Internal Controls

The university's policy on internal controls is IGP #133 - Internal Control.  All employees are responsible for following good internal controls.  The sections below describe basic internal controls.  Please use the Basic Internal Control Assessment to evaluate your department's compliance with the university's policies and good internal controls.

Basic Types of Controls

  • Preventive - controls designed to discourage errors or irregularities from initially occurring.  Examples include segregation of duties, proper authorization, adequate documentation supporting transactions, and physical security of assets.
  • Detective - controls designed to identify an error or irregularity after it has occurred.  Examples include exception reports, reconciliations, reviews of performance, and annual physical inventory counts.
  • Compensating - controls designed to compensate for increased risk when preventive controls are not possible (sometimes due to small departments with a limited number of employees).  Compensating controls are often needed when segregation of duties does not exist.  An example would be increased supervision and oversight.

Segregation of Duties

The goal of segregation of duties is to assign various steps of a process to different people.  The intent is to prevent instances where someone could engage in theft or fraud by having an excessive amount of control over a process.  An individual should not be in a position to initiate, approve, undertake and review the same action.  The following general functions should be split among different people.

  • Authorization - Authorization is normally performed by a supervisor, office manager, or department head.  Examples include approving expenditures, approving budget transfers, approving time sheets and leave requests, and approving the disposition of inventory.
  • Record Keeping - Record keeping is normally performed by an administrative employee.  Examples include preparing travel vouchers, maintaining expenditure files or revenue records, maintaining payroll files, and maintaining inventory records.
  • Asset Custody - Asset custody duties are performed by any individual having access to or control over any physical asset.  Examples include access to any funds through collection of funds or processing of payments, maintaining inventories, access to safes, lock boxes, etc.
  • Reconciliation - The reconciliation function is the process of reviewing and verifying transactions to ensure they are valid, properly authorized, and recorded on a timely basis.  Examples include comparing billing documents to billing summaries, collections to deposits, etc.

Threats to Internal Control Structure

  • Management Override - A well-designed control system, if set aside at management's discretion, can be equivalent to no control in terms of risk.
  • Access to Assets - The best way to safeguard assets is to control access to them.
  • Substance over Form - Controls may appear to be well-designed and still lack substance.
  • Conflicts of Interest - When an employee's loyalties are divided, there is a distinct risk the employee will choose a course of action detrimental to the organization.
  • Failure to Anticipate Certain Risks - Management may fail to anticipate certain risks, and thus fail to design and implement appropriate controls.
  • Collusion - Two or more employees may agree to circumvent internal controls.