INTERNAL CONTROLS
What are Internal Controls?
Internal Controls are processes, effected by the KCTCS Board of Regents, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
Is Segregation of Duties the Primary Component of Internal Controls?
Internal Control can be achieved both in a small department with limited personnel and in larger departments with more personnel available to achieve segregation of duties. Internal Control consists of five interrelated components:
- Control Environment - This includes factors such as integrity, ethical values and the competence of personnel. Management's philosophy and operating style also play a role. The attention and direction of Senior Management or the Board significantly affect the control environment.
- Risk Assessment - Every organization or department faces a variety of risks from external and internal sources. Management must be able to identify and manage those risks relevant to achieving the organization's objectives. Management must also be able to deal with the risks associated with changing economic, industry, regulatory, and operating conditions.
- Control Activities - Control Activities are the policies and procedures that help ensure management directives are carried out. In addition to segregation of duties, control activities include approval processes, authorizations, verifications, reconciliations, review of operating performance, and security of assets.
- Information and Communication - Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities. This component of internal control is critical. It includes not only information-system-produced reports of operational, financial and compliance-related information, but also the day-to-day communication processes among employees, supervisors and Senior Management. It is also important that information and communication flow up and down the organizational structure and across departments and divisions.
- Monitoring - A process to assess the quality of internal control systems over time is essential. This can be accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring activities include management and supervisory activities that take place every day. Either management or Internal Audit may undertake separate evaluations.
Who is Responsible for Internal Controls?
The answer is NOT the Internal Audit Department. Yes, we play a significant monitoring role and we can provide consultation and advice. However, ultimately, the President and members of Senior Management are responsible for the internal control system. Department Heads and Senior Managers are responsible for internal control policies and procedures specific to their unit or department. However, to some degree, every employee in the organization plays a part in the internal control system. All KCTCS personnel are responsible for communicating problems in operations upward as well as complying with internal and external policies and regulations.
What are Some Good Internal Control Practices?
Listed below are examples of strong internal controls:
- Authority limits are clearly defined in writing and communicated throughout the department.
- Accounts are reconciled on a timely basis to their underlying source data.
- Equipment, supplies, inventory, cash and other assets are physically secured and periodically counted and compared to records.
- Department policies are documented and reviewed periodically for current processes. In addition, policies are effectively communicated to all department staff.
- Department management closely monitors department operating statistics or other benchmarks. Negative trends are identified and addressed promptly.
- The Department Head, Administrator, or other designee reviews expense-related documents, including timesheets, for completeness, accuracy and compliance with policies and procedures.
- Performance appraisals are completed to reflect an objective assessment of each employee's abilities and their measured achievements of goals and objectives.
- Adequate training is provided for all employees.
- Changes in laws and regulations are identified and communicated to appropriate employees.
How do you Evaluate Internal Controls?
There are many different tools and methodologies for evaluating internal controls. A good example is the following matrix:

| Control Objective | Risk Factors | Risk Likelihood | Control Activities | Control Assessment |
| --- | --- | --- | --- | --- |
| | | | | |
| | | | | |
| | | | | |

The key to evaluating internal controls is identifying all of the unit or department's operating, financial and compliance objectives. Once the objectives are identified, you need to identify all the risk factors that exist that could prevent the objectives from being realized (i.e., what can go wrong?). Ranking the likelihood of each risk factor (high, low, or medium) will help with the cost justification of the control activities. Identifying the control activities to manage each of the risk factors is often supplemented with flowcharts and/or narratives of the departmental processes. The final control assessment (strong, adequate, or weak) is the judgment as to whether the control activities are sufficient to manage the risk factors, given the likelihood of the risk.
It should be noted that no system of internal control is expected to eliminate all risks. In addition, a strong system of internal controls does not ensure that the department's objectives will be met. However, it can help a department get to where it wants to go, and avoid pitfalls and surprises along the way.