Auditing

Internal Control Tools

After assessing and prioritizing the financial and compliance risks, the next step of the process is to identify the appropriate controls to manage the risks. Managers need to focus on their high-risk, high-priority areas. The next section will present the tools managers can use to design their internal control systems.

Think of internal control as a map that helps managers to get to their destination. Obviously, just because managers have a "map", there is no "guarantee" that they will get there, but it does provide "reasonable assurance". Internal controls help keep a company on course to achieve goals, carry out management directives, reduce surprises, increase reliability of information, promote effectiveness and efficiency, safeguard assets, and comply with rules and regulations.

In the same way that managers are primarily responsible for identifying the financial and compliance risks for their operations, they also have line responsibility for designing, implementing and monitoring their internal control system. Internal Audit and the Controller's Office are available to provide advice and expertise. Managers are encouraged to consult with these offices when evaluating internal controls, especially with regard to areas deemed to be high risk.

Trust is a key component in managers' interactions in the academic and medical environments. Employing honest, trustworthy personnel is critical; however, trusting employees is not a replacement for an internal control system. An internal control system does not rely solely on trust, but is an "objective" set of procedures to help ensure that goals are met. Any override of controls provides an "opportunity" for someone to take advantage of the system for which management is responsible.

The following internal control tools will be discussed in this section:

  • Creation of a Control-Conscious Environment
  • Separation of Duties
  • Authorization/Approval
  • Reviews
  • Reconciliations
  • Asset Security
  • Information and Communication
  • Monitoring

Controls can be either preventive or detective. The intent of these control types is different. Preventive controls attempt to deter or prevent undesirable acts from occurring. They are proactive controls that help to prevent a loss. Examples of preventive controls are separation of duties, proper authorization, adequate documentation, and physical control over assets.

Detective controls, on the other hand, attempt to detect undesirable acts. They provide evidence that a loss has occurred but do not prevent a loss from occurring. Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.

Both types of controls are essential to an effective internal control system. From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality. However, detective controls play a critical role by providing evidence that the preventive controls are functioning and preventing losses.

 

Last Updated: November 17, 2008 (vm).