Whether or not your unit has ever been audited, you may have heard of Internal Controls. Here is a brief, practical discussion of Internal Controls for administrators:
What are internal controls and why are they important?
Internal controls are the methods employed to help ensure the achievement of an objective. They are tools used by administrators everyday.
Writing procedures to encourage compliance, locking your office to discourage theft, and reviewing your monthly purchase card statement and on-line budget of account to verify transactions are common internal controls employed to achieve specific objectives.
All administrators, from the unit level to the President of the College, use internal controls to help assure that their units operate according to plan. And the methods they use--policies, procedures, organizational design, and physical barriers--constitute the internal control structure of Central Piedmont Community College.
Most internal controls can be classified as preventive or detective. Preventive controls are designed to discourage errors or irregularities. Examples are:
- A computer application which checks validity prevents the entry of an invalid account number.
- Reading and understanding College Policies and Procedures, such as those in Chapter 4 - Personnel, CPCC Policies and Procedures Manual.
- An administrator’s review of purchases for propriety and validity prior to approval prevents inappropriate expenditures.
Detective controls are designed to identify an error or irregularity after it has occurred. Examples are:
- An exception report detects and lists incorrect or invalid entries or transactions.
- A comparison of validated Cash Receipt Vouchers to monthly financial statements will detect deposits posted to erroneous accounts.
- The administrator’s review of long distance telephone charges will detect improper or personal calls that should not have been charged to the account.
Through careful design, the system of internal controls can help your unit operate more efficiently and effectively and provide a reasonable level of assurance that the processes and products for which you are responsible are adequately protected.
- Maintaining written procedures for manual processing will ensure that operations can continue in the event of computer failure.
What is the administrator's responsibility?
As an administrator, you are responsible for ensuring that internal controls are established and functioning to achieve the mission and objectives of your unit.
To evaluate internal controls, first think about the following general objectives then identify your unit's specific objectives within these broad categories:
- Propriety of Transactions for all activity within accounts for which the administrator is responsible.
- Reliability and Integrity of Information for internal management decisions and external agency reports
- Compliance with Central Piedmont Community College Policies and Procedures, including but not limited to: Human Resources, Financial, Purchasing, granting agencies, and state and federal government
- Safeguarding Assets, including physical objects and College data
- Economy and Efficiency of Operations to optimize the use of limited resources in accomplishing the mission of the unit and Central Piedmont Community College.
Next, identify what controls currently exist (or should be established) to reasonably assure the achievement of each specific objective for your unit.
What is Internal Audit's responsibility?
Internal Audit provides an independent evaluation of the adequacy of internal controls and reports the results to Central Piedmont Community College administration and the Board of Trustees. Auditors look at how the internal controls, within an operation, work together to make up the internal control structure. The auditor gathers information about the mission and processes of the unit, discusses the major objectives with the administrators, and identifies control points within each process where an error, irregularity, or inefficiency is likely to occur.
The auditor documents existing controls at each significant control point, evaluates the adequacy of the controls to ensure achievement of the objective, and then tests the controls to verify they are working as described. Further discussions with the administrator focus on control risks, administrator insights, and potential control enhancements. The greater the risk, the more extensive the control that is warranted.
The auditor's evaluation includes an examination of the following internal control elements:
- Personnel - should be competent and trustworthy, with clearly established lines of authority and responsibility documented in written job descriptions and procedures manuals.
- Organizational charts provide a visual presentation of lines of authority.
- Periodic updates of job descriptions ensure that employees are aware of the duties they are expected to perform.
- Authorization Procedures - should include a thorough review of supporting information to verify the propriety and validity of transactions. Approval authority should be commensurate with the nature and significance of the transactions and in compliance with Central Piedmont Community College Policies and Procedures. CPCC Policies and Procedures Manual
- Time records should be signed by the employee and supervisor with direct knowledge of the employee's work schedule.
- An account manager may delegate signature authority only to an exempt employee or an appointed biweekly employee.
- Segregation of Duties - should reduce the likelihood of errors and irregularities. An individual should not have responsibility for more than one of the three transaction components: authorization, custody, and record keeping.
- Authorization for the assessment of class fees (Registrar) is segregated from the collection of those fees (Bursar).
- Physical Restrictions - are the most important type of protective measure for safeguarding College assets, processes, and data.
- Safe combinations should be changed periodically and anytime a staff member knowing the combination terminates employment.
- Critical forms, such as custodial fund checkbooks, should be adequately secured.
- Alarm systems may be necessary to adequately protect large amounts of cash, other valuable assets, or sensitive data.
- Documentation and Record Retention - should provide reasonable assurance that assets are controlled and transactions are correctly recorded.
- The CPCC Off-campus Use Agreement/Authorization documents the authorized removal of equipment from campus and provides assurance that an individual has accepted responsibility for the item.
- Monitoring Operations - is essential to verify that controls are operating properly. Reconciliation, confirmations, and exception reports can provide this type of information.
- Periodic equipment inventories provide assurance that assets physically exist and are available for use.
- Timely bank reconciliations and follow up on outstanding reconciling items provide assurance that assets are safeguarded and accounted for.
- Account managers must verify the propriety of transactions within their accounts.
What can jeopardize internal controls?
While many circumstances may compromise the effectiveness of your internal control structure, a few of the most common and serious of these warrant special mention:
- Inadequate Segregation of Duties - (Most common audit finding) - Separating responsibility for physical custody of an asset from the related record keeping is a critical control.
- Persons who can authorize purchase orders (Purchasing) should not be capable of processing payments (Accounts Payable).
- The person who prepares the deposit should not post the receipts to the customer accounts.
- The person who prepares the payroll voucher should not distribute or have custody of the payroll checks.
- Inappropriate Access to Assets - Internal controls should provide safeguards for physical objects, restricted information, critical forms, and update applications.
- An employee who only needs to view computer information should be restricted to Read and File Scan access and should not be granted Write and Create access.
- Only authorized individuals should be issued keys for restricted areas.
- Inadequate Knowledge of College Policies -The College is not a static environment--new policies and policy revisions are a part of our continual evolution. College Policies and Procedures are available electronically. Administrators must stay abreast of these changes and understand their responsibilities.
- Fiscal Misconduct - If any employee knows or suspects that other college employees are engaged in theft, fraud, embezzlement, fiscal misconduct or violation of College financial policies, it is their responsibility to immediately notify the executive vice president. [College Policies and Procedures 4.04 – Employment Requirements -CPCC Policies and Procedures Manual]
- Form Over Substance - Controls can appear to be well designed but still lack substance, as is often the case with required approvals.
- The administrator's signature attests to the accuracy of the payroll voucher information, but if the administrator does not have assurance that the supporting time records are accurate, the approval process lacks substance.
- Control Override - Exceptions to established policies are sometimes necessary to accomplish a specific task, but can pose a significant risk if not effectively monitored and limited.
- Thorough documentation and approval of all exceptions will help management ensure the availability of a clear explanation for unusual transactions or events. A periodic review of these exceptions also helps to identify the need for policy or procedural changes.
- Inherent Limitations - There is no such thing as a perfect control system. Staff size limitations may obstruct efforts to properly segregate duties, which requires the implementation of compensating controls to ensure that objectives are achieved. A limitation inherent in any system is the element of human error (misunderstandings, fatigue, and stress).
- An administrator who encourages employees to take earned vacation time can improve operations through cross training while enabling employees to overcome or avoid stress and fatigue.
How much do internal controls cost?
The cost of implementing a specific control should not exceed the expected benefit of the control.
- The potential loss of a computer printer may justify the cost of a door lock but not an alarm system.
- Computer screen savers with passwords are inexpensive, effective methods of protecting sensitive data on a computer.
Sometimes there is no out-of-pocket cost to establish an adequate control. A realignment of duty assignments may be all that is necessary to accomplish the objective.
- Checks received in the mail are immediately separated from supporting documentation for restrictive endorsement and deposit. The supporting documentation is given to a different employee (with a copy of the check, if needed) for crediting the payment or filling an order.
- Voided receipts are approved by someone other than the person preparing receipts.
A well-designed internal control structure can enhance operations by improving your unit's overall efficiency and effectiveness, as well as, reducing the risk of loss or theft.
- A bank lock box establishes accountability and restricts access to cash, in addition to streamlining operations by providing immediate deposits and (possibly) electronic application updates.
In analyzing the pertinent costs and benefits, managers should also consider the possible ramifications for Central Piedmont Community College at large and attempt to identify and weigh the intangible as well as the tangible consequences.
- It may be difficult to determine the cost of poor public relations and lost goodwill if an ex-employee steals cash because the manager did not change the safe combination or retrieve College keys upon the employee's termination.
Internal controls should reduce the risks associated with undetected errors or irregularities, but designing and establishing effective internal controls is not a simple task and cannot be accomplished through a short set of quick fixes. However, we hope that this guide has helped to explain the basic internal control concepts and has given you some ideas for improving your unit's controls. We can also supply an internal control video and booklet and/or you can request one of our auditors to give a demonstration upon request. This video was designed specifically for colleges and universities and is suitable for individual, group, or staff meeting viewing.