What are Internal Controls?

Internal controls encompass the plan of organization and all of the coordinate methods adopted within a business to
safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency and
encourage adherence to prescribed managerial policies. This definition recognizes that a system of internal control
extends beyond those matters which relate directly to the functions of the accounting and financial departments.

Simply put, internal controls are anything we do to help us achieve our objectives. They are the policies, procedures,
practices and organizational structures implemented in order to:

Protect the Universitys assets (including the Universitys reputation);

Ensure records are accurate;
Promote operational efficiency; and
Encourage adherence to policies and procedures.
Are there Different Types of
Internal Controls?
Yes, generally speaking there are two types: preventive and detective controls. Both types of controls are essential to an effective
internal control system. From a quality standpoint, preventive controls are essential because they are proactive and emphasize
quality. However, detective controls play a critical role by providing evidence that the preventive controls are functioning as
intended.

Preventive Controls are designed to discourage errors or irregularities from occurring. They are proactive controls that help to
ensure departmental objectives are being met. Examples of preventive controls are:

Segregation of Duties: Duties are segregated among different people to

reduce the risk of error or inappropriate action. Normally, responsibilities for authorizing transactions (approval), recording
transactions (accounting) and handling the related asset (custody) are divided.
Approvals, Authorizations, and Verifications: Management authorizes employees to perform certain activities and to
execute certain transactions within limited parameters. In addition, management specifies those activities or transactions
that need supervisory approval before they are performed or executed by employees. A supervisors approval (manual or
electronic) implies that he or she has verified and validated that the activity or transaction conforms to established policies
and procedures.
Security of Assets (Preventive and Detective): Access to equipment, inventories, securities, cash and other assets is
restricted; assets are periodically counted and compared to amounts shown on control records.
Detective Controls are designed to find errors or irregularities after they have occurred. Examples of detective controls are:

Reviews of Performance: Management compares information about current performance to budgets, forecasts, prior
periods, or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify
unexpected results or unusual conditions that require follow-up.
Reconciliations: An employee relates different sets of data to one another, identifies and investigates differences, and takes
corrective action, when necessary.
Physical Inventories
Audits
Who is Responsible for
Internal Controls?
Management is responsible for establishing and maintaining the control environment. Auditors play a role in a system of internal
controls by performing evaluations and making recommendations for improved controls. Furthermore, every employee plays a
role in either strengthening or weakening the Institutions internal control system. Therefore, all employees need to be aware of
the concept and purpose of internal controls.
Internal Controls Myths &
Facts
Because there are many misconceptions about internal controls, knowledge sharing is vitally important to an effective control
system. Part of the educational process is to dispel the myths about internal controls. Here are a few myths and the corresponding
facts

Myth Fact

Internal controls result from a strong set of Internal controls are based on a strong control environment and solid
policies and procedures (i.e., If a policy doesnt business practices that, in most cases, will be supported by policies;
exist, we dont have to do it). however, lack of formal policies does not preclude good business
practices.

Internal controls? Thats why we have internal Management and departmental personnel are the owners of internal
auditors. controls.

Internal controls are all about finance and Internal controls are integral to every aspect of business.
accounting. We do what the Office of Financial
Affairs or the Department of Finance tells us to
do.

Internal controls are essentially negative, like a Internal controls make the right thing happen the first time.
list of thou shalt nots.

Internal controls are a necessary evil. They take Internal controls should be built into, not onto, business processes.
time away from our core activities and
responsibilities.

If controls are strong enough, we can be sure that Internal controls provide reasonable, but not absolute, assurance that
errors and irregularities will always be detected. the organizations objectives will be achieved.
How Can My Department
Contribute to the Control
Environment?
The control environment is the control consciousness of an organization; it is the atmosphere in which people conduct their
activities and carry out their control responsibilities. An effective control environment is an environment where competent people
understand their responsibilities, the limits to their authority, and are knowledgeable, mindful, and committed to doing what is
right and doing it the right way. They are committed to following an organizations policies and procedures and ethical and
behavioral standards.
As a Business Administrator/manager/employee of a department, you can do the following to enhance your departments control
environment:

Make sure job descriptions exist, clearly state responsibility for internal control, and correctly translate desired
competencies.
Implement segregation of duties where duties are divided, or segregated, among different people to reduce risk of error or
inappropriate actions. No one person has control over all aspects of any financial transaction.
Make sure transactions are authorized by a person delegated approval authority when the transactions are consistent with
policy and funds are available. [Make sure authority levels in Privilege Management system are appropriate and
accurate.]
Ensure records are routinely reviewed and reconciled by someone other than the preparer or transactor, to determine that
transactions have been properly processed. [Make sure the MD091 review and reconciliation is performed and the
Edog sign-off is completed.]
Make certain that equipment, inventories, cash and other property are secured physically, counted periodically, and
compared with item descriptions shown on control records.
Provide employees with appropriate training and guidance to ensure they have the knowledge necessary to carry out their
job duties, are provided with an appropriate level of direction and supervision, and are aware of the proper channels for
reporting suspected improprieties. For example, if your department is a recipient of sponsored funds, make sure that
individuals administering funds are well trained on federal rules and regulations regarding the use of grant funds.
Make sure University and departmental level policies and operating procedures are formalized and communicated to
employees. Documenting policies and procedures and making them accessible to employees (in either hard copy or internet
based form) helps provide day-to-day guidance to staff and will promote continuity of activities in the event of prolonged
employee absences or turnover.
Make sure that employees comply with the VU Conflict of Interest Policy and disclose potential conflicts of interest.
Make sure employee performance evaluations are conducted periodically. Good performance should be valued highly and
recognized in a positive matter.
Make sure that appropriate counseling and/or disciplinary action is taken when an employee does not comply with policies
and procedures and/or behavioral standards.