Internal Controls are operating practices or activities that are established to provide reasonable assurance that specific objectives will be achieved.
Primary objectives of an internal control system are:
- Compliance with applicable policies, procedures, plans, laws, regulations and contracts;
- Reliability and integrity of information;
- Economic and efficient use of resources; and
- Safeguarding of assets.
Accomplishment of these objectives increases the likelihood that the goals and objectives established by the University will be met.
The 5 "Components of Internal Control" represent those means by which the University can achieve its objectives:
- Control Environment - sets the overall tone of the organization;
- Risk Assessment - management's identification of risk;
- Information and Communication System - a means of recording transactions and communicating responsibilities;
- Monitoring - assessment of internal control over time; and
- Existing Control Activities -policies and procedures established to ensure that management's directives are carried out.
Controls are any action taken by management to increase the likelihood that established goals and objectives are achieved.
Controls can be directive, preventative or detective. Directive controls are those designed to establish desired outcomes; preventative controls are designed to prevent errors, irregularities or undesirable events from occurring; and detective controls are those designed to detect and correct undesirable events which have occurred. Below are several examples of each control.
- Policies and procedures
- Laws and regulations
- Training seminars
- Job descriptions
- Segregation of duties (authorization, recordkeeping & custody of the related assets should not be performed by the one same individual)
- Physical control over assets
- Locking office door to discourage theft
- Using passwords to restrict computer access
- Shredding documents with confidential information
- Exception reports which list incorrect or invalid entries or transactions
- Reviews and comparisons
- Physical counts of inventories
Internal Control is not always good if:
- It is excessive. A control that unnecessarily increases the complexity of a transaction process without adding value to the activity being controlled is ineffective and a waste of resources; and
- Have costs that outweigh the derived benefits.
Establishing and maintaining a system of internal controls is the responsibility of management. In order to maintain effective internal controls, management should:
- Maintain adequate policies and procedures;
- Communicate these policies and procedures; and
- Monitor compliance with policies and practices.