Office of the Controller

Understanding Internal Controls

What is Internal Control?

Internal Control refers to the processes and procedures designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, compliance with applicable laws and regulations, and safeguarding assets.

Internal Controls Are Everyone's Responsibility

Managers and leaders at all levels of the University are responsible for ensuring that an appropriate and effective control environment is in place in their areas of responsibility. Although management is responsible for establishing  specific internal control policies and procedures, everyone at the University shares responsibility for internal control.

All employees play an important role in the achievement of the University's goals and objectives. Everyone is responsible for implementing and maintaining control practices to ensure achievement of these goals. It is impossible to eliminate all negative consequences, which are an inherent part of setting and meeting objectives. It is, however, possible and necessary to reduce the negative consequences to an acceptable level by implementing control practices.

Any employee suspecting fraud or other improprieties involving University resources must inform their supervisor or Audit Services. (See the UC Whistleblower Policy.)

Other groups play important roles. Audit Services evaluates control systems for effectiveness and efficiency. The Office of the Controller provides leadership in designing and implementing systems to ensure an effective financial accountability and control environment.

External auditors review control systems for the impact on financial reporting and compliance with requirements of external agencies.

Fundamental Concepts

Maintaining internal controls is a continuing process. Internal control is effected not only by policy manuals and forms, but by people functioning at every level of the institution. Internal control can be expected to provide only reasonable assurance regarding achievement of operational, financial reporting, and compliance objectives.

Control Principles

Authorization and Approval
Transactions are authorized by a person with delegated approval authority.

Documentation of Policies and Procedures
University and departmental level policies and operating procedures are formalized and communicated to employees. Documenting policies and procedures and making them accessible to employees helps provide day to day guidance to staff and will promote continuity of activities in the event of prolonged employee absence or turnover.

Physical Security
Equipment, inventories, cash, and other property are secured physically, counted periodically, and compared with amounts shown on control records.

Proper Management of Costs and Expenses
Costs and expenses are monitored and controlled. Comparisons of actual expenses to budgeted amounts are performed on a regular basis, and all significant variances are researched.

Review and Reconciliation
Routine examination and reconciliation of transaction records to official University records is required to verify the accuracy of the records, the appropriateness of the transactions, and their compliance with policy.

Separation of Duties
Financial responsibilities are divided between different people to assure a single person does not perform every aspect of a financial transaction. Segregating responsibilities can reduce errors and prevent or detect inappropriate transactions.

Training and Supervision
Employees receive appropriate training and guidance to ensure they have the knowledge necessary to carry out their job duties. Employees are provided with an appropriate level of direction and supervision and are aware of the proper channels for reporting suspected improprieties.

Components of Internal Control

There are five interrelated components that make up an organization's internal controls. The Committee of Sponsoring Organizations (COSO) model is recognized throughout the world as a significant standard for discussing internal control. There is a direct relationship between institutional objectives and the components of internal control. For example, to achieve the objective of compliance with laws and regulations, all five components are necessary.

Control Environment
The control environment, as established by the organization's administration, sets the tone of an institution and influences the "control consciousness" of its people. Likewise, leaders of each department establish a local control environment. This is the foundation for all other components of internal control. Control environment factors include: integrity and ethical values, competence, leadership philosophy and operating style, and the way management assigns authority and responsibility.

Risk Assessment
The UC campuses must be aware of and address the risks they face. They must establish objectives. Risk Assessment is the identification and analysis of relevant risks to achievement of the objectives. This forms the basis for determining how the risks should be managed.

Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out. Control activities occur throughout the institution, at all levels and in all functions. They include such activities as approvals, reconciliations of budget to actual, segregation of duties, and security of assets.

Information and Communication
Communication systems enable the organization's people to capture and exchange the appropriate information needed to manage its operations responsibly.

Monitoring is a process that assesses the quality of the system's performance over time. It is accomplished through ongoing activities such as review of operating and financial reports, comparison of data to physical assets, separation of duties, and authorization procedures. Monitoring can also be accomplished through separate evaluations such as internal and external audits.