of the internal control system is an effective information and communication system that ensures that employees know what they are supposed to accomplish and how they are to do it.


Monitoring
Monitoring ensures that the internal control system is operating as expected. It should be performed by supervisory personnel and focused on high-risk areas. It identifies changes in circumstances that may require changes to the internal control system. Monitoring activities include:

Spot checks of transactions to ensure compliance with policies and procedure
 Reviews of financial reports such as comparisons of budgeted and actual revenues and expenditures and comparisons of current and prior months or years activities
 Reviews of FLAIR departmental ledgers and related reconciliations to departmental accounting records
 Reviews of outstanding encumbrances
 Reviews of high risk accounts or records including payroll pay lists and employee leave records
Evaluations of trends
Review of supporting documentation
Surprise cash and other asset counts
Documentation of software licenses
Reviews of tangible personal property and the related records
Follow up of complaints, rumors and allegations

Where internal controls are weak, increased compensating controls such as supervisory reviews are necessary.

ESTABLISHING GOOD INTERNAL CONTROLS

Internal controls should be proactive, value-added, and cost effective. To establish good internal controls administrators must:

Identify the unit goals for operations as they relate to the mission (education, research, and public service).
Identify the unit goals for finance and administration (budgets and human resource management).
Identify the unit compliance goals.
Identify and evaluate the risks and conflicts to the accomplishment of those goals. This can be accomplished through discussions with upper management and the Office of Audit & Compliance Review or through benchmarking with similar units within the university or with similar institutions.
Establish written policies and procedures that minimize material risks and conflicts and incorporate key internal controls.
 Provide the policies and procedures and appropriate training to staff to encourage compliance.

In the best case scenario, poor internal controls result in increased bureaucracy, reduced productivity, increased complexity, increased time to process transactions, and increased non-value activities. In the worst case, poor internal controls interfere with the accomplishment of the unit's goals and objectives and allow for misuse or abuse of assets.

FRAUD
Fraud is a product of opportunity, pressures, and rationalization. A system of good internal controls will keep opportunities for fraud to a minimum and will, through appropriate documentation and procedures, assist in the identification of a person who commits fraud. The system protects the university's assets and employees. Fraud symptoms include:

Missing or altered documents to support transactions
Excessive voided documents or transactions without supervisory approval
 Transactions with inappropriate authorizations
Excessive complaints from customers or other employees
Unusual billing addresses or arrangements
Payments based on photocopied invoices or fabricated invoices
Vendor payments sent to an employees address
An employee who
Is living beyond his or her means
Can't manage money
Doesn't take a vacation
Is dissatisfied with work
Is a take charge person
Has expensive habits
Has close relationships with customers or vendors

If administrators feels that an employee may be misusing funds, he or she should contact the Office of Audit & Compliance Review rather than try to conduct an investigation.

The presence of fraud symptoms does not mean that fraud is occurring but fraud will not occur without at least some of these symptoms.

 
 
Untitled Document
 
Tel: (352) 392-1391
Fax: (352) 392-3149
PO Box 113025
Office of Audit & Compliance Review
903 W University Ave Room 217
Gainesville, FL 32611
OACR Copyright ©2003,
Last Update on