Understanding Internal Controls
How can you, in your role at the university, safeguard assets and be part of a structure that enhances fiscal accountability? Does your department have a standard practice in place to prevent fraudulent activity or errors that everyone in your area is aware of and understands? Internal controls, when properly designed and executed, will help ensure your area has optimal safeguards against loss, errors, or fraud.
The definition of internal control issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has three key points. Internal control is:
- An ongoing process (not just checking a box one time)
- Effected by people from the board of trustees, to managers, to front-line employees (the people and their actions are what is important, not the form, system or procedure manual)
- Designed to provide reasonable assurance regarding the achievement of the University’s objectives (absolute assurance is not possible)
It is important to note how adaptable and flexible the definition is – it can be applied university-wide or to a single operating unit.
COSO issued the original internal control framework in 1992, which is still widely accepted worldwide. The framework includes five components with underlying principles, which combine and interact to create a strong system of internal control. The five components of the internal control framework are shown below:
- Control Environment: The control environment is just that – the environment of standards, processes and structures in the University. Together, these guide people at all levels in carrying out their responsibilities for internal control and decision-making. A foundation of the control environment is the “Tone at the Top,” which tells employees what the University of Florida values and the importance placed on ethical, honest behavior. It is set by the Board of Trustees and senior management, and reinforced by leaders at all levels.
- Risk Assessment: Management must determine what risks are possible and what risk can be tolerated. Risk assessment is a dynamic process based on objectives, although sometimes (as with financial reporting) there are external requirements that must be taken into consideration as well.
- Control Activities: Control activities are the policies and procedures that take place to ensure risks are minimized and objectives are accomplished. It is important to understand the “why” behind the control! Remember, controls by themselves do not prevent fraud or errors – the people who understand and effectively execute those controls on a daily basis do.
- Information & Communication: Relevant and quality information is essential to carry out internal control responsibilities and achieve objectives. Internally, communication allows employees to understand their internal control responsibilities, potential risks, the “Tone at the Top” and the objectives of the University. Externally, the University can obtain and share relevant information with stakeholders.
- Monitoring Activities: Monitoring is performed to assess the effectiveness of the controls and determine if a change is needed. Unmonitored controls tend to break down over time, so monitoring is needed to identify and correct potential issues on a timely basis. In addition, the system of internal control will evolve as objectives change or controls become obsolete. If controls are created and then unmonitored, then the functioning system is likely to break down at some point.
As the definition says, internal controls depend on the participation of all employees at every level. Therefore, all of us share the responsibility of establishing and following appropriate policies and procedures on internal control. Employee competence and professional integrity are essential components of a sound internal control program, and the training class PRO303 – Internal Controls at UF is highly recommended for all fiscal staff.
Employees are responsible for complying with internal controls by:
- Successfully fulfilling the duties and responsibilities established in the job description;
- Monitoring work to ensure it is done properly and that errors are corrected promptly;
- Meeting applicable performance standards;
- Taking all reasonable steps to safeguard assets against waste, loss, unauthorized use and misappropriation;
- Adhering to all applicable policies and procedures;
- Attending education and training programs to increase awareness and understanding; and
- Reporting concerns, including breakdowns in internal controls, missing internal controls, or other issues, to the supervisor or manager.
Managers and supervisors are responsible for executing control policies and procedures within their departments by:
- Maintaining a positive office environment that encourages internal controls through the “tone at the top”;
- Documenting policies and procedures that are to be followed in performing work functions;
- Encouraging and supporting employees who report concerns or opportunities for improvement;
- Ensuring employees attend education and training programs applicable to their jobs;
- Understanding all applicable regulations, policies and directives that impact the work functions;
- Identifying the control objectives for each function and implementing effective controls designed to meet those objectives; and
- Regularly testing the controls to verify they are performing as intended.
The goal of our office is not to make each person an expert in internal controls, but to increase awareness and understanding of why we need them and how to use them.
For questions, assistance or concerns, please do not hesitate to reach out to either Internal Controls and Quality Assurance (firstname.lastname@example.org, (352) 392-1321) or the Office of Internal Audit (email@example.com or (352) 392-1391).
03/31/2023: updated to include framework