INTRODUCTION TO INTERNAL CONTROLS
What are Internal Controls?
To put it simply, internal controls are an exercise of common sense. You are practicing good internal controls when you:
· Balance your checkbook
· Save for a car or retirement
· Keep copies of your tax return
· Compare your monthly credit card statement to the credit card receipts
· Lock your car doors
Internal controls are an integral part of any organization’s financial and business policies and procedures. Internal controls consists of all the measures taken by the organization for the purpose of: (1) protecting its resources against waste, fraud and inefficiency; (2) ensuring accuracy and reliability of accounting and operating data; (3) ensuring compliance with relevant laws and regulations and with the policies of the organization; and (4) evaluating the level of performance in all organizational units of the organization.
Important concepts concerning internal controls are:
· Internal control is a process. It is a means to an end, not an end itself.
· Internal control is effected by people. It’s not merely policy manuals and forms, but people functioning at every level of the institution.
· Internal control is geared to the achievement of objectives in several overlapping categories.
· Internal control only provides reasonable assurance to an institution’s leaders regarding achievement of operational, financial reporting and compliance objectives.
Everyone has a part in the internal control system at Stony Brook. The roles vary depending upon what level of responsibility and the nature of involvement by the individual. The President and senior executives establish the presence of integrity, ethics, competence and a positive control environment. The directors, department heads, deans have oversight responsibilities for internal controls within their areas. Managers and supervisors are responsible for ensuring that internal controls are established and functioning to achieve the mission and objectives of their unit. Each employee within a area must be made aware of and understand proper internal control procedures associated with their specific job function.
Internal control consists of the following five interrelated components:
· Control Environment- The control environment sets the tone of an organization, influencing the control consciousness of its employees. Control environment factors include the integrity, ethical values and competence of the employee; management’s philosophy and operating style; the manner by which management assigns authority and responsibility, and organizes and develops its employees; and the attention and direction provide by the University. Remember the core of any educational institution is its people.
· Risk Assessment- Management must be able to identify, analyze and manage any risk that prevents them from achieving their objectives. Basically you should ask yourself what could go wrong and what assets do we need to protect. Risk will increase during a time of change (i.e. personnel turnover and adding a new service).
· Control Activities- These are the policies and procedures that help to ensure that actions necessary to achieve the University’s objectives are effectively carried out. These policies and procedures should be written and communicated to employees. Examples of controls are separation of duties, authorization and approval, verification, review of operating performance, physical control, reconciliation, training and guidance and monitoring. Remember that when determining whether a particular control should be implemented, the risk of failure and the potential effect must be considered along with the cost of establishing the control. Excessive control is costly and counterproductive. Too little control presents undue risk. There should be a conscious effort to arrive at an appropriate balance.
· Information and Communication- These allow the University’s employees to identify, capture and exchange pertinent information in a form and timeframe that enable people to perform their duties. This not only includes information systems reports but it also includes the day-to-day communication among employees, supervisors and senior management. Remember information and communication must flow up and down the organization and also flow across departments and divisions.
· Monitoring- The controls put in place must be periodically reviewed and assessed to ensure that they are effective and adequate. This is done through ongoing monitoring and separate evaluations of internal controls.