Internal controls are methods used by an organization to help ensure the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Safeguarding of assets
- Compliance with applicable laws and regulations
Controls can be either manual or automated.
- Manual controls are performed by hand without a computer or other mechanization. An example: Management personnel approves an expense report.
- Automated controls are embedded into the processing logic of a computerized application. Access to certain transactions are limited by security controls. An example: Only certain users can initiate payment to a vendor.
Controls can be either detective or preventive.
- Detective controls are actions taken to search for and correct undesirable outcomes. An example: Monthly bank account reconciliation. Another example: Computer operations log of programmed "jobs" that abnormally ended.
- Preventive controls are actions that function in a precautionary or deterring manner. An example: Access controls will only log you on your computer with a correct ID and password.
Controls satisfy the following business objectives:
- Completeness - All transactions are processed only once.
- Accuracy - All transactions are processed correctly.
- Validity - All transactions are approved or authorized by the appropriate person.
- Restrictiveness - Access to certain functions are limited to authorized people.
Key Internal Control Activities
Segregation of Duties - Duties are divided, or segregated, among different people to reduce the risk of error or inappropriate actions. For example, responsibilities for receiving cash or checks, preparing the deposit to the Student Account Services and University Billing Office, and reconciling the deposit to the Receivable Accounting Office receipt and accounting report should be separated.
Authorization and Approval - Transactions should be authorized and approved to help ensure the activity is consistent with departmental or institutional goals and objectives. For example, a department may have a policy that all purchase requisitions and invoice vouchers must be approved by the director. The important thing is that the person who approves transactions must have the authority to do so and the necessary knowledge to make informed decisions.
Reconciliation and Review - Performance reviews of specific functions or activities may focus on compliance, financial or operational issues. Reconciliation involves comparing transactions or activity recorded to other sources to help ensure that the information reported is accurate. For example, revenue and expense activity recorded on accounting reports should be reconciled or compared to supporting documents to ensure that the transactions are recorded in the correct account and for the right amount.
Physical Security - Equipment, inventories, cash, checks and other assets should be secured physically, and periodically counted and compared with amounts shown on control records. For example, the periodic confirmation of equipment by individual departments is a physical security control.
See Quick Reference Guide for university policies or best practices that Internal Audit believes will help create good internal controls.