Internal Control Framework Key Terms
When discussing internal controls, there are some terms that are important to consider in this context. Below are important terms organized by the framework component as well as definitions and correlations to the University of Florida.
The control environment is just that – the environment of standards, processes and structures in the University.
Tone at the Top
Management leads by example to demonstrate a commitment to integrity and ethical values. At the University of Florida, the Tone at the Top is set by the Board of Trustees and senior management, and reinforced by leaders throughout the entire organization. The Tone at the Top tells employees what importance is placed on honesty and integrity, and can also be considered the “company culture.”
Risks to achieving the University’s objectives must be identified and analyzed. The identification of risks helps management and employees in decision-making and carrying out their internal control responsibilities.
The possibility that an error or irregularity will happen to negatively affect the achievement of objectives related to operations, reporting, or compliance.
The risk to an organization that may lead to potential financial loss, inaccuracies, noncompliance or other errors, in the absence of response to the risk. This can be thought of as “what can go wrong?”
The risk remaining after a response to the inherent risk.
Setting the acceptable level of variation from objectives that management is willing to tolerate. It is impossible to entirely remove risk, so management must determine what level is tolerable.
Using the identified risks and the level of risk tolerance, management designs responses and actions, including the following:
- Acceptance: No action is taken because the risk is considered insignificant
- Avoidance: Take action to entirely or partially stop the process causing the risk
- Reduction: Take action to reduce the possibility or extent of the risk
- Sharing: Take action to transfer or share risk across the organization or with external parties
Fraud involves obtaining something of value through willful misrepresentation. Fraud can include fraudulent financial reporting, misappropriation of assets or corruption. The fraud triangle – consisting of pressure, opportunity and rationalization – demonstrates the primary risk factors for fraud.
Control activities are what is commonly thought of when people think of internal controls – they are the actions directed by management through policies and procedures to minimize identified risks to tolerable levels. They are performed at all levels throughout the University and at different steps in the process, including IT systems.
A control designed with an operation process to prevent or detect a significant risk. Monthly reconciliations are considered a key internal control at the University of Florida.
The goal to be achieved for a control that is designed and implemented for a process.
Policies versus Procedures
A policy is a statement of what must be done to effect control. A procedure is the action that implements the policies. For example, at the University of Florida a policy is what expenses require receipts for reimbursement during travel. The procedure is how you process the expense report and get it approved.
Information and Communication
Relevant and timely information must be obtained and communicated to both internal and external parties to support the internal control system. The method of communication should always be considered – meetings, emails, training, newsletter, etc.
The targeted recipients of the information to be delivered. Who needs to receive this information? Is it a big group or small group? Are they subject matter experts or unfamiliar with the topic? You want to tailor your communication and use a method appropriate for your audience.
Nature of the Message
The type of information being communicated. What is the purpose of the information? Is it complicated? The nature of the message should impact the method used for communication.
The timing needed for people to act on the information being communicated. How quickly do we need to get this information to people? Do we need them to act on it right away? Again, this will impact the method of communication, as an urgent issue requiring immediate action would not be communicated in a quarterly newsletter.
Monitoring is a key part of assessing internal control effectiveness. The internal control system will evolve as objectives change and controls become obsolete. Monitoring is how we make sure the control is really happening in the way it was intended.
These monitoring evaluations are routine and built in to normal business processes. They will often identify problems faster, such as regular comparisons and reconciliations or automated tools.
These monitoring evaluations are conducted at periodic intervals by objective management personnel, internal audit, our department, or external parties. It is typically not as frequent as ongoing evaluation, but will provide objective feedback.
A potential or actual internal control issue, or an opportunity to strengthen the internal control system, based on observation and/or direct testing.
03/31/2023: updated content
Internal Controls and Quality Assurance: (352) 392-1321