What are internal controls and why are they important?
What is the manager's responsibility?
What is Internal Audit's responsibility?
What can jeopardize internal controls?
How much do internal controls cost?
Whether or not your unit has ever been audited, you may have heard of Internal Controls. This brochure presents a brief, practical discussion of Internal Controls for the unit manager.
Internal controls are the methods employed to help ensure the achievement of an objective. They are tools used by managers every day.
- Writing procedures to encourage compliance, locking your office to discourage theft, and reviewing your monthly statement of account to verify transactions are common internal controls employed to achieve specific objectives.
All managers, from the unit level to the President of the University, use internal controls to help assure that their units operate according to plan. And the methods they use--policies, procedures, organizational design, and physical barriers--constitute the internal control structure of the Indiana University.
Most internal controls can be classified as preventive or detective. Preventive controls are designed to discourage errors or irregularities.
- A computer application which checks validity prevents the entry of an invalid account number.
- Reading and understanding University Human Resource policies, such as Work Hours [for PA Staff], helps prevent violations of the Federal Fair Labor Standards Act. [Human Resources Professional Staff Policy 2.14]
- A manager's review of purchases for propriety and validity prior to approval prevents inappropriate expenditures.
Detective controls are designed to identify an error or irregularity after it has occurred.
- An exception report detects and lists incorrect or invalid entries or transactions.
- A comparison of validated Cash Receipt Vouchers to monthly financial statements will detect deposits posted to erroneous accounts.
- The manager's review of long distance telephone charges will detect improper or personal calls that should not have been charged to the account.
Through careful design, the system of internal controls can help your unit operate more efficiently and effectively and provide a reasonable level of assurance that the processes and products for which you are responsible are adequately protected.
- Maintaining written procedures for manual processing will ensure that operations can continue in the event of computer failure.
You, as managers, are responsible for ensuring that internal controls are established and functioning to achieve the mission and objectives of your unit. To evaluate internal controls, first think about the following general objectives then identify your unit's specific objectives within these broad categories.
- Propriety of Transactions for all activity within accounts for which the manager is responsible [IU Financial Policy I-1: Role of Fiscal Officer, Account Manager, and Account Supervisor]
- Reliability and Integrity of Information for internal management decisions and external agency reports
- Compliance with Indiana University Policies and Government Regulations, including but not limited to: Human Resources, Financial, Purchasing, granting agencies, and state and federal government
- Safeguarding Assets, including physical objects and University data
- Economy and Efficiency of Operations to optimize the use of limited resources in accomplishing the mission of the unit and Indiana University
Next, identify what controls currently exist (or should be established) to reasonably assure the achievement of each specific objective for your unit.
Internal Audit provides an independent evaluation of the adequacy of internal controls and reports the results to Indiana University administration and the Board of Trustees. Auditors look at how the internal controls, within an operation, work together to make up the internal control structure. The auditor gathers information about the mission and processes of the unit, discusses the major objectives with the manager, and identifies control points within each process where an error, irregularity, or inefficiency is likely to occur.
The auditor documents existing controls at each significant control point, evaluates the adequacy of the controls to ensure achievement of the objective, and then tests the controls to verify they are working as described. Further discussions with the manager focus on control risks, manager insights, and potential control enhancements. The greater the risk, the more extensive the control that is warranted.
The auditor's evaluation includes an examination of the following internal control elements:
Personnel - should be competent and trustworthy, with clearly established lines of authority and responsibility documented in written job descriptions and procedures manuals.
- Organizational charts provide a visual presentation of lines of authority.
- Periodic updates of job descriptions ensures that employees are aware of the duties they are expected to perform.
Authorization Procedures - should include a thorough review of supporting information to verify the propriety and validity of transactions. Approval authority should be commensurate with the nature and significance of the transactions and in compliance with Indiana University policy.
- Time records should be signed by the employee and supervisor with direct knowledge of the employee's work schedule. [IU Financial Policy IV-1]
- An account manager or fiscal officer may delegate signature authority only to an exempt employee or an appointed biweekly employee. [IU Financial Policy I-10]
Segregation of Duties - should reduce the likelihood of errors and irregularities. An individual should not have responsibility for more than one of the three transaction components: authorization, custody, and record keeping.
- Authorization for the assessment of class fees (Registrar) is segregated from the collection of those fees (Bursar).
Physical Restrictions - are the most important type of protective measure for safeguarding University assets, processes, and data.
- Safe combinations should be changed periodically and anytime a staff member knowing the combination terminates employment.
- Critical forms, such as custodial fund checkbooks, should be adequately secured.
- Alarm systems may be necessary to adequately protect large amounts of cash, other valuable assets, or sensitive data
Documentation and Record Retention - should provide reasonable assurance that assets are controlled and transactions are correctly recorded.
- The Equipment Loan Form documents the authorized removal of equipment from campus and provides assurance that an individual has accepted responsibility for the item. [IU Financial Policy I-140]
- State Board of Accounts approval for all new or revised forms having a financial implication provides consistency and ensures that adequate transaction information is recorded. [IU Financial Policy I-100]
Monitoring Operations - is essential to verify that controls are operating properly. Reconciliation, confirmations, and exception reports can provide this type of information.
- Biannual equipment inventories comply with granting agency regulations and provide assurance that assets physically exist and are available for use.
- Account managers, account supervisors, and fiscal officers must verify the propriety of transactions within their accounts. [IU Financial Policy I-1]
While many circumstances may compromise the effectiveness of your internal control structure, a few of the most common and serious of these warrant special mention:
Inadequate Segregation of Duties - (Our most common audit finding) - Separating responsibility for physical custody of an asset from the related record keeping is a critical control.
- Persons who can authorize purchase orders (Purchasing) should not be capable of processing payments (Accounts Payable).
- The person who prepares the deposit should not post the receipts to the customer accounts.
- The person who prepares the payroll voucher should not distribute or have custody of the payroll checks.
Inappropriate Access to Assets - Internal controls should provide safeguards for physical objects, restricted information, critical forms, and update applications.
- An employee who only needs to view computer information should be restricted to Read and File Scan access and should not be granted Write and Create access.
- Only authorized individuals should be issued keys for restricted areas.
Inadequate Knowledge of Indiana University Policies -The University is not a static environment--new policies and policy revisions are a part of our continual evolution. Many University policies are available electronically and printed copies can be supplied upon request by contacting the relevant University department. Managers must stay abreast of these changes and understand their responsibilities.
- Fiscal Misconduct - "If any employee knows or suspects that other university employees are engaged in theft, fraud, embezzlement, fiscal misconduct or violation of university financial policies, it is their responsibility to immediately notify the Internal Audit department or the appropriate campus police department." [IU Financial Policy I-30]
Form Over Substance - Controls can appear to be well designed but still lack substance, as is often the case with required approvals.
- The account manager's signature attests to the accuracy of the payroll voucher information, but if the account manager does not have assurance that the supporting time records are accurate, the approval process lacks substance.
Control Override - Exceptions to established policies are sometimes necessary to accomplish a specific task, but can pose a significant risk if not effectively monitored and limited.
- Thorough documentation and approval of all exceptions will help management ensure the availability of a clear explanation for unusual transactions or events. A periodic review of these exceptions also helps to identify the need for policy or procedural changes.
Inherent Limitations - There is no such thing as a perfect control system. Staff size limitations may obstruct efforts to properly segregate duties, which requires the implementation of compensating controls to ensure that objectives are achieved. A limitation inherent in any system is the element of human error (misunderstandings, fatigue, and stress).
- A manager who encourages employees to take earned vacation time can improve operations through cross training while enabling employees to overcome or avoid stress and fatigue.
The cost of implementing a specific control should not exceed the expected benefit of the control.
- The potential loss of a computer printer may justify the cost of a door lock but not an alarm system.
- Computer screen savers with passwords are inexpensive, effective methods of protecting sensitive data on a computer.
Sometimes there is no out-of-pocket cost to establish an adequate control. A realignment of duty assignments may be all that is necessary to accomplish the objective.
- Checks received in the mail are immediately separated from supporting documentation for restrictive endorsement and deposit. The supporting documentation is given to a different employee for crediting the payment or filling an order.
- Voided receipts are approved by someone (preferably a manager) other than the person preparing receipts.
A well-designed internal control structure can enhance operations by improving your unit's overall efficiency and effectiveness, as well as, reducing the risk of loss or theft.
- A bank lock box establishes accountability and restricts access to cash, in addition to streamlining operations by providing immediate deposits and (possibly) electronic application updates.
In analyzing the pertinent costs and benefits, managers should also consider the possible ramifications for Indiana University at large and attempt to identify and weigh the intangible as well as the tangible consequences.
- It may be difficult to determine the cost of poor public relations and lost goodwill if an ex-employee steals cash because the manager did not change the safe combination or retrieve University keys upon the employee's termination.
Internal controls should reduce the risks associated with undetected errors or irregularities, but designing and establishing effective internal controls is not a simple task and cannot be accomplished through a short set of quick fixes. However, we hope that this brochure has helped to explain the basic internal control concepts and have given you some ideas for improving your unit's controls. You can also request an internal control video and booklet by calling (812) 345-3361 and/or request one of our auditors to give a demonstration. This video was designed specifically for colleges and universities and is suitable for individual, group, or staff meeting viewing.For further advice and assistance in designing internal controls appropriate for your operation, you may contact Financial Management Services.