You may have heard of the term internal controls, but what exactly is it? Evaluating internal controls is one of Internal Audit’s primary responsibilities. One text book definition is as follows:
Internal control comprises the plan of organization, and all of the coordinate methods, adopted within the entity to safeguard its assets, check the accuracy and reliability of its financial and other data, promote operational efficiency, and encourage adherence to prescribed policies and procedures.
What does this mean in plain English? Perhaps it’s easiest to think of how each of us has developed what we can call our own “personal internal control system”. Consider the following:
When you came to work today, did you lock the doors to your house? If you did, that’s your own “internal control” to safeguard the assets you own. Congratulations, you are an internal control user.
Do you keep the PIN number for your ATM card in a safe place, i.e. away from the card itself? If you do, that’s an internal control that protects your funds from being stolen.
Do you balance your bank statements each month? If you do, then you are ensuring the accuracy of the transactions entered on your account statement. Once again, you are performing your own personal internal control.
There are five primary objectives of internal control that must be considered by Internal Audit, which are as follows:
Compliance with policies and procedures
Accomplishment of objectives and goals
Reliability and integrity of information
Economical and efficient use of resources
Safeguarding of assets
Internal controls are the tools that management uses to help achieve their business objectives. In meeting business objectives, management must consider not only internal factors, but also external factors, including government regulations and generally accepted standards of conduct. In recent years, management is increasingly aware of the risks inherent in ignoring external factors. These risks can include bad publicity, loss of funding, government intervention, and legal action (criminal charges or civil lawsuits). These risks can have a tremendous impact on the survival of the organization, and/or the financial results of its activities.
Generally, most controls can be classified as preventive or detective. Preventive controls are designed to discourage errors or irregularities from occurring. Examples of preventive controls are as follows:
Vouchers are processed only after signatures have been obtained from appropriate personnel
Computer applications prevent the entry of an invalid account number with validity checks
Management prevents inappropriate expenditures by reviewing purchase orders for propriety and validity, prior to giving their approval
Detective controls are designed to identify an error or irregularity after it has occurred.
Examples of detective controls are as follows:
Exception reports detect and list incorrect or invalid entries or transactions
Validated Cash Receipts are compared to monthly financial statements to detect deposits not posted, or posted to the wrong account
Departmental telephone bills are reviewed for personal calls
The Internal Auditor, right? Wrong. Everyone plays a part in Bossier Parish Community College’s internal control system. Ultimately, it is BPCC management’s responsibility to ensure that controls are in place. That responsibility is delegated to each area of operation. Every employee has some responsibility for making this internal control system function properly. Therefore, all BPCC employees need to be aware of the concept and purpose of internal controls.
Upper administration is responsible for setting overall goals and objectives of the College. Department Heads are responsible for ensuring that internal controls are established and functioning to achieve the mission and objective of their particular budget unit. Individual employees are responsible for adhering to prescribed policy and procedures. Internal Audit provides an independent evaluation of the adequacy of internal controls, and reports the results to the College’s Chancellor and upper administration.
While many circumstances may compromise the effectiveness of the College’s internal control structure, a few of the most common and/or serious ones warrant special mention:
Inadequate Segregation of Duties
Separating responsibility for (a) authorizing transactions, (b) recording transactions, and (c) maintaining custody of the assets, is a critical control. No one person should be in a position to both initiate and conceal errors (unintentional mistakes) and irregularities (intentional acts or fraud).
Inadequate Knowledge of College Policy and Procedures
The College is not a static environment. As such, new policy and procedures and/or revisions to it are a part of our continual evolution. All employees should stay abreast of these changes, and understand their responsibilities.
Inappropriate Access to Assets
Internal controls should provide safeguards for physical objects, restricted information, critical forms, and update applications. Only authorized individuals should be issued keys for restricted areas. An employee who needs to view computer information should be restricted to “Inquiry Only” access, and should not be granted “Update” access.
Exceptions to established policy and procedures are sometimes necessary to accomplish a specific task; however, this can pose a significant risk if not effectively monitored and limited. Thorough documentation and approval of all exceptions will help management ensure the availability of a clear explanation for unusual transactions or events. A periodic review of these exceptions helps to identify the need for policy or procedural changes.
There is no such thing as a perfect internal control structure. Staff size limitations may obstruct efforts to properly segregate duties, which requires the implementation of compensating controls to ensure that objectives are achieved. A limitation inherent in any structure is the element of human error (misunderstandings, fatigue, and stress). Internal control can be expected to provide only reasonable assurance, not absolute assurance, to management.
The cost of implementing a specific control should not exceed the expected benefit of the control. The potential loss of a computer printer may justify the cost of a door lock, but not an alarm system. The potential loss of $1,000 in annual revenue, for a specific department, would not justify the cost of hiring another employee to segregate all aspects of the cashiering function. On the other hand, a computer screen saver with a password is a relatively inexpensive, effective method of protecting sensitive data on a computer.
Sometimes, there is no out-of-pocket cost to establish an adequate control. A realignment of duty assignments may be all that is necessary to accomplish the objective.