Internal Controls
An internal control system is the process that management uses to provide reasonable assurance that the university's goals and objectives will be achieved. It is the management of business risks and is a dynamic process that changes as personnel and circumstances change. The system includes organizational design, written policies and procedures, operating practices and physical barriers to protect assets and all personnel. The system should be designed to discourage occurrences of errors or irregularities and to identify, within a reasonable time frame, errors or irregularities that may occur.
Responsibility for Internal Controls
Management is responsible for establishment, maintenance and monitoring of the internal control system which helps ensure the accomplishment of the unit's goals and objectives. Management is responsible for the sound financial condition of the unit, safeguard of assets, proper recording of transactions and compliance with federal, state, and university policies and procedures. Management must ensure the funds entrusted to the unit are used appropriately. The manager may delegate some of the related duties but cannot delegate accountability and responsibility.
Although the internal control system is developed and monitored by management, Internal Audit Services is available to assist in reviewing the internal control system and making suggestions for improvement.
Components of Internal Controls
Control Environment
The control environment includes management's attitudes that are then reflected in the employees' attitudes. Management's attitudes should support ethical values and good business practices. A manager should promote compliance with university policies and procedures through their actions as well as through unit policies and procedures. They should ensure employees support ethical values and have the technical competence for the position. Policies and procedures should be written and expectations for compliance communicated to staff. There should be no tolerance for fraud or conflicts of interest. Disciplinary action should be consistently applied to all employees. Managers must support compliance with university policies and procedures, if they expect employees to comply with university policies and procedures.
Risk Assessment
Managers should identify and analyze the relevant risks to the achievement of unit goals and objectives. They should determine what can go wrong, what areas have the most risk, what assets are at risk and who is in a position of risk. Uncontrolled risks may result in insufficient resources to achieve established goals through loss, misuse or mismanagement of resources.
Information and Communication
Information and communication relates to the communication of relevant information in a timely manner to help all employees complete their duties and fulfill an organization's objectives.
Information systems and technology plays a key role because they produce the reports, data and financial information, which makes it possible to effectively operate and evaluate performance.
Communication is the flow of information. Effective communication flows up, down, and laterally within the organization and to outside parties (i.e. students, community members, vendors, constituents, trustees, etc.).
The primary controls for information and communication are:
- Understanding rights and obligations - policies and procedures
- Validity of information - data is properly supported and accurate
- Completeness - all relevant data is included
- Evaluations - electronic routines are proven and tested, policies and procedures are understood, periodic reviews assess employees' understanding and performance, etc.
Control Activities
Control activities are those activities that provide a "reasonable" level of assurance that the unit's goals and objectives will be accomplished. Absolute assurance is not possible due to costs, collusion, human error and management's ability to override controls. Control activities include:
- Authorizations
- Separation of duties
- Physical security of assets
- Access limitations
- Reconciliations
- Inventory counts
Monitoring
Monitoring ensures the internal control system is operating as expected. It should be performed by supervisory personnel and focused on high-risk areas. It identifies changes in circumstances that may require changes to the internal control system. Where internal controls are weak, increased compensating controls such as supervisory reviews are necessary.
Establishing Good Internal Controls
Internal controls should be proactive, value-added and cost effective.
In the best case scenario, poor internal controls result in increased bureaucracy, reduced productivity, increased complexity, increased time to process transactions and increased non-value activities. In the worst case, poor internal controls interfere with the accomplishment of the unit's goals and objectives and allow for misuse or abuse of assets.
Fraud
Fraud is a product of opportunity, pressures and rationalization. A system of good internal controls will keep opportunities for fraud to a minimum and will, through appropriate documentation and procedures, assist in the identification of a person who commits fraud. The system protects the university's assets and employees. Some common indicators or symptoms of fraud include:
- Employee will not take a vacation
- Changes in employee lifestyle, habits, behavior
- Decline in employee morale and/or attendance
- Unexplained variances
- Missing or altered documents
- Complaints about an employee
- Employee wants to control everything
- Reconciliations not performed
If a manager feels that an employee may be misusing funds, he or she should contact Internal Audit Services directly rather than try to conduct an investigation. The manager (or another employee) may contact us at (435)797-1084 or use USU's Reporting Hotline.
The presence of fraud symptoms does not mean that fraud is occurring, but fraud will not occur without at least some of these symptoms.