Audit & Advisory Services is committed to assisting all levels of management and staff in the achievement of UCSF's goals and objectives by striving to provide a positive impact on the efficiency and effectiveness of operations. To that end, the internal controls information provided below covers the basic concepts of internal controls and their application to UCSF, including:
Internal controls summary
Internal control structure
Internal control types
Internal controls in my department
Internal controls summary
Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance:
- That information is reliable, accurate and timely
- Of compliance with applicable laws, regulations, contracts, policies and procedures
- Of the reliability of financial reporting
Internal controls are intended to prevent errors and irregularities, identify problems and ensure that corrective action is taken. In many cases, process owners within your department perform controls and interact with the control structure on a daily basis, sometimes without even realizing it because controls are built into operations.
Control definition reflects certain fundamental concepts:
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is effected by people. It is not merely policy manuals and forms, but also people at every level of an organization.
- Internal control can be expected to provide only reasonable, not absolute, assurance to an entity’s management and board.
Internal controls are established to further strengthen:
- The reliability and integrity of information
- Compliance with policies, plans, procedures, laws and regulations
- The safeguarding of assets
- The economical and efficient use of resources
- The accomplishment of established objectives and goals for operations or programs
Internal control structure
The internal control structure is derived from the way management runs an operation or function and is integrated with the management process. Although the components apply to the entire University, small and mid-size departments may implement them differently than large ones do. Together, they are designed to provide reasonable assurance that overall established objectives and goals are met.
The internal control structure consists of five inter-related components:
- Control environment – The control environment sets the tone of an organization, influencing the control consciousness of its people. Control environment factors include (1) the integrity, ethical values and competence of the entity's people; (2) management's philosophy and operating style; (3) the way management assigns authority and responsibility and organizes and develops its people; and (4) the attention and direction provided by the University. Additional examples are:
- Tone from the top
- University policies
- Organizational authority
- Risk assessment – Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Examples include:
- Monthly meetings to discuss risk issues
- Internal audit risk assessment
- Formal internal departmental risk assessment
- Control activities – Control activities are the policies and procedures that help ensure management directives are carried out. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. Additional examples are:
- Purchasing limits
- Approvals
- Security
- Specific policies
- Information and communication – Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports containing operational, financial and compliance-related information that makes it possible to run and control the organization. Effective communication also must occur in a broader sense, flowing down, across and up the organization. Examples include:
- Vision and values or engagement survey
- Issue resolution calls
- Reporting
- University communications (e.g., emails, meetings)
- Monitoring – Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the Regents. Examples include:
- Monthly reviews of performance reports
- Internal audit function
Internal control types
Different risks and environments require different controls. The control types described below can be used in combination to mitigate risks to the organization.
Preventive and detection controls
- Preventive controls attempt to deter or stop an unwanted outcome before it happens. Examples include use of passwords, approval, policies and procedures.
- Detection controls attempt to uncover errors or irregularities that may already have occurred. Examples include reconciliations, monitoring of actual expenses vs. budget, prior periods and forecasts.
Hard vs. soft controls
- Hard controls are formal and tangible. Examples include organizational structure, policies, procedures and segregation of duties
- Soft controls are informal and intangible. Examples include tone at the top, ethical climate integrity, trust and competence
Manual vs. automated controls
- Manual controls are manually performed, either solely manual or IT-dependent, where a system-generated report is used to test a particular control.
- Automated controls are performed entirely by the computer system.
Key vs. secondary controls
- Key controls are those that must operate effectively to reduce the risk to an acceptable level.
- Secondary controls are those that help the process run smoothly but are not essential.
To identify the correct control(s) to implement, you must know what risks are present. To know what risks are present, you need to understand what objectives are being sought. Therefore, Objectives → Risks→ Controls.
Internal controls in my department
Control activities within your department may include the following:
- Implementing segregation of duties where duties are divided (segregated) among different people, to reduce the risk of error or inappropriate actions. No one person has control over all aspects of any financial transaction.
- Making sure transactions are authorized by a person delegated approval authority when the transactions are consistent with policy and funds are available.
- Ensuring records are routinely reviewed and reconciled, by someone other than the preparer or transactor, to determine that transactions have been properly processed.
- Making certain that equipment, inventories, cash and other property are secured physically, counted periodically and compared with item descriptions shown on control records.
- Providing employees with appropriate training and guidance to ensure that they (1) have the knowledge necessary to carry out their job duties, (2) are provided with an appropriate level of direction and supervision and (3) are aware of the proper channels for reporting suspected improprieties.
- Making sure University- and departmental-level policies and operating procedures are formalized and communicated to employees. Documenting policies and procedures and making them accessible to employees helps provide day-to-day guidance to staff and promotes continuity of activities in the event of prolonged employee absences or turnover.
Remember, everyone in your department has responsibility for internal controls.
Note: The above internal controls definition was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is recognized by UCSF Audit & Advisory Services.