Departmental Business Management Guide - Internal Controls & Fraud Prevention
- Objectives of Internal Control
- Departmental Role in Internal Control
- Types of Internal Controls and Common Control Activities
- Internal Control Process Objectives
- Components of Internal Control
- Fraud Detection and Prevention
- The Internal Control Checklist – An Assessment Tool
Internal controls are the methods and procedures designed by management to provide reasonable assurance regarding the achievement of the following:
- Efficient and effective operations
- Reliable financial and operational reports
- Compliance with applicable rules, laws and regulations
- Safeguarding of resources against loss due to waste, abuse, mismanagement, errors and fraud
In plain language, a system of internal controls is essentially a system of checks and balances.
1. Establish the “tone at the top” and promote an ethical business environment by providing structure, feedback, and discipline.
2. Assess risks specific to your operations and develop a control system to address risks that could prevent achieving established goals.
3. Establish and maintain control activities such as reconciliations, approvals, and reviews of operating activities.
4. Ensure appropriate access to and use of university information and systems.
5. Monitor the control system and activities to identify and correct breakdowns in a timely manner.
Preventive and Detective are two major types of controls.
Preventive controls - Designed to forestall errors or irregularities and thereby avoid the cost of corrections. Examples of common preventive control activities include:
- Segregation of duties
- Proper authorization to prevent improper use of organizational resources
- Standardized forms
- Physical control over assets
- Computer passwords
- Computerized techniques such as transaction limits and system edits
Detective controls - Designed to measure the effectiveness of preventive controls and detect errors or irregularities when they occur. These controls are less effective and more expensive than preventive controls because they occur at the back end of the process. Examples of common detective control activities include:
- Performance and quality assurance reviews
- Cash counts
- Physical inventory counts and comparisons with inventory records
A well-designed process with appropriate internal controls should meet most if not all of the system’s control objectives. A system of internal control can be evaluated by assessing its ability to achieve seven commonly accepted control objectives:
- Authorization – All transactions are pre-approved by responsible personnel.
- Completeness – All valid transactions are included in the accounting records.
- Accuracy – All valid transactions are accurate, consistent with the originating transaction data, and information is recorded in a timely manner.
- Validity – All recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management’s general authorization.
- Physical Safeguards and Security – Access to physical assets and information systems is controlled and properly restricted to authorized personnel.
- Error Handling – Errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management.
- Segregation of Duties – Duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing a transaction.
Internal control consists of five interrelated components: the control environment, risk assessment, control activities, information and communications, and monitoring. Each of these components is an integral part of the management process and plays a specific role in departmental internal control procedures.
Control Environment – The attitude toward internal control and conscientious management (i.e. the “tone at the top”). Control Environment factors include the integrity, ethical values and competence of the organization's people, management's philosophy and operating style, and the way management assigns authority and responsibility and organizes and develops its human resources.
Risk Assessment – The identification of risks that could impede the efficient and effective achievement of organizational goals and objectives. An important first step in this internal control component is the establishment of clear and consistent objectives. Additionally, an approach should be developed for risk management in order to help assure that these risks are appropriately mitigated.
Control Activities – The policies, procedures, techniques and mechanisms implemented by management to ensure management directives are carried out to meet organizational objectives. Control activities occur throughout the organization, at all levels and in all functions. Each department is unique and only the most basic of control activities are specifically outlined in University policies and procedures. As such, managers are responsible for identifying other appropriate control activities so that their departments’ unique risks are properly mitigated.
Information and Communication – A system that identifies, captures, and communicates pertinent information in a timely and effective manner, enabling people to carry out their responsibilities. Effective communication must flow down, across, and up the organizational structure. The department must also effectively communicate with external parties, such as students, sponsors of research, alumni, and administrative departments. The administrative departments are here to assist departments in achieving operational goals without violating applicable laws, regulations, or university policies.
Monitoring – The assessment of the quality of performance over time in order to assure that findings of audits and other reviews are promptly resolved and that internal controls continue to operate effectively. This assessment should include ensuring that managers know their responsibilities for internal control and control monitoring. It should also include the performance of separate evaluations of internal controls by central units, Audit Services and/or other independent parties.
No matter how well internal controls are designed, they can only provide reasonable assurance that objectives will be achieved. Specifically, internal controls cannot be designed with the expectation that they will discover all instances of fraud. However, effective internal controls are extremely useful in safeguarding the University against not only fraud, but also waste, abuse and misuse of resources.
The University has “zero tolerance” for fraudulent, unethical and other dishonest activities. If fraud is suspected or discovered, employees are required by University policy to immediately notify their supervisor, who is then, in turn, required to notify the Office of Audit Services (OAS) or, if the actions appear criminal, the University Police Department. If you have reason to suspect that your supervisor may be involved in the fraudulent activity, you should immediately notify OAS or the FSU Police, if appropriate.
It is important to remember that employees who, in good faith, report these types of wrongful activity are protected from retaliation by University policy and, in some cases, by the Florida “Whistle-blower’s” Act (Florida Statute Section 112.3187). The law also provides for your identity to remain confidential.
An extensive Internal Controls Checklist is available, which covers control issues in the following areas:
- Control Environment
- Budgeting, Accounting, and Financial Reporting
- Collections, Deposits and Cash Refunds
- Property Accounting
- Human Resource Management
- Purchasing and Disbursement
- Research Management and Support
- Information Technology
Managers should complete this questionnaire on an annual basis. It provides a mechanism to assess awareness of the requirements for adequate internal control standards and to evaluate their organization’s business practices relative to these requirements.
- University Policy OP-C-13 – Policy Against Fraudulent, Unethical and Other Dishonest Acts
- University Policy OP-A-9 - Internal Control Responsibility and Accountability
- University Policy OP-D-2-B3 – Cash Management Internal Control Requirements
- University Policy OP-D-2-E4 – Payroll Internal Controls
- University Internal Controls Checklist
- U.S. General Accounting Office Internal Control Management and Evaluation Tool
- State of Florida Office of the Auditor General
- FSU Office of the Inspector General
- FSU Hotline