Screenreader Navigation - [ Skip to Content | Skip to Main Navigation ]
[FSU Seal Image] - Return to Home
Florida State University - Return to Home

Page supergraphic

Controller's Office / Departmental Business Management Guide / Departmental Business Management Guide - Internal Controls & Fraud Prevention

Departmental Business Management Guide - Internal Controls & Fraud Prevention



Objectives of Internal Control

Internal controls are the methods and procedures designed by management to provide reasonable assurance regarding the achievement of the following:

  • Efficient and effective operations
  • Reliable financial and operational reports
  • Compliance with applicable rules, laws and regulations
  • Safeguarding of resources against loss due to waste, abuse, mismanagement, errors and fraud

In plain language, a system of internal controls is essentially a system of checks and balances.


Departmental Role in Internal Control

1. Establish the “tone at the top” and promote an ethical business environment by providing structure, feedback, and discipline.

2. Assess risks specific to your operations and develop a control system to address risks that could prevent achieving established goals.

3. Establish and maintain control activities such as reconciliations, approvals, and reviews of operating activities.

4. Ensure appropriate access to and use of university information and systems.

5. Monitor control system and activities to identify and correct breakdowns timely.


Types of Internal Controls and Common Control Activities

Preventive and Detective are two major types of controls.

Preventative controls - Designed to forestall errors or irregularities and thereby avoid the cost of corrections. Examples of common preventive control activities include:

  • Segregation of duties
  • Proper authorization to prevent improper use of organizational resources
  • Standardized forms
  • Physical control over assets
  • Computer passwords
  • Computerized techniques such as transaction limits and system edits

Detective controls - Designed to measure the effectiveness of preventive controls and detect errors or irregularities when they occur. These controls are less effective and more expensive than preventive controls because they occur at the back end of the process. Examples of common detective control activities include:

  • Performance and quality assurance reviews
  • Reconciliations
  • Cash counts
  • Physical inventory counts and comparisons with inventory records


Internal Control Process Objectives

A well-designed process with appropriate internal controls should meet most if not all of the system’s control objectives. A system of internal control can be evaluated by assessing its ability to achieve seven commonly accepted control objectives:

  1. Authorization – All transactions are pre-approved by responsible personnel.
  2. Completeness – All valid transactions are included in the accounting records.
  3. Accuracy – All valid transactions are accurate, consistent with the originating transaction data, and information is recorded in a timely manner.
  4. Validity – All recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management’s general authorization.
  5. Physical Safeguards and Security – Access to physical assets and information systems are controlled and properly restricted to authorized personnel.
  6. Error Handling – Errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management.
  7. Segregation of Duties – Duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing a transaction.


Components of Internal Control

Internal control consists of five interrelated components: the control environment, risk assessment, control activities, information and communications, and monitoring. Each of these components is an integral part of the management process and plays a specific role in departmental internal control procedures.

Control Environment – The attitude toward internal control and conscientious management (i.e. the “tone at the top”). Control Environment factors include the integrity, ethical values and competence of the organization's people, management's philosophy and operating style, and the way management assigns authority and responsibility and organizes and develops its human resources.

Risk Assessment The identification of risks that could impede the efficient and effective achievement of organizational goals and objectives. An important first step in this internal control component is the establishment of clear and consistent objectives. Additionally, an approach should be developed for risk management in order to help assure that these risks are appropriately mitigated.

Control Activities – The policies, procedures, techniques and mechanisms implemented by management to ensure management directives are carried out to meet organizational objectives. Control activities occur throughout the organization, at all levels and in all functions. Each department is unique and only the most basic of control activities are specifically outlined in University policies and procedures. As such, managers are responsible for identifying other appropriate control activities so that their departments’ unique risks are properly mitigated.

Information and Communication A system that identifies, captures, and communicates pertinent information timely and effectively, enabling people to carry out their responsibilities. Effective communication must flows down, across, and up the organizational structure. The department must also effectively communicate with external parties, such as students, sponsors of research, alumni, and administrative departments. The administrative departments are here to assist departments in achieving operational goals without violating applicable laws, regulations, or university policies.

Monitoring – The assessment of the quality of performance over time in order to assure that findings of audits and other reviews are promptly resolved and that internal controls continue to operate effectively. This assessment should include ensuring that managers know their responsibilities for internal control and control monitoring. It should also include the performance of separate evaluations of internal controls by central units, Audit Services and/or other independent parties.


Fraud Detection and Prevention

No matter how well internal controls are designed, they can only provide reasonable assurance that objectives will be achieved. Specifically, internal controls cannot be designed with the expectation that they will discover all instances of fraud. However, effective internal controls are extremely useful in safeguarding the University against not only fraud, but also waste, abuse and misuse of resources.

The University has a “zero tolerance” for fraudulent, unethical and other dishonest activities. If fraud is expected or discovered, employees are required by University policy to immediately notify their supervisor who is then, in turn, required to notify the Office of Audit Services (OAS) or, if the actions appear criminal, the supervisor should notify the University Police Department. If you have reason to suspect that your supervisor may be involved in the fraudulent activity, you should immediately notify OAS or the FSU Police, if appropriate.

It is important to remember that employees who, in good faith, report these types of wrongful activity are protected from retaliation by University policy and, in some cases, by the Florida “Whistle-blower’s” Act (Florida Statute Section 112.3187). The law also provides for your identity to remain confidential.


The Internal Control Checklist – An Assessment Tool

An extensive Internal Controls Checklist is available, which covers control issues in the following areas:

  • Control Environment
  • Budgeting, Accounting, and Financial Reporting
  • Collections, Deposits and Cash Refunds
  • Property Accounting
  • Facilities
  • Payroll
  • Human Resource Management
  • Purchasing and Disbursement
  • Travel
  • Research Management and Support
  • Information Technology

Managers should complete this questionnaire on an annual basis in order to provide a mechanism to assess awareness of requirements related to adequate internal control standards and evaluate your organization’s business practices relative to these requirements.





Departmental Business Management Guide Home