BUSINESS INTEGRITY DEPARTMENT

INTERNAL AUDIT
Guide to Internal Controls
Introduction
• Definition of Internal Control
• Control Tools - Examples
• Responsibility for Internal Controls
• Role of the Internal Audit Department
• Suspected Theft or Misuse of Assets
DEFINITION OF INTERNAL CONTROL
“Internal control is broadly defined as a process, effected by an entity’s board of directors,
management and other personnel designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:
• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• Compliance with applicable laws and regulations.”
Committee of Sponsoring Organizations of the Treadway Commission (COSO), September 1992
Controls can be preventive or detective. An internal control can be thought of as anything
that prevents or detects errors or omissions.
The Institute of Internal Auditors defines a control as “any action taken by management to
enhance the likelihood that established objectives and goals will be achieved.”
Preventive controls attempt to prevent or deter undesirable acts from occurring. They are
proactive controls, designed to prevent a loss, error, or omission. Examples of preventive
controls are separation of duties, proper authorizations, adequate documentation, and
physical security over cash and other assets.
Detective controls attempt to detect undesirable acts that have occurred. They provide
evidence after the fact that a loss or error has occurred, but do not prevent it from
occurring. Examples of detective controls are variance analyses, supervisory reviews of
account activity, reconciliations, and physical inventories.
Directive controls cause or encourage a desirable event to occur. These proactive controls
include employee orientation and policies and procedures.
Mitigating or compensating controls are designed to compensate – at least partially – for a
missing or excessively costly control. Examples include supervisory review where separation
of duties is impractical, and monitoring budget variances in lieu of transaction processing
controls.
All four of these types of controls are essential for an effective internal control system.
As employees become familiar with the types of controls, they are more apt to use the tools
and adhere to the policies set forth by management, and to watch with a sharper eye for gaps in
the control system. In addition, they will be predisposed to work within the framework
dictated by these types of controls. This is all a part of creating a control-conscious
environment.
A control-conscious environment is necessary. It is an environment that supports ethical
values and business practices. Management is responsible for “setting the tone” for their
areas and encouraging the highest levels of integrity and ethical behavior, as well as
exhibiting leadership behavior that promotes internal control and accountability. The
following steps are examples of this leadership behavior:
• Communicate to employees that fraud and conflicts of interest will not be tolerated.
• Communicate to employees that Health System policies and procedures are
  important and will be followed.
• Make employees fully aware of their responsibilities, including internal controls.
• Monitor the internal controls system on an ongoing basis.
CONTROL TOOLS – EXAMPLES
Following are a few of the many control tools available to you:
• Ethical “tone at the top,” communicated in words and deeds
• Organization structure which promotes the flow of information
• Clear definition of responsibilities
• Delegation of authority commensurate with responsibility
• Mechanisms to hold people accountable for results
• Reward mechanisms
• Qualified and well-trained personnel, particularly in key positions
• Positive, motivating work environment
• Effective empowerment of employees
• An atmosphere of mutual trust
• Frequent interaction between senior and operating management
• Appropriate policies and procedures for hiring, training, promoting and
  compensating employees
• Written policies and procedures
• Performance standards
• Procedures for authorizing and processing transactions
• Reviews: budget to actual comparison, current to prior period comparison,
  performance indicators, project management reports, etc.
• Independent verification of performance
• Reconciliations
• Security for assets and records
• Supervisory review
• Segregation of duties (separation of initiation, authorization, recording and
  custody; at least two sets of eyes involved in every transaction)
• Checklists
• Formal compliance (Business Integrity) program, including a designated
  “compliance (Business Integrity) officer”
• Forms control (e.g., prenumbered documents, maintaining integrity of numerical
  sequence, limited access to key forms)
• Exception reports (e.g., receivables past due, overtime, duplicate payments,
  discounts not taken)
• Information systems controls:
  o Environmental controls (heat, humidity, fire extinguishers, etc.)
  o Data security system
  o Backup and recovery policies and procedures
  o Disaster recovery or business continuance plan (tested periodically)
  o Input controls – authorization, validation, error notification and correction
    (e.g., blocked transactions, transaction limits, error listings, field checks,
    self-checking digits, sequence checks, validity checks, completeness
    checks)
  o Processing controls (e.g., edit checks, control totals and other programmed
    steps within applicable software, audit trails)
  o Output controls (e.g., output review, exception reports, master file change
    reports)
  o Software license compliance controls
RESPONSIBILITY FOR INTERNAL CONTROLS
Every individual within the Health System has some role in effecting internal control. Roles
vary in responsibility and involvement. Managers are ultimately responsible for the
appropriate use and control of the assets entrusted to them. Management is accountable to
the Health System Board, which provides governance, guidance and oversight.
Management is also often accountable to the IRS and state and federal agencies such as
Health Services Cost Review Commission (HSCRC) and Centers for Medicare and Medicaid
Services (CMS). In certain cases, management may be directly liable.
ROLE OF THE INTERNAL AUDIT DEPARTMENT
The Internal Audit Department is responsible for planning and performing internal audits at
the Health System. Internal audits assist management by providing independent and
objective analyses of activities and controls. Audit scopes can range from a single process to
all business activities in a division, department, or school. Internal Audit makes
recommendations as a result of these analyses.
The Executives for Finance (for profit and Hospital) and the Health System Internal Audit
and/or Director of Business Integrity are responsible for coordinating the on-site activities
of all external auditors including federal, state, and local government agencies, CPA firms,
etc., and will serve as liaisons between external auditors and Health System departments
when appropriate. If your office is contacted by any external audit agency, contact the
appropriate person as follows: Executive for Finance at 301-665-4520 (for profit) or
301-790-8880 (hospital), or the Health System Internal Auditor at 301-790-8812, or the
Director of Business Integrity at 301-790-8878.
Internal Audit is also responsible for investigating financial irregularities. See next section on
“Suspected Theft or Misuse of Assets.”
SUSPECTED THEFT OR MISUSE OF ASSETS
The Business Integrity Department is responsible for investigating financial-related fraud at
the Health System. Where appropriate, such investigations are coordinated with the Health
System’s General Counsel, Vice President for Finance, Human Resources, and the Security
Department.
• If you, as a member of the Health System community, are aware of or suspect such
  fraud, theft, embezzlement or misuse of Health System assets, we ask that you report
  the problem to your supervisor and the Business Integrity Department.
Any information you provide will be handled confidentially.