Definition
An Internal control is any policy, procedure, practice, or mechanism designed to provide reasonable assurance that the organization's objectives will be achieved. This includes controls designed to safeguard assets, ensure the timeliness, accuracy and reliability of financial and management reporting and to promote operational efficiency, effectiveness and compliance with all applicable laws, regulations, policies and procedures.
Internal Controls can generally be classified as preventive, detective, compensating or steering. Preventive controls are designed to avoid errors or irregularities. Detective controls are designed to identify errors or irregularities after they have occurred so corrective action can be taken. Compensating controls are designed to provide reasonable assurance where resource limitations preclude the implementation of more direct controls. Steering controls (i.e. policies) are designed to guide actions towards the desired objectives.
Control Elements
Internal Control activities are designed to meet specific risk-reduction objectives and generally fit within the following categories:
Documentation: All policies and procedures should be formally documented to ensure they are applied consistently by all staff and that the unit will not suffer unnecessarily by the departure of knowledgeable employees. Management decisions and financial transactions should be documented to provide reasonable assurance that university assets are adequately controlled and transactions are correctly recorded. Documentation should be retained in accordance with university policies.
Authorization: Approval authority should be commensurate with the nature and significance of the transactions and in compliance with university policy. Approval should only be given following a thorough review of supporting information to verify the propriety, accuracy and validity of transactions. Authorizations and delegations of signing authority should be documented in writing.
Reconciliations and Reviews: These should be performed at regular intervals by senior unit personnel to ensure that controls are operating effectively and to uncover any errors or irregularities. Managers and supervisors should reconcile and review Statement of Operations at least monthly for accuracy, correct account classification, compliance with applicable policies/procedures and propriety. Principal Investigators should perform the same function using Monthly PI Reports.
Personnel: Competence and integrity should be stressed for all employees. They should be adequately trained and supervised and receive written position descriptions to document their assigned authority and responsibility.
Access Restrictions: Access to physical assets and records should be physically restricted to only those who are authorized and require access. Access to electronic information and processes should be further restricted by the appropriate use of passwords and restricted user account profiles. These measures limit the risk of asset misappropriation, tampering or other misuse.
Segregation of Duties: At a minimum, to prevent errors and irregularities individuals should not have responsibility for more than one of the three components of a transaction: initiation, processing and reconciliation. Where staffing levels permit, it is preferable to segregate all three components.