Internal controls are broadly defined as processes, affected by an organization's people, designed to provide reasonable assurance regarding the achievement of the organization’s objectives. Typically internal controls are noted for having four primary purposes:
- to protect the University’s assets
- to ensure records are accurate
- to promote operational efficiency, and
- to encourage adherence to policies and procedures
We believe everyone uses internal controls in their typical daily activities such as the following:
- Do you lock your doors at home before leaving for work?
Probably so because you wanted to protect the assets in your home from theft.
- Do you write your PIN number on your debit card?
Probably not because you know if you lose your card, you would also most likely lose your money.
- Do you balance your bank statement each month?
Hopefully, because it ensures you know the correct balance in your account, ensures no one has inappropriately accessed your funds, and ensures that the bank hasn’t made mistakes in their records.
The items noted above, among other things, make up what we refer to as your personal
internal control system. These are things you do to achieve your objectives in your
own business and life. Many of these are simply logical, common-sense things you do
every day. Just as you apply these things to your personal internal control system, we want to
apply relevant controls to the University’s business and operational processes.
Internal controls can be classified as preventive or detective. Preventive controls are designed to discourage errors or irregularities.
- A computer application which checks validity prevents the entry of an invalid account number.
- A manager's review of purchases for propriety and validity prior to approval prevents
Detective controls are designed to identify an error or irregularity after it has occurred.
- An exception report detects and lists incorrect or invalid entries or transactions.
- A comparison of validated Cash Receipt Vouchers to monthly financial statements will detect deposits posted to erroneous accounts.
- The manager's review of long distance telephone charges will detect improper or personal
calls that should not have been charged to the account.
The system of internal control is the responsibility of management.
Internal Audit assists the University in maintaining effective controls by evaluating their effectiveness and efficiency, making recommendations for improved controls, and by promoting continuous improvement as part our internal auditing and consulting activity. Every employee plays a role in either strengthening or weakening our University's internal control system.
Below is a list of typical best business practices in maintaining an effective control environment:
Set a strong example for the expectation of ethical behavior, compliance with laws/policies, and communicate your expectations routinely to your unit's personnel.
Never sign something you do not understand.
Limit signature authority and do not let anyone sign your name (an employee should sign their own name). Never use a signature stamp.
If something does not make sense ask questions about it until it does. Pay attention to what your employees are doing.
Be familiar with University policies and procedures. Be willing to call and ask questions.
Consider unique risks your unit may have (i.e. cash collections, contracts and grants, etc.) and ensure additional oversight is provided.
Ensure departmental reports are reconciled monthly and review this reconciliation for any unusual transactions.
Do not let one employee have complete control of any process.
Keep offices and labs locked to protect property, data, and other resources. (Remember to shred paper documents with identifying information.)
Ensure University assets are used for University business.