An internal control system is the process that management uses to provide reasonable assurance that the University's goals and objectives will be achieved. It is the management of business risks and is a dynamic process that changes as personnel and circumstances change. The system includes organizational design, written policies and procedures, operating practices and physical barriers to protect assets and all personnel. The system should be designed to discourage occurrences of errors or irregularities and to identify, within a reasonable time frame, errors or irregularities that may occur. The internal control system encompasses a variety of internal controls such as background checks of prospective employees for sensitive positions to locking doors when the offices are closed for the evening. Although the internal control system is to be developed and monitored by the University's management, Internal Audit Services is available to assist in reviewing the internal control system and making suggestions for improvement.
The internal control system provides for safeguarding of assets, proper recording of transactions, and the efficient and effective accomplishment of the University's goals and objectives including compliance with federal, state, and University rules and regulations.
Responsibility for Internal Controls
The manager, who is responsible for the accomplishment of goals and objectives, is also responsible for establishment, maintenance and monitoring of the internal control system which helps ensure the accomplishment of those goals and objectives. He or she is responsible for the sound financial condition of the unit, protection of the University's assets, including its human resources, and compliance with federal, state, and University rules, regulations and procedures. He or she must ensure that the funds entrusted to the unit are used appropriately.
The manager may delegate some of the related duties but cannot delegate accountability and responsibility.
Components of Internal Controls
The control environment includes management's attitudes that are then reflected in the employees' attitudes. Management's attitudes should support ethical values and good business practices. A manager should promote compliance with University policies and procedures through his or her actions as well as through unit policies and procedures. He or she should ensure that employees also support ethical values and have the technical competence for the position. Policies and procedures should be written, provided to all staff and expectations for compliance communicated to staff. There should be no tolerance for fraud or conflicts of interest. Disciplinary action should be consistently applied to all employees. Managers must support compliance with University policies and procedures, if they expect employees to comply with University policies and procedures.
Managers should identify and analyze the relevant risks to the achievement of unit goals and objectives. He or she should determine what can go wrong, what areas have the most risk, what assets are at risk and who is in a position of risk. Uncontrolled risks may result in insufficient resources to achieve established goals through loss, misuse or mismanagement of resources.
Information and Communication
Information and communication relates to the communication of relevant information in a timely manner to help all employees complete their duties and fulfill an organization's objectives.
Information systems and technology plays a key role because they produce the reports, data and financial information, which makes it possible to effectively operate and evaluate performance.
Communication is the flow of information. Effective communication flows up, down, and laterally within the organization and to outside parties (i.e. students, community members, vendors, constituents, Trustees, Regents, etc.).
The primary controls for information and communication are:
- Understanding rights and obligations - Policies and procedures
- Validity of information - Data is properly supported
- Completeness - All relevant data is properly included
- Evaluations - Electronic routines are proven and tested, policies and procedures are understood, periodic reviews assess employees' understanding and performance, etc.
Control activities are those activities that provide a "reasonable" level of assurance that the unit's goals and objectives will be accomplished. Absolute assurance is not possible due to costs, collusion, human error and management's ability to override controls. Control activities include:
- Separation of duties
- Physical security of assets
- Access limitations
- Inventory counts
Control activities are designed to provide a reasonable level of assurance that the goals and objectives will be accomplished.
Monitoring ensures that the internal control system is operating as expected. It should be performed by supervisory personnel and focused on high-risk areas. It identifies changes in circumstances that may require changes to the internal control system. Where internal controls are weak, increased compensating controls such as supervisory reviews are necessary.
Establishing Good Internal Controls
Internal controls should be proactive, value-added and cost effective.
In the best case scenario, poor internal controls result in increased bureaucracy, reduced productivity, increased complexity, increased time to process transactions and increased non-value activities. In the worst case, poor internal controls interfere with the accomplishment of the unit's goals and objectives and allow for misuse or abuse of assets.
Fraud is a product of opportunity, pressures and rationalization. A system of good internal controls will keep opportunities for fraud to a minimum and will, through appropriate documentation and procedures, assist in the identification of a person who commits fraud. The system protects the University's assets and employees. Some common indicators or symptoms of fraud include:
- Employee will not take a vacation
- Changes in employee lifestyle, habits, behavior
- Decline in employee morale and/or attendance
- Unexplained variances
- Missing or altered documents
- Complaints about an employee
- Employee wants to control everything
- Reconciliations not performed
If a manager feels that an employee may be misusing funds, he or she should contact Internal Audit Services directly rather than try to conduct an investigation. The manager (or another employee) may contact us at 425-797-1084 or use the Report Concerns Form anonymously.
The presence of fraud symptoms does not mean that fraud is occurring, but fraud will not occur without at least some of these symptoms.