What are internal controls?
The Institute of Internal Auditors defines internal controls as any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Internal Controls are the methods or procedures used by an organization to:
- ensure reliability and integrity of information
- ensure compliance with policies, laws, regulations, procedures, contracts
- safeguard assets
- promote economical and efficient use of resources
- accomplish goals and objectives
Generally, there are two types of controls: preventive and detective. Both types of controls are essential to an effective internal control system. From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality. However, detective controls play a critical role by providing evidence that the preventive controls are functioning as intended.
Preventive Controls are designed to discourage errors or irregularities from occurring. They are proactive controls that help to ensure departmental objectives are being met. Examples of preventive controls are:
- Segregation of Duties: Duties are segregated among different people to reduce the risk of error or inappropriate action. Normally, responsibilities for authorizing transactions, recording transactions and handling the related asset are divided. (Example: the individual collecting cash and depositing funds should be someone different than the individual responsible for entering that data into the system)
- Approvals, Authorizations, and Verifications: Management authorizes employees to perform certain activities and to execute certain transactions within limited parameters. In addition, management specifies those activities or transactions that need supervisory approval before they are performed or executed by employees. A supervisor’s approval implies that he or she has verified and validated that the activity or transaction conforms to established policies and procedures. (Example: Processing vouchers only after signatures have been obtained from appropriate personnel.)
- Security of Assets (Preventive and Detective): Access to equipment, inventories, securities, cash and other assets is restricted; assets are periodically counted and compared to amounts shown on control records. (Example: door locks and alarm system; physical inventory of equipment is counted and compared to records in Sunflower, the university fixed asset system.)
Detective Controls are designed to find errors or irregularities after they have occurred. Examples of detective controls are:
- Reviews of Performance: Management compares information about current performance to budgets, forecasts, prior periods, or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions that require follow-up. (Example: comparing forecasted athletic ticket sales to the actual results and investigating significant variances.)
- Reconciliations: An employee relates different sets of data to one another, identifies and investigates differences, and takes corrective action, when necessary. (Example: Reconciling FIS Monthly Detail Reports to departmental records.)
Who is responsible for internal controls?
Everyone plays a part in James Madison University's internal control system. Ultimately management is responsible for ensuring that controls are in place. That responsibility is delegated to each area of operation. Every employee has some responsibility for making this internal control system function. Therefore, all JMU employees need to be aware of the concept and purpose of internal controls. Audit and Management Services is here to help you achieve that goal.
Framework for Internal Controls Evaluation
University Policy 1108 (Internal Controls) assigns primary responsibility for maintaining adequate internal controls to academic and administrative department heads, with vice presidents having ultimate responsibility for their divisions.
We use the COSO (Committee of Sponsoring Organizations of the Treadway Commission) Integrated Framework (2013) to evaluate internal controls over university business activities. COSO provides three categories of objectives which allow organizations to focus on differing aspects of internal control:
Operations Objectives pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
Reporting Objectives pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters or the entity’s policies.
Compliance Objectives pertain to adherence to laws and regulations to which the entity is subject.
Principles 1 and 2 are assessed via reviews of governance, risk assessments and enterprise risk management projects. Principles 3 through 9 and 13 through 17 are reviewed during preliminary work on the audit. Operational audits typically focus on principles 10, 11 and 12 as they are most directly related to controlling business processes.
Audit and Management Services has gathered sufficient and relevant information to support an opinion for the identified activities. Our opinion may be that the internal controls are:
- effective
- partially effective
- not effective
“Internal controls are effective” means that:
- Each of the five internal control components and relevant principles are present and functioning.
- The five components are operating together in an integrated manner.
How does my department rate?
Now that you've had a brief introduction to internal controls, you may use the Internal Controls Self-Assessment to evaluate controls for specific functions.