What is this Thing Called Internal Controls?

Definition of Internal Control

Internal control is an “on-going process” put in place by the College’s Board of Trustee’s, administration, faculty and staff and is designed to provide reasonable assurance of effectively and efficiently safeguarding the College’s assets and meeting various operational, financial and compliance objectives required of the College.

All levels of management at Dixie State College (trustees, departments) have the primary responsible for establishing internal control processes to keep the College on course toward its financial goals, to help it achieve its mission, to minimize risk, to deal with change, and more effectively utilize the scarce financial resources that have been entrusted to the College.

The following key internal control objectives apply to College managers:

• Accuracy of financial statements or other information produced by the College
• Validity of transactions(financial or academic)
• Timelessness and completeness in processing transactions
• Timelessness and accuracy of information being provided(internally or externally)
• Compliance with applicable regulations and College policy and standards of conduct(Ethics)

Internal Control weaknesses present individuals with the opportunity to perpetrate and conceal fraudulent activity without detection or allow inadvertent errors to occur and not be detected in a timely manner.

The Elements of Internal Control

(1) Control Environment – The control environment sets the tone for an organization. It provides discipline and structure and strongly influences the control consciousness of the people within the organization. The control environment at Dixie State College begins with the administration’s philosophy and operating style as well as the priorities and direction provided by the College and its leaders.

Management enhances an organization’s control environment when they establish and effectively communicate written policies and procedures, a code of ethics, and standards of conduct. Moreover, management enhances the control environment when they behave in an ethical manner – creating a positive "tone at the top" – and when they require that same standard of conduct from everyone in the organization.

Management should foster a control environment which encourages:

• The highest levels of integrity and personal and professional leadership
• A leadership philosophy and operating style which promote internal control throughout the organization;
• An assignment of authority and responsibility which ensures the highest possible level of accountability.
• Communicate to employees that fraud (embezzlements, stealing, etc.) and conflicts of interest will not be tolerated.
• Communicate that College policies and procedures are important and WILL be followed.
• Make employees fully aware of their responsibilities (including internal controls).
• Make employees aware of department/College policies and procedures.
• Encourage self-monitoring of operations and job performance on an on-going basis.

(2) Risk Assessment – Risk assessment is the identification and analysis of relevant risks which may prevent the College or departments from meeting its operational, financial and compliance goals and objectives. Managers at Dixie State College should assess risks based on the types of activities performed, the organizational structure utilized, and the staffing levels and attitudes within the department.

(3) Control Activities – Control activities are the policies and procedures established to ensure that management’s directives are implemented. Dixie State College’s business managers must be cognizant of College policies and procedures and supplement these procedures with department level guidance when necessary. Managers should also understand that employees will respect and comply with policies and procedures IF they see this respect “modeled” from their immediate supervisors, managers and department heads.

Segregation of duties is an example of a general internal control principle which is critical to effective internal control; it reduces the risk of both erroneous and inappropriate actions. In general, the approval function, the accounting/reconciling function, and the asset custody function should be separated among employees. When these functions cannot be separated, a detailed supervisory review of related activities is required as a compensating control activity. Segregation of duties is a deterrent to fraud because it requires collusion with another person to perpetrate a fraudulent act.

Segregation of Duties – The separation of certain functions such as initiating, authorizing, recording and reconciling transactions is an important control activity. The amount of segregation possible within a department depends on the size and structure of the department. However, every effort should be made by Dixie State College’s managers to ensure that one person does not have control over all parts of a transaction.

Specific examples of segregation of duties are as follows:

• The person who requisitions the purchase of goods or services should not be the person who approves the purchase.
• The person who approves the purchase of goods or services should not be the person who reconciles the monthly financial reports.
• The person who approves the purchase of goods or services should not be able to obtain custody of checks.
• The person who maintains and reconciles the accounting records should not be able to obtain custody of checks.
• The person who opens the mail and prepares a listing of checks received should not be the person who makes the deposit.
• The person who opens the mail and prepares a listing of checks received should not be the person who maintains the accounts receivable accounting records.

Authorization/ Approval Processes – Approving and Authorizing responsibilities within Dixie State College departments should be limited to as few people as possible. Any delegated authority should be clearly documented and passwords must be kept confidential. Also, supportive documentation should be reviewed for validity, completeness and accuracy.

To avoid compromising internal controls, it is important that authorizers ask questions about transactions, require documentation for ALL transaction placed before you for approval or signature and determine that the transaction is accurate, valid, complete, and in accordance with relevant financial, legal, and contractual requirements.

Authorizers/signers have a responsibility to verify and understand the types of transactions that they are approving.

Physical Control of Assets – Departmental managers are responsible for the physical control of assets within the department. Safeguards should be implemented to ensure proper accountability of assets.

(4) Information and Communication – Information and communication are essential to effecting control; information about an organization’s plans, control environment, risks, control activities, and performance must be communicated up, down, and across an organization. Reliable and relevant information from both internal and external sources must be identified, captured, processed, and communicated to the people who need it – in a form and timeframe that is useful. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control an organization.

Information and communication systems can be formal or informal. Formal information and communication systems – which range from sophisticated computer technology to simple staff meetings – should provide input and feedback data relative to operations, financial reporting, and compliance objectives; such systems are vital to an organization’s success. Just the same, informal conversations with customers, suppliers, regulators, and employees often provide some of the most critical information needed to identify risks and opportunities.

Pertinent information must be identified, captured and communicated in a useable form and format and within a reasonable timeframe that enables staff and other users of this information to effectively and timely carry out their responsibilities

When assessing the adequacy of Information and communication controls over a significant activity (or process), the key questions to ask about Information and Communication are as follows:

• Does our department get the information it needs from internal and external sources – in a form and timeframe that is useful?
• Does our department get information that alerts it to internal or external risks (e.g., legislative, regulatory, and developments)?
• Does our department get information which measures its performance – information that tells the department whether it is achieving its operations, financial reporting, and compliance objectives
• Does our department identify, capture, process, and communicate the information that others need (e.g., information used by our customers or other departments) in a form and timeframe that is useful?
• Does our department provide information to others that alerts them to internal or external risks?
• Does our department communicate effectively – internally and externally?
• If your answers to these and similar questions is generally in the negative, you may have a situation where critical information is not being communicated timely and accurately for decision making purposes.

(5) Monitoring – Monitoring is a process that assesses and evaluates the department’s effectiveness in meeting the College’s established financial and operational goals and objectives. In addition, there needs to be an ongoing system to monitor the effectiveness of the existing financial and operational controls that have previously been put in place time. Managers are responsible for monitoring the activities performed within the department.

Just as control activities help to ensure that actions to manage risks are carried out, monitoring helps to ensure that control activities and other planned actions to effect internal control are carried out properly and in a timely manner and that the end result is effective internal control. Ongoing monitoring activities include various management and supervisory activities that either validate or invalidate the design, execution, and effectiveness of internal control.

Separate evaluations, on the other hand, such as self-assessments and internal audits, are periodic evaluations of internal control components resulting in a formal report on internal control. Self-assessments are performed by department employees; internal audits are performed by internal auditors who provide an independent appraisal of internal control.

Monitoring by Departmental mangers would normally include such things as monthly financial statement review, departmental feedback sessions, internal evaluations (i.e. self-assessment), required explanations of variances noted between budget or planned performance, etc.

Frequent financial Reviews of data- Common approaches to “monitoring”

Budget to actual comparison
Current or prior period comparison
Performance indicators
Follow-up on unexpected results or unusual items

Reviewing reports, statements, reconciliations, and other information by management is an important control activity; management should review such information for consistency and reasonableness. Reviews of performance provide a basis for detecting problems. Management should compare information about current performance to budgets, forecasts, prior periods, competitors, or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions which require follow-up. Management’s review of reports, statements, reconciliations, and other information should be documented as well as the resolution of items noted for follow-up.

Reconciliation of Internal Information

Broadly defined, reconciliation is a comparison of different sets of data to one another, identifying and investigating differences, and taking corrective action, when necessary, to resolve differences. Reconciling monthly financial reports to file copies of supporting documentation or departmental accounting records is an example of reconciling one set of data to another. This control activity helps to ensure the accuracy and completeness of transactions that have been charged to a department’s accounts.

To ensure proper segregation of duties, the person who approves transactions or handles cash receipts should not be the person who performs the reconciliation.

A critical element of the reconciliation process is to resolve differences. It does not do any good to note differences and do nothing about it. Differences should be identified, investigated, and explained – corrective action must be taken. If expenditure is incorrectly charged to a department’s accounts, then the approver should post a correcting journal entry; the reconciler should ascertain that the correcting journal entry was posted. Reconciliations should be documented and approved by management.

Common ways that Internal Controls are Compromised

The most common circumstances that may compromise the effectiveness of internal controls are:

• Inadequate segregation of duties – a single person is allowed to initiate and approve a transaction without additional review and authorization by a second individual.
• Inappropriate access to information – an employee is given access to confidential
• Information or system processes that are not necessary for their job function.
• Form over substance -- someone is given approval authority but lacks adequate knowledge of the transaction or area.
• Overriding of controls – Management and other high level individuals ignoring or making continuous exceptions to policies without properly documenting the exceptions or monitoring these exceptions so that they do not become the “policy”
• “Rubber-stamping” transactions – someone authorizes or approves a transaction without understanding the purpose and without asking the proper questions to determine that the transaction is valid.
• Lack of documentation – not requiring proper paperwork/documentation to support an action that has been or will be taken. Signing documents without sufficient “backup” paperwork.
• Lack of independent monitoring - no systematic approach to evaluating information and output from various sources.

Back to Top