Internal Controls & Risk Assessment
Why do we need strong Internal Controls?
Internal Controls, though often thought of as a necessary evil, are designed to protect yourself as well as your employees. The goal of internal controls is to protect assets from the time they are received to the point at which they are booked and also to the point at which they are removed from the books.
The USG Compliance Program states, “All members of the USG community should contribute to the success of the USG in a manner consistent with their duties and responsibilities. Effective internal controls are one method that can be employed to assist the USG in achieving its mission. Internal controls are the processes employed at all levels to help ensure that USG business is carried out in accordance with BOR policies and procedures, institutional policies and procedures, applicable laws and regulations and sound business practices. Good internal controls promote efficient operations, accurate financial reporting, safeguarding of assets and responsible fiscal management” (Section 18.104.22.168).
One tool that can be used to protect yourself while ensuring efficient operations is to make use of Appearance and Reasonable Tests.
- For all potential expenditures from all sources of funds, the “appearance test” should be used, i.e., how would this purchase look to external constituents if placed on the front page of a newspaper.
- Another test that is useful is to ask the question, “Is this expenditure necessary for a faculty/staff member to do his/her job or for the university to carry on its normal business?” The utilization of these tests should help to guide faculty/staff members in their decision-making. At all times, faculty/staff are encouraged to avoid the appearance of poor management of funds as well as the reality of poor management of funds.
Components of Internal Control
1. Control environment - establishes the foundation for the internal control system by providing fundamental discipline and structure
2. Risk assessment - involves the identification and analysis by management—not the internal auditor—of relevant risks to achieving predetermined objectives
3. Control activities - the policies, procedures, and practices that ensure management objectives are achieved and risk mitigation strategies are carried out
4. Information and communication - a component that supports all other control components by communicating control responsibilities to employees and by providing information in a form and time frame that allows people to carry out their duties
5. Monitoring - covers the external oversight of internal controls by management or other parties outside the process, or the application of independent methodologies, such as customized procedures or standard checklists, by employees within a process
For more examples of risks and related controls please view the GA Department of Audits and Accounts.