Frequently Asked Questions

Internal Controls FAQ

Internal controls encompass the plan of organization and all of the coordinated methods adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency and encourage adherence to prescribed managerial policies. This definition recognizes that a system of internal control extends beyond those matters which relate directly to the functions of the accounting and financial departments.

Simply put, internal controls are anything we do to help us achieve our objectives. They are the policies, procedures, practices and organizational structures implemented in order to:

  • Protect the University's assets (including the University's reputation);
  • Ensure records are accurate;
  • Promote operational efficiency; and
  • Encourage adherence to policies and procedures

Management is responsible for establishing and maintaining the control environment. Auditors play a role in a system of internal controls by performing evaluations and making recommendations for improved controls. Furthermore, every employee plays a role in either strengthening or weakening the Institution's internal control system. Therefore, all employees need to be aware of the concept and purpose of internal controls.

Yes, generally speaking there are two types: preventive and detective controls. Both types of controls are essential to an effective internal control system. From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality. However, detective controls play a critical role by providing evidence that the preventive controls are functioning as intended.

Preventive Controls

Preventive Controls are designed to discourage errors or irregularities from occurring. They are proactive controls that help to ensure departmental objectives are being met. Examples of preventive controls are:

  • Segregation of Duties: Duties are segregated among different people to reduce the risk of error or inappropriate action. Normally, responsibilities for authorizing transactions (approval), recording transactions (accounting) and handling the related asset (custody) are divided.
  • Approvals, Authorizations, and Verifications: Management authorizes employees to perform certain activities and to execute certain transactions within limited parameters. In addition, management specifies those activities or transactions that need supervisory approval before they are performed or executed by employees. A supervisor’s approval (manual or electronic) implies that he or she has verified and validated that the activity or transaction conforms to established policies and procedures.
  • Security of Assets (Preventive and Detective): Access to equipment, inventories, securities, cash and other assets is restricted; assets are periodically counted and compared to amounts shown on control records.

Detective Controls

Detective Controls are designed to find errors or irregularities after they have occurred. Examples of detective controls are:

  • Reviews of Performance: Management compares information about current performance to budgets, forecasts, prior periods, or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions that require follow-up.
  • Reconciliations: An employee relates different sets of data to one another, identifies and investigates differences, and takes corrective action, when necessary.
  • Physical Inventories
  • Audits

The control environment is the control consciousness of an organization; it is the atmosphere in which people conduct their activities and carry out their control responsibilities. An effective control environment is an environment where competent people understand their responsibilities and the limits to their authority, and are knowledgeable, mindful, and committed to doing what is right and doing it the right way. They are committed to following an organization’s policies and procedures and ethical and behavioral standards.

As a Business Administrator/manager/employee of a department, you can do the following to enhance your department’s control environment:

    • Make sure job descriptions exist, clearly state responsibility for internal control, and correctly translate desired competencies.
    • Implement segregation of duties where duties are divided, or segregated, among different people to reduce risk of error or inappropriate actions. No one person has control over all aspects of any financial transaction.
    • Make sure transactions are authorized by a person delegated approval authority when the transactions are consistent with policy and funds are available.
    • Ensure records are routinely reviewed and reconciled by someone other than the preparer or transactor, to determine that transactions have been properly processed.
    • Make certain that equipment, inventories, cash and other property are secured physically, counted periodically, and compared with item descriptions shown on control records.
    • Provide employees with appropriate training and guidance to ensure they have the knowledge necessary to carry out their job duties, are provided with an appropriate level of direction and supervision, and are aware of the proper channels for reporting suspected improprieties. For example, if your department is a recipient of sponsored funds, make sure that individuals administering funds are well trained on federal rules and regulations regarding the use of grant funds.
    • Make sure University and departmental level policies and operating procedures are formalized and communicated to employees. Documenting policies and procedures and making them accessible to employees (in either hard copy or internet-based form) helps provide day-to-day guidance to staff and will promote continuity of activities in the event of prolonged employee absences or turnover.
    • Make sure that employees comply with UTA’s Conflict of Interest Policy and disclose potential conflicts of interest.
    • Make sure employee performance evaluations are conducted periodically. Good performance should be valued highly and recognized in a positive manner.
    • Make sure that appropriate counseling and/or disciplinary action is taken when an employee does not comply with policies and procedures and/or behavioral standards.

    Myth: Internal controls result from a strong set of policies and procedures (i.e., "If a policy doesn't exist, we don't have to do it").
    Fact: Internal controls are based on a strong control environment and solid business practices that, in most cases, will be supported by policies; however, lack of formal policies does not preclude good business practices.

    Myth: Internal controls? That's why we have internal auditors.
    Fact: Management and departmental personnel are the owners of internal controls.

    Myth: Internal controls are all about finance and accounting. We do what the Office of Financial Affairs or the Department of Finance tells us to do.
    Fact: Internal controls are integral to every aspect of business.

    Myth: Internal controls are essentially negative, like a list of "thou shalt nots."
    Fact: Internal controls make the right thing happen the first time.

    Myth: Internal controls are a necessary evil. They take time away from our core activities and responsibilities.
    Fact: Internal controls should be built into, not onto, business processes.

    Myth: If controls are strong enough, we can be sure that errors and irregularities will always be detected.
    Fact: Internal controls provide reasonable, but not absolute, assurance that the organization's objectives will be achieved.

    General FAQ

    UT System Policy UTS 129, Internal Audit Activities, http://www.utsystem.edu/policy/policies/uts129.html clarifies the roles of University Compliance Services and Internal Audit in managing institutional risks.

    The Office of Audit and Consulting Services is an independent function of the governance process of the University of Texas System. It provides periodic assurance to the Board of Regents and executive management on the component institution's ability to achieve its objectives.

    University Compliance Services is part of the control structure of the organization, whereas Internal Audit evaluates the control structure - a key difference between the two functions.

    The Office of Audit and Consulting Services may provide consulting and assurance services to the compliance function. Consulting services may include: providing information and best practices in the design of the compliance function; providing advice and information in the design of monitoring plans; providing training and educational services; and providing facilitation services for self-assessments of the compliance function. Assurance services may include: audits of the compliance program design; audits of University Compliance Services' monitoring plans; audits of compliance issues; and inspections of the monitoring plans.

    For additional information on UT Arlington's University Compliance Services, please visit their website at http://www.uta.edu/compliance/

    The University conducts a regular, ongoing examination of its internal controls, and as part of this process, the Department of Internal Audit conducts approximately 20 audits annually. Primary considerations in establishing which units will be audited include evaluation of risk, the results and length of time of previous internal and external audits, and specific requests from administrators. Audits for many high risk units are scheduled on a three-year cycle, while other units are randomly selected for audits. In addition, internal audits are initiated to investigate possible irregularities.

    The Director of Internal Audits prepares an annual plan which is reviewed and approved by the Audit Committee and The University of Texas System Audit Office to ensure that objectives, scope and allocated audit hours support management goals. The plan is primarily developed based on the assessment of various risk factors such as: significant financial investment or impact, required regulatory or legal compliance, complex transactions or environment, new technology or processes and prior audit experience. Management requests, external audit support and standard annual audits are also included. Additionally, there are always projects we undertake that were unanticipated when the annual plan was developed.

    Auditors are not specifically searching for the existence of fraud. However, while conducting audits in accordance with the Institute of Internal Auditors' "Standards for the Professional Practice of Internal Auditing," improper activities may be identified.

    A good system of internal controls and a control conscious organizational environment will reduce this risk.

    Oversight of the Office of Audit and Consulting Services is performed by the Institutional Audit Committee and the UT System Audit Office. In addition, a Quality Assurance Review, or peer review, is performed every three years by qualified auditors (external to the organization) in accordance with Professional Standards.

    Also, in most instances, audit clients have an opportunity to evaluate the quality of service provided by our department by completing an evaluation form which we use to identify ways to improve our services.