Internal Controls
AA Roundup
April 30, 2008
Mary G. Elizondo, Comptroller

Internal Control Components
- Monitoring
- Control Environment
- Risk Assessment
- Control Activities
- Information & Communication

Internal Control Components: Monitoring
Monitoring includes the following:
- Supervising
- Observing
- Testing
- Reporting to Responsible Individuals

Monitoring activities include:
- Evaluation of Trends
- Reviews of Outstanding Encumbrances
- Surprise Cash and Asset Counts
- Follow-up on complaints
- Review of Financial Reports
- Spot Checking of transactions to ensure compliance with policies and procedures

Internal Control Components: Risk Assessment
Risk Assessment …
- Is the identification and analysis of relevant risks associated with the achievement of objectives
- Is an ongoing process that is a critical component of an effective internal control system

Risk Assessment: External Risk Factors
- Economic changes
- Changing student & community needs
- New/changed legislation & regulations
- Technological developments
- Natural catastrophes
- Competitive conditions

Risk Assessment: Internal Risk Factors
- New Personnel
- Low Morale
- Competency & Integrity of Personnel
- New or Revamped Information Systems
- Size of Organization
- Complexity & Volatility of Activities
- Geographical Dispersion of Operations
- Changes in Management Responsibilities

Risk Assessment: Risk Analysis
Administrators must determine …
- What can go wrong
- What areas have the most risk
- What assets are at risk
- Who is in a position of risk

Addressing Identified Risk: Control Activities
Control activities are the policies and procedures that help ensure that management directives are carried out.

Examples of Control Activities
- Authorizations
- Segregation of Duties
- Recording
- Safeguarding
- Reconciliations

Internal Control As Defined by COSO (Committee of Sponsoring Organizations) Is …
A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of
objectives in the following categories:
- Reliability of financial reporting;
- Effectiveness and efficiency of operations; and
- Compliance with applicable laws and regulations

Internal Control Is …
- A Process … Not Merely Policies, Procedures and Forms
- Effected by People
- Directed Toward the Achievement of Objectives

Internal Control Primary Objectives
- Compliance
- Accomplishment of Goals & Objectives
- Reliability & Integrity of Information
- Economical & Efficient Use of Resources
- Safeguarding of Assets

Internal Controls: Responsibility For …
- Everyone has a role in regard to internal controls
- Roles will vary depending on level of responsibility and the nature of involvement by the individual

Internal Controls Responsibility: Individual
Each individual is responsible for being cognizant of proper internal control procedures related to their job.

What are Internal Controls and why are they important?
Internal Controls are methods employed to help ensure the achievement of an objective. Common Internal Controls are:
- Writing procedures to encourage compliance
- Locking your office to discourage theft
- Reviewing your on-line budget of account to verify transactions

Methods used to constitute the internal control structure of South Texas College include:
- policies
- organizational design
- physical barriers

Preventive and Detective Controls
Most internal controls can be classified as preventive or detective.

Preventive Controls are designed to discourage errors or irregularities. Examples include:
- A computer application which checks validity prevents the entry of an invalid account number.
- Reading and understanding College Policies and Procedures.
- An administrator’s review of purchases for propriety and validity prior to approval prevents inappropriate expenditures.

Detective Controls are designed to identify an error or irregularity after it has occurred.
Examples include:
- An exception report detects and lists incorrect or invalid entries or transactions.
- Maintaining written procedures for manual processing will ensure that operations can continue in the event of computer failure.

What is the Administrator’s responsibility?
As an administrator, you are responsible for ensuring that internal controls are established and functioning to achieve the mission and objectives of your unit. To evaluate internal controls, first think about the following general objectives, then identify your unit’s specific objectives within these broad categories:
- Propriety of Transactions for all activity within accounts for which the administrator is responsible
- Reliability and Integrity of Information for internal management decisions and external agency reports
- Compliance with South Texas College Policies and Procedures, including but not limited to: Human Resources, Financial, Purchasing, granting agencies, and state and federal government
- Safeguarding Assets, including physical objects and College data
- Economy and Efficiency of Operations to optimize the use of limited resources in accomplishing the mission of the unit and South Texas College

What can jeopardize internal controls?
While many circumstances may compromise the effectiveness of your internal control structure, a few of the most common and serious of these warrant special mention:

Inadequate Segregation of Duties: Separating responsibility for physical custody of an asset from the related record keeping is critical.
- Persons who can authorize purchase orders should not be capable of processing payments.
- The person who prepares the deposit should not post the receipts to the customers’ accounts.
- The person who prepares the payroll voucher should not distribute or have custody of the payroll checks.

Inappropriate Access to Assets: Internal controls should provide safeguards for physical objects, restricted information, critical forms, and update applications.
- An employee who only needs to view computer information should be restricted to read-only access.
- Only authorized individuals should be issued keys for restricted areas.

Inadequate Knowledge of College Policies: The college is not a static environment; new policies and policy revisions are part of our continual evolution. College policies and procedures are available electronically.

Fiscal Misconduct: If any employee knows or suspects that other college employees are engaged in theft, fraud, embezzlement, fiscal misconduct or violation of college financial policies, it is their responsibilities.

Form Over Substance: Controls can appear to be well designed but still lack substance, as is often the case with required approvals. The administrator’s signature attests to the accuracy of the voucher information, but if the administrator doesn’t have assurance that the supporting time records are accurate, the approval process lacks substance.

Control Override: Exceptions to established policies are sometimes necessary to accomplish a specific task, but can pose a significant risk if not effectively monitored and limited.

Inherent Limitations: There is no such thing as a perfect control system. Staff size limitations may obstruct efforts to properly segregate duties, which requires the implementation of compensating controls to ensure that objectives are achieved.
A limitation inherent in any system is the element of human error (misunderstandings, fatigue, and stress). An administrator who encourages employees to take earned vacation time can improve operations through cross training while enabling employees to overcome or avoid stress and fatigue.

How much do internal controls cost?
The cost of implementing a specific control shouldn’t exceed the expected benefit of the control.
- The potential loss of a computer printer may justify the cost of a door lock, but not an alarm system.
- Computer screen savers with passwords are inexpensive, effective methods of protecting sensitive data on a computer.

Sometimes there is no out-of-pocket cost to establish an adequate control. A realignment of duty assignments may be all that is necessary to accomplish the objective.
- Checks received in the mail are immediately separated from supporting documentation for restrictive endorsement and deposit. The supporting documentation is given to a different employee (with a copy of the check, if needed) for crediting the payment or filling an order.

A well designed internal control structure can enhance operations by improving your unit’s overall efficiency and effectiveness, as well as reducing the risk of loss or theft.

In analyzing the pertinent costs and benefits, managers should also consider the possible ramifications for South Texas College at large and attempt to identify and weigh the intangible as well as tangible consequences. It may be difficult to determine the cost of poor public relations and lost goodwill if an ex-employee steals cash because the manager did not change the safe combination or retrieve College keys upon the employee’s termination.

QUESTIONS?