What are Internal Controls?

Internal controls, in the broadest sense, include the activities and procedures adopted by management to help meet their goals. Internal controls include processes for planning, organizing, directing, controlling, and reporting on the organization’s operations. Internal controls are an integral component of an organization’s operations that provide reasonable assurance that the following objectives are being achieved:

  • Achievement of the organization’s strategic objectives.
  • Reliability and integrity of financial and operational information.
  • Effectiveness and efficiency of operations and programs.
  • Safeguarding of assets, to include the economical and efficient use of University resources.
  • Compliance with laws, regulations, policies, procedures, and contracts.

What are the Components of Internal Controls?

Management is responsible for developing and maintaining internal control activities that comply with the following five interrelated components:

The control environment is the organizational structure and culture created by management and employees to sustain organizational support for effective internal controls. When designing, evaluating, or modifying the organizational structure, management must clearly demonstrate their commitment to competence in the workplace. Within the organizational structure, management must clearly:

  • Define areas of authority and responsibility.
  • Appropriately delegate authority and responsibility throughout the organization.
  • Establish a suitable hierarchy for reporting.
  • Support appropriate human capital policies for hiring, training, evaluating, counseling, advancing, compensating, and disciplining personnel.
  • Uphold the need for personnel to possess and maintain the proper knowledge and skills to perform their assigned duties.
  • Understand the importance of maintaining effective internal control within the organization.

The organizational culture is also crucial within this standard. The culture should be defined by management’s leadership in setting values of integrity and ethical behavior, but is also affected by the relationship between the organization and the Board of Regents. Management’s philosophy and operational style will set the tone within the organization. Management’s commitment to establishing and maintaining effective internal controls should cascade down and permeate the organization’s control environment, which will aid in the successful implementation of internal control systems.

Management should identify internal and external risks that may prevent the organization from meeting its objectives. When identifying risks, management should take into account relevant interactions within the organization as well as outside the organization. Management should also consider previous findings (e.g., auditor-identified findings, internal management reviews, or noncompliance with laws and regulations) when identifying risks. Identified risks should then be analyzed for their potential effect or impact on the organization.

Control activities include policies, procedures, and mechanisms in place to help ensure that organization objectives are met. Examples of control activities include:

  • Proper segregation of duties (separate individuals who authorize transactions from those who process and review transactions).
  • Physical controls to safeguard assets.
  • Proper approval of transactions and events.
  • Appropriate documentation and access to that documentation.

Internal controls also need to be in place over information systems, including general and application controls. General controls apply to all information systems, such as the mainframe, network, and end-user environments, and include organization-wide security program planning, management, control over data center operations, system software acquisition, and maintenance. Application controls should be designed to ensure that transactions are properly authorized and processed accurately and that the data is valid and complete. Controls should be established at application interfaces to verify inputs and outputs, such as edit checks. General and application controls over information systems are interrelated and both are needed to ensure complete and accurate information processing. Due to the rapid changes in information technology, controls must also adapt and evolve to remain effective.

Information should be communicated to relevant personnel at all levels within an organization. The information should be relevant, reliable, and timely. It is also crucial that an organization communicate with outside organizations, whether providing information or receiving it.

Examples include:

  • Receiving updated guidance from central oversight agencies.
  • Management communicating requirements to the operational staff.
  • Operational staff communicating with the information systems staff to modify application software to extract data requested in the guidance.

Monitoring the effectiveness of internal controls should occur in the normal course of business. In addition, periodic reviews, reconciliations or comparisons of data should be included as part of the regular assigned duties of personnel. Periodic assessments should be integrated as part of management’s continuous monitoring of internal controls, which should be ingrained in the organization’s operations. If an effective continuous monitoring program is in place, it can level the resources needed to maintain effective internal controls throughout the year.

Deficiencies found in internal controls should be reported to the appropriate personnel and management responsible for that area. Deficiencies identified, whether through internal review or by an external audit, should be evaluated and corrected. A systematic process should be in place for addressing deficiencies.