What is Internal Control?
Internal control is a process, effected by management and other personnel, designed to provide reasonable assurance regarding achievement of objectives in the following categories:
- Operations -- relating to effective and efficient use of The University's resources;
- Financial reporting -- relating to preparation of reliable published financial statements; and
- Compliance -- relating to The University's compliance with applicable laws and regulations.
Internal control consists of five interrelated components as follows:
- Control environment -- Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the Board of Regents.
- Risk assessment -- A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of objectives, forming a basis for determining how the risks should be managed.
- Control activities -- Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
- Information and communication -- Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to carry out their responsibilities. Information systems produce reports, containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities, and conditions necessary for informed business decision-making and external reporting.
- Monitoring -- Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. It includes regular management and supervisory activities, and other actions personnel take when performing their duties.
All components are relevant to each objectives category. When looking at any one category, all five components must be present and functioning effectively to conclude that internal control over operations is effective.
Who is Responsible for Internal Controls?
Management establishes the goals for the program or department, and determines the policies and procedures which would achieve those goals. As such, management is responsible for the components of its internal control, i.e., it establishes a control environment, assesses risks it wishes to control, specifies information and communication channels and content, designs and implements control activities, and monitors, supervises, and maintains the controls.
When is Internal Control Effective?
Internal control can be judged effective in each of the three categories, respectively, if management have reasonable assurance that they understand the extent to which:
- The entity's operational objectives are being achieved;
- Published financial statements are being prepared reliably; and
- Applicable laws and regulations are being complied with.
Note: The above definition of internal control and related concepts are taken directly from Internal Control -- Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission.

Testing Internal Controls
The auditor should gain an understanding of and evaluate the auditee's internal control relative to the audit objectives. The auditor achieves this understanding while gathering background information and conducting preliminary surveys/interviews. There will be situations in which the auditor will need to develop an internal control questionnaire (ICQ) to assist them in interviewing the auditee regarding the controls within a process. The auditor should review prior audit files and ask the management team to determine if an ICQ already exists. Standard questionnaires can be found in the notebook titled "I.C. Quest. Blanks" on the hall shelf.
The evaluation of the strengths or weaknesses in internal control allows the auditor to make decisions determining the nature, timing, and extent of the audit tests necessary to satisfy the objectives of the audit. The information obtained may be summarized in questionnaires, narrative memoranda, flowcharts, or decision tables. Significant weaknesses may require the revision of the scope. The auditor should also make constructive suggestions to improve controls where weaknesses are noted. Significant weaknesses may require the issuance of an Interim Audit Memorandum.

