Not everything can be addressed in university policies, procedures, and regulations. In the absence of formal requirements we rely on best practices as a way to implement the types of internal controls necessary to safeguard university assets. Audit Services can consult with you on implementing appropriate internal controls.
What are Internal Controls
Internal controls can be either preventative or detective. Preventive controls are proactive in that they attempt to deter or prevent undesirable events from occurring. Detective controls provide evidence that an error or irregularity has occurred. While preventive controls are preferred, detective controls are critical to provide evidence that the preventive controls are functioning as intended.
Types of Internal Controls
Examples of preventive controls include:
- Segregation of Duties
- Duties are segregated among different people to reduce the risk of error or inappropriate action. Normally, responsibilities for authorizing transactions (approval), recording transactions (accounting) and handling the related asset (custody) are divided.
- Approvals, Authorizations, and Verifications
- Management authorizes employees to perform certain activities and to execute certain transactions within limited parameters. In addition, management specifies those activities or transactions that need supervisory approval before they are performed or executed by employees. A supervisor's approval (manual or electronic) implies that he or she has verified and validated that the activity or transaction conforms to established policies and procedures.
- Security of Assets (Preventive and Detective)
- Access to equipment, inventories, securities, cash and other assets is restricted; assets are periodically counted and compared to amounts shown on control records.
Examples of detective controls include:
- Reviews of Performance
- Management compares information about current performance to budgets, forecasts, prior periods, or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions that require follow-up.
- An employee relates different sets of data to one another, identifies and investigates differences, and takes corrective action when necessary.
- Physical Inventory
- The periodic review of assets held by an organization to determine if theft has occurred. It requires someone with information detailing the number and location of items to actually determine if those items are still available. If items are missing, appropriate steps should be made to determine the cause and adjustments should be made to department records.
Control Self Assessment
Our goal is to provide you with information that will allow you to internally assess your operations and determine if your department has reasonable internal controls in place. The Control Self Assessment (CSA) is a guide to assist with improving business practices, so all departments can comply with institutional policies and procedures while limiting the potential for misappropriation of institutional resources. Implementation of the internal controls determined to be necessary upon completion of a CSA will enable you to establish a positive control environment. Ultimately, it is management's responsibility to establish and maintain adequate internal controls. The following link will take you to the self assessment. Control Self Assessment(PDF)