Internal Audit Office

Whether or not your unit has ever been audited, you may have heard of Internal Controls. Here is a brief, practical discussion of Internal Controls for administrators: 

What are internal controls and why are they important? 
Internal controls are the methods employed to help ensure the achievement of an objective. They are tools used by administrators everyday. 

Writing procedures to encourage compliance, locking your office to discourage theft, and reviewing your monthly purchase card statement and on-line budget of account to verify transactions are common internal controls employed to achieve specific objectives. 

All administrators, from the unit level to the President of the College, use internal controls to help assure that their units operate according to plan. And the methods they use--policies, procedures, organizational design, and physical barriers--constitute the internal control structure of Central Piedmont Community College.

Most internal controls can be classified as preventive or detective. Preventive controls are designed to discourage errors or irregularities.  Examples are:

• A computer application which checks validity prevents the entry of an invalid account number.
• Reading and understanding college Policies and Procedures.
• An administrator’s review of purchases for propriety and validity prior to approval prevents inappropriate expenditures.

Detective controls are designed to identify an error or irregularity after it has occurred. Examples are:

• An exception report detects and lists incorrect or invalid entries or transactions.
• A comparison of validated Cash Receipt Vouchers to monthly financial statements will detect deposits posted to erroneous accounts.
• The administrator’s review of long distance telephone charges will detect improper or personal calls that should not have been charged to the account.

Through careful design, the system of internal controls can help your unit operate more efficiently and effectively and provide a reasonable level of assurance that the processes and products for which you are responsible are adequately protected.

• Maintaining written procedures for manual processing will ensure that operations can continue in the event of computer failure.

What is the administrator's responsibility? 
As an administrator, you are responsible for ensuring that internal controls are established and functioning to achieve the mission and objectives of your unit. 

To evaluate internal controls, first think about the following general objectives then identify your unit's specific objectives within these broad categories:

• Propriety of Transactions for all activity within accounts for which the administrator is responsible.
• Reliability and Integrity of Information for internal management decisions and external agency reports
• Compliance with Central Piedmont Community College Policies and Procedures, including but not limited to: Human Resources, Financial, Purchasing, granting agencies, and state and federal government
• Safeguarding Assets, including physical objects and College data
• Economy and Efficiency of Operations to optimize the use of limited resources in accomplishing the mission of the unit and Central Piedmont Community College.

Next, identify what controls currently exist (or should be established) to reasonably assure the achievement of each specific objective for your unit. 

What is Internal Audit's responsibility?
Internal Audit provides an independent evaluation of the adequacy of internal controls and reports the results to Central Piedmont Community College administration and the Board of Trustees. Auditors look at how the internal controls, within an operation, work together to make up the internal control structure. The auditor gathers information about the mission and processes of the unit, discusses the major objectives with the administrators, and identifies control points within each process where an error, irregularity, or inefficiency is likely to occur. 

The auditor documents existing controls at each significant control point, evaluates the adequacy of the controls to ensure achievement of the objective, and then tests the controls to verify they are working as described. Further discussions with the administrator focus on control risks, administrator insights, and potential control enhancements. The greater the risk, the more extensive the control that is warranted. 

The auditor's evaluation includes an examination of the following internal control elements:

• Personnel - should be competent and trustworthy, with clearly established lines of authority and responsibility documented in written job descriptions and procedures manuals.
  • Organizational charts provide a visual presentation of lines of authority.
  • Periodic updates of job descriptions ensure that employees are aware of the duties they are expected to perform.
• Authorization Procedures - should include a thorough review of supporting information to verify the propriety and validity of transactions. Approval authority should be commensurate with the nature and significance of the transactions and in compliance with Central Piedmont Community College Policies and Procedures. CPCC Policies and Procedures Manual
  • Time records should be signed by the employee and supervisor with direct knowledge of the employee's work schedule.
  • An account manager may delegate signature authority only to an exempt employee or an appointed biweekly employee.
• Segregation of Duties - should reduce the likelihood of errors and irregularities. An individual should not have responsibility for more than one of the three transaction components: authorization, custody, and record keeping.
  • Authorization for the assessment of class fees (Registrar) is segregated from the collection of those fees (Bursar).
• Physical Restrictions - are the most important type of protective measure for safeguarding College assets, processes, and data.
  • Safe combinations should be changed periodically and anytime a staff member knowing the combination terminates employment.
  • Critical forms, such as custodial fund checkbooks, should be adequately secured.
  • Alarm systems may be necessary to adequately protect large amounts of cash, other valuable assets, or sensitive data.
• Documentation and Record Retention - should provide reasonable assurance that assets are controlled and transactions are correctly recorded.
  • The CPCC Off-campus Use Agreement/Authorization documents the authorized removal of equipment from campus and provides assurance that an individual has accepted responsibility for the item.
• Monitoring Operations - is essential to verify that controls are operating properly. Reconciliation, confirmations, and exception reports can provide this type of information.
  • Periodic equipment inventories provide assurance that assets physically exist and are available for use.
  • Timely bank reconciliations and follow up on outstanding reconciling items provide assurance that assets are safeguarded and accounted for.
  • Account managers must verify the propriety of transactions within their accounts.

What can jeopardize internal controls?
While many circumstances may compromise the effectiveness of your internal control structure, a few of the most common and serious of these warrant special mention:

• Inadequate Segregation of Duties - (Most common audit finding) - Separating responsibility for physical custody of an asset from the related record keeping is a critical control.
  • Persons who can authorize purchase orders (Purchasing) should not be capable of processing payments (Accounts Payable).
  • The person who prepares the deposit should not post the receipts to the customer accounts.
  • The person who prepares the payroll voucher should not distribute or have custody of the payroll checks.
• Inappropriate Access to Assets - Internal controls should provide safeguards for physical objects, restricted information, critical forms, and update applications.
  • An employee who only needs to view computer information should be restricted to Read and File Scan access and should not be granted Write and Create access.
  • Only authorized individuals should be issued keys for restricted areas.
• Inadequate Knowledge of College Policies -The College is not a static environment--new policies and policy revisions are a part of our continual evolution. College Policies and Procedures are available electronically. Administrators must stay abreast of these changes and understand their responsibilities.
  • Fiscal Misconduct - If any employee knows or suspects that other college employees are engaged in theft, fraud, embezzlement, fiscal misconduct or violation of College financial policies, it is their responsibility to immediately notify the executive vice president. [College Policies and Procedures 4.04 – Employment Requirements -CPCC Policies and Procedures Manual]
• Form Over Substance - Controls can appear to be well designed but still lack substance, as is often the case with required approvals.
  • The administrator's signature attests to the accuracy of the payroll voucher information, but if the administrator does not have assurance that the supporting time records are accurate, the approval process lacks substance.
• Control Override - Exceptions to established policies are sometimes necessary to accomplish a specific task, but can pose a significant risk if not effectively monitored and limited.
  • Thorough documentation and approval of all exceptions will help management ensure the availability of a clear explanation for unusual transactions or events. A periodic review of these exceptions also helps to identify the need for policy or procedural changes.
• Inherent Limitations - There is no such thing as a perfect control system. Staff size limitations may obstruct efforts to properly segregate duties, which requires the implementation of compensating controls to ensure that objectives are achieved. A limitation inherent in any system is the element of human error (misunderstandings, fatigue, and stress).
  • An administrator who encourages employees to take earned vacation time can improve operations through cross training while enabling employees to overcome or avoid stress and fatigue.

How much do internal controls cost?
The cost of implementing a specific control should not exceed the expected benefit of the control.

• The potential loss of a computer printer may justify the cost of a door lock but not an alarm system.
• Computer screen savers with passwords are inexpensive, effective methods of protecting sensitive data on a computer.

Sometimes there is no out-of-pocket cost to establish an adequate control. A realignment of duty assignments may be all that is necessary to accomplish the objective.

• Checks received in the mail are immediately separated from supporting documentation for restrictive endorsement and deposit. The supporting documentation is given to a different employee (with a copy of the check, if needed) for crediting the payment or filling an order.
• Voided receipts are approved by someone other than the person preparing receipts.

A well-designed internal control structure can enhance operations by improving your unit's overall efficiency and effectiveness, as well as, reducing the risk of loss or theft.

• A bank lock box establishes accountability and restricts access to cash, in addition to streamlining operations by providing immediate deposits and (possibly) electronic application updates.

In analyzing the pertinent costs and benefits, managers should also consider the possible ramifications for Central Piedmont Community College at large and attempt to identify and weigh the intangible as well as the tangible consequences.

• It may be difficult to determine the cost of poor public relations and lost goodwill if an ex-employee steals cash because the manager did not change the safe combination or retrieve College keys upon the employee's termination.

Help
Internal controls should reduce the risks associated with undetected errors or irregularities, but designing and establishing effective internal controls is not a simple task and cannot be accomplished through a short set of quick fixes. However, we hope that this guide has helped to explain the basic internal control concepts and has given you some ideas for improving your unit's controls. We can also supply an internal control video and booklet and/or you can request one of our auditors to give a demonstration upon request. This video was designed specifically for colleges and universities and is suitable for individual, group, or staff meeting viewing.

These tips are specifically for sponsor audits or other external audits, but they may also be used for guidance to prepare for an internal audit.

Planning and Preparation

• Designate an audit liaison person within your organization who will act as the auditors’ main contact.  This should be an experienced person with strong project management and communication skills.
• Send a general communication to the process owners and affected faculty and staff stating that if the auditors contact them directly, they should notify the liaison.
• Notify Information Technology personnel of an upcoming audit and keep the key ITS contacts up to date of upcoming service requests and support needed related the audit.
• Review policies and procedures and official documents related to an audit, update them prior to the audit if needed and make them available to necessary staff.
• Have the liaison develop a list of contacts who must be kept informed of the audit progress
• Have the liaison develop a list of people who can provide support on technical issues and gather documentation.
• If necessary, schedule and conduct a general training session with individuals who may be asked to participate in the audit either to produce documents, be interviewed by the auditors or participate in findings discussions.
• Contact auditors and set up entrance conference. Clarify the purpose of the audit and ask that audit requirements be in writing. Develop a list of questions for the entrance conference.
• Alert the Compliance & Audit Office of the upcoming audit. Ask if an internal audit was performed in recent years for the processes included in this audit. If answer is yes, review the audit report ensuring that if there were any findings they were addressed or develop a plan to address them with a time line.
• Meet with key employees and discuss the state of the control environment or ask the internal auditors to perform a quick review. If control weaknesses are found, prepare a log of control weaknesses and document your remediation plans along with firm date for implementing these plans. This document can be shared with the external auditors to demonstrate that you are proactive in identifying and fixing control weaknesses.
• Review documentation, ensuring current information is available. Remove obsolete and/or outdated duplicate versions of documents (shred what is not required to be retained per record retention requirements or per current laws and regulations) to avoid uninvited scrutiny by auditors and to make work areas looking professional and clutter free.
• Make necessary arrangements for the audit team’s entrance conference – meeting rooms, internet access, preliminary interview schedule, entrance conference specifics including attendees.
• Arrange for access to all the areas and systems that auditors might need access to during their field visits and for the tour during entrance conference. Arrange for parking for auditors unless it is easily available. Send auditors maps to entrance conference location and parking information.

Entrance Conference

• Introduce auditors to the team. Go over housekeeping e.g. Restrooms, evacuation route, meeting agenda, schedule and information such as snacks, lunch etc.
• Discuss the list of questions developed prior to the meeting including the purpose, objectives and scope of the audit; the awards to be included and sampling techniques; timelines including beginning and end of the fieldwork and expected report date; and communication process, future meeting schedules to review audit status and any concerns/questions need to be addressed during the review.
• Consider giving the auditor(s) a tour of the Campus, specifically areas they might be visiting during the field work.
• Determine staffing and space requirements, including whether the auditor will need internet access during fieldwork; arrange for auditor on-site space; modify meeting room needs as necessary.

Fieldwork

• Obtain the list of requested records and develop an approach for pulling the information on a timely basis.  Give a target date for providing records to the auditors.
• Review the records prior to submission to the auditor.  Consider if the records provide the necessary support.  Anticipate what questions the records may provoke.
• Maintain a list of all records provided to the auditor/auditors and have them sign off on it.
• Meet (In person or virtual meeting) with auditors at least weekly to learn of the status of the audit and potential issues that are identified.
• Verify the facts on which issues are based; perform re-calculations and review source documents, if necessary.
• Communicate at least weekly with those within the organization who need status updates
• Liaison should attend meetings between faculty/non-financial staff and external auditors unless the auditor insists otherwise.
• Set up exit interview.

Exit Interview

• Ask for a copy of each finding or draft report prior to the interview.
• Based on the nature of the issues, ask representatives from other groups to participate, e.g. internal audit, office of sponsored programs, financial services , legal counsel, etc.
• Agree on valid findings; negotiate those findings where the facts are not representative of the control weakness.
• Discuss with the auditors the disposition of the audit issue, i.e. verbal comment, report item, management letter.
• Escalate any disputed issues to supervisors.

Audit Report

• Ask for the final draft report for review.
• Draft management responses and circulate to management for approval.
• Understand the follow-up process.
• Perform a post-audit evaluation to determine weaknesses in the process and potential changes to approach in the future.