- What are internal controls?
- Who is responsible for internal controls?
- Are there different types of controls?
- How can my department contribute to the University's control environment?
- Internal Controls: Myths Versus Facts
What are internal controls?
Internal controls encompass the plan of organization and all of the coordinated methods adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency and encourage adherence to prescribed managerial policies. This definition recognizes that a system of internal control extends beyond those matters which relate directly to the functions of the accounting and financial departments.
Simply put, internal controls are anything we do to help us achieve our objectives. They are the policies, procedures, practices and organizational structures implemented in order to:
- Protect the University's assets (including the University's reputation);
- Ensure records are accurate;
- Promote operational efficiency; and
- Encourage adherence to policies and procedures
Who is responsible for internal controls?
Management is responsible for establishing and maintaining the control environment. Auditors play a role in a system of internal controls by performing evaluations and making recommendations for improved controls. Furthermore, every employee plays a role in either strengthening or weakening the Institution's internal control system. Therefore, all employees need to be aware of the concept and purpose of internal controls.
Are there different types of internal controls?
Yes, generally speaking there are two types: preventive and detective controls. Both types of controls are essential to an effective internal control system. From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality. However, detective controls play a critical role by providing evidence that the preventive controls are functioning as intended.
Preventive Controls are designed to discourage errors or irregularities from occurring. They are proactive controls that help to ensure departmental objectives are being met. Examples of preventive controls are:
- Segregation of Duties: Duties are segregated among different people to
reduce the risk of error or inappropriate action. Normally, responsibilities for authorizing transactions (approval), recording transactions (accounting) and handling the related asset (custody) are divided.
- Approvals, Authorizations, and Verifications: Management authorizes employees to perform certain activities and to execute certain transactions within limited parameters. In addition, management specifies those activities or transactions that need supervisory approval before they are performed or executed by employees. A supervisor’s approval (manual or electronic) implies that he or she has verified and validated that the activity or transaction conforms to established policies and procedures.
- Security of Assets (Preventive and Detective): Access to equipment, inventories, securities, cash and other assets is restricted; assets are periodically counted and compared to amounts shown on control records.
Detective Controls are designed to find errors or irregularities after they have occurred. Examples of detective controls are:
- Reviews of Performance: Management compares information about current performance to budgets, forecasts, prior periods, or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions that require follow-up.
- Reconciliations: An employee relates different sets of data to one another, identifies and investigates differences, and takes corrective action, when necessary.
- Physical Inventories
How can my department contribute to the Universoty's control environment?
The control environment is the control consciousness of an organization; it is the atmosphere in which people conduct their activities and carry out their control responsibilities. An effective control environment is an environment where competent people understand their responsibilities, the limits to their authority, and are knowledgeable, mindful, and committed to doing what is right and doing it the right way. They are committed to following an organization’s policies and procedures and ethical and behavioral standards.
As a Business Administrator/manager/employee of a department, you can do the following to enhance your department’s control environment:
- Make sure job descriptions exist, clearly state responsibility for internal control, and correctly translate desired competencies.
- Implement segregation of duties where duties are divided, or segregated, among different people to reduce risk of error or inappropriate actions. No one person has control over all aspects of any financial transaction.
- Make sure transactions are authorized by a person delegated approval authority when the transactions are consistent with policy and funds are available.
- Ensure records are routinely reviewed and reconciled by someone other than the preparer or transactor, to determine that transactions have been properly processed. Make certain that equipment, inventories, cash and other property are secured physically, counted periodically, and compared with item descriptions shown on control records.
- Provide employees with appropriate training and guidance to ensure they have the knowledge necessary to carry out their job duties, are provided with an appropriate level of direction and supervision, and are aware of the proper channels for reporting suspected improprieties. For example, if your department is a recipient of sponsored funds, make sure that individuals administering funds are well trained on federal rules and regulations regarding the use of grant funds.
- Make sure University and departmental level policies and operating procedures are formalized and communicated to employees. Documenting policies and procedures and making them accessible to employees (in either hard copy or internet based form) helps provide day-to-day guidance to staff and will promote continuity of activities in the event of prolonged employee absences or turnover.
- Make sure that employees comply with Rice University’s Conflict of Interest Policy and disclose potential conflicts of interest.
- Make sure employee performance evaluations are conducted periodically. Good performance should be valued highly and recognized in a positive matter.
- Make sure that appropriate counseling and/or disciplinary action is taken when an employee does not comply with policies and procedures and/or behavioral standards.
|Internal controls result from a
strong set of policies and procedures (i.e., "If a policy doesn't exist, we don't have to do it").
|Internal controls are based on a strong control environment and
solid business practices that, in most cases, will be supported by policies; however, lack of formal policies does not preclude good business practices.
|Internal controls? That's why we have internal auditors.||Management and departmental
personnel are the owners of internal controls.
|Internal controls are all about finance and accounting. We do what the Office of Financial Affairs or the Department of Finance tells us to do.||Internal controls are integral to
every aspect of business.
|Internal controls are essentially negative, like a list of "thou shalt nots."||Internal controls make the right thing happen the first time.|
|Internal controls are a necessary evil. They take time away from our core activities and responsibilities.||
Internal controls should be built into, not onto, business processes.
|If controls are strong enough, we can be sure that errors and irregularities will always be detected.||Internal controls provide
reasonable, but not absolute, assurance that the organization's objectives will be achieved.
Looking for more?
More resources and information is at your fingertips!
If you are aware of a fraudulent act that was committed by a member of the UT Arlington campus community, you have the responsibility to notify either your supervisor, the appropriate Administrator, Department of Internal Audit or UT Arlington Police Department. Employees who in good faith report unlawful activity are protected by the Texas Whistle-Blower Act against retaliation.
To report fraud, waste or abuse at UT Arlington, contact the Ethics Hotline at 1-877-507-7314, or email firstname.lastname@example.org. You can also contact the State Auditor’s Office at:
1-800-TXAUDIT (1-800-892-8348), or online at http://sao.fraud.state.tx.us/.
If you are being audited, take a look at our Clent Resources section to better understand the process and expectations. Audits and reviews can be valuable and beneficial to your department - a surprisingly insightful experience.