SOURCE: California State University - University Auditor Show You may have heard the term "internal control(s)," but what exactly is it? Evaluating internal controls is one of internal auditing's primary responsibilities. The Institute of Internal Auditors (IIA) defines control and control processes as follows: A control is any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Control processes are the policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process. Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives. A broadly accepted definition of internal control comes from the Committee of Sponsoring Organizations (COSO)1 of the Treadway Commission's report entitled The Control-Integrated Framework (COSO Report) as follows: Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objective in the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. Key points about internal control include:
In the California State University (CSU) environment, internal controls serve the following purposes:
Generally, controls are of two types:
The COSO Report further defines five interrelated components of internal control:
Who is responsible for internal controls?The auditors, right? Wrong! Everyone plays a part in the CSU's internal control system. Ultimately, it is CSU management's responsibility to ensure that controls are in place. That responsibility is delegated to each area of operation, which must ensure that internal controls are established, properly documented, and maintained. Every employee has some responsibility for making this internal control system function. Therefore, all CSU employees need to be aware of the concept and purpose of internal controls. Internal audit's role is to assist management in their oversight and operating responsibilities through independent audits and consultations designed to evaluate and promote the systems of internal control. What is internal auditing?The IIA defines internal auditing as an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The internal audit activity evaluates the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. Internal audit reviews include the reliability and integrity of financial and operational information, effectiveness and efficiency of operations, safeguarding of assets, and compliance with laws, regulations, and contracts. These reviews also ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization, as well as the extent to which results are consistent with established goals and objectives and whether operations and programs are being implemented or performed as intended. 1. COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. Who maintains internal control?Management Responsibility: Administrative management is responsible for maintaining an adequate system of internal control. Management is responsible for communicating the expectations and duties of staff as part of a control environment.
Who is responsible to implement and maintain a proper system of internal control?Although ultimate responsibility for good internal control rests with management, all employees have a role in the effective operation of internal control that has been set by management. Understanding of internal control can be enhanced by focusing on two basic aspects of internal control: objectives and techniques.
Who implements internal control?The area to implement internal controls is the Internal Audit Department and/or the Accounting Area. If you have more than 350 employees in your organization, you should have an Accounting Department and an Internal Audit Department. Note, the Internal Audit Department should report to the board of directors.
What are the 4 types of internal controls?Pre-approval of actions and transactions (such as a Travel Authorization) Access controls (such as passwords and Gatorlink authentication) Physical control over assets (i.e. locks on doors or a safe for cash/checks) Employee screening and training (such as the PRO3 Series to increase employee knowledge)
|