Internal Controls

What are Internal Controls?

Internal controls, in the broadest sense, include the activities and procedures adopted by management to help meet their goals. Internal controls include processes for planning, organizing, directing, controlling, and reporting on the organization’s operations. Internal controls are an integral component of an organization’s operations that provide reasonable assurance that the following objectives are being achieved:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

What are the Components of Internal Controls?

Management is responsible for developing and maintaining internal control activities that comply with the following five interrelated components:

  • Control Environment

    The control environment is the organizational structure and culture created by management and employees to sustain organizational support for effective internal controls.  When designing, evaluating, or modifying the organizational structure, management must clearly demonstrate their commitment to competence in the workplace.  Within the organizational structure, management must clearly:

    • Define areas of authority and responsibility.

    • Appropriately delegate authority and responsibility throughout the organization.

    • Establish a suitable hierarchy for reporting.

    • Support appropriate human capital policies for hiring, training, evaluating, counseling, advancing, compensating, and disciplining personnel.

    • Uphold the need for personnel to possess and maintain the proper knowledge and skills to perform their assigned duties.

    • Understand the importance of maintaining effective internal control within the organization.

    The organizational culture is also crucial within this standard.  The culture should be defined by management’s leadership in setting values of integrity and ethical behavior, but is also affected by the relationship between the organization and the Board of Regents.  Management’s philosophy and operational style will set the tone within the organization. Management’s commitment to establishing and maintaining effective internal controls should cascade down and permeate the organization’s control environment, which will aid in the successful implementation of internal control systems.

  • Risk Assessment

    Management should identify internal and external risks that may prevent the organization from meeting its objectives. When identifying risks, management should take into account relevant interactions within the organization as well as outside the organization. When identifying risks, management should also consider previous findings, e.g., auditor-identified findings, internal management reviews, or noncompliance with laws and regulations. Identified risks should then be analyzed for their potential effect or impact on the organization.

  • Control Activities

    Control activities include policies, procedures, and mechanisms in place to help ensure that organization objectives are met. Examples of control activities include:

    • Proper segregation of duties (separate individuals who authorize transactions from those who process and review transactions).

    • Physical controls to safeguard assets.

    • Proper approval of transactions and events.

    • Appropriate documentation and access to that documentation.

    Internal controls also need to be in place over information systems, including general and application controls. General controls apply to all information systems, such as the mainframe, network, and end-user environments, and include organization-wide security program planning, management, control over data center operations, system software acquisition, and maintenance. Application controls should be designed to ensure that transactions are properly authorized and processed accurately and that the data is valid and complete. Controls, such as edit checks, should be established at application interfaces to verify inputs and outputs. General and application controls over information systems are interrelated, and both are needed to ensure complete and accurate information processing. Due to the rapid changes in information technology, controls must also adapt and evolve to remain effective.

  • Information and Communications

    Information should be communicated to relevant personnel at all levels within an organization.  The information should be relevant, reliable, and timely.  It is also crucial that an organization communicate with outside organizations, whether providing information or receiving it.

    Examples include:

    • Receiving updated guidance from central oversight agencies.

    • Management communicating requirements to the operational staff.

    • Operational staff communicating with the information systems staff to modify application software to extract data requested in the guidance.

  • Monitoring

    Monitoring the effectiveness of internal controls should occur in the normal course of business. In addition, periodic reviews, reconciliations or comparisons of data should be included as part of the regular assigned duties of personnel. Periodic assessments should be integrated as part of management’s continuous monitoring of internal controls, which should be ingrained in the organization’s operations. If an effective continuous monitoring program is in place, it can level the resources needed to maintain effective internal controls throughout the year.

    Deficiencies found in internal controls should be reported to the appropriate personnel and management responsible for that area. Deficiencies identified, whether through internal review or by an external audit, should be evaluated and corrected. A systematic process should be in place for addressing deficiencies.
