Discussing vulnerabilities is not passing judgment but rather exploring where we want to be.
COSO Integrated Control Framework (Revised - 2013)
"Internal Control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance." - Committee of Sponsoring Organizations of the Treadway Commission
"The COSO report provided a common language regarding controls, and created an integrated control framework for managing business risks. The framework consists of five interrelated components:
- control environment,
- risk assessment,
- control activities,
- information and communication, and
- monitoring.
The control environment component is considered the “framework.” It focuses on people, the ethical and moral values established by an organization’s leadership team, and competence. It emphasizes that people are the organization and are the key determinants of the organization’s success or failure.
The risk assessment component ensures that mechanisms exist throughout the organization to identify, manage, and mitigate unwarranted risks. Therefore, goal alignment is critical throughout the organization and is to be integrated throughout all significant activities.
The control activities component provides that policies and procedures should be established and followed to ensure all actions support the achievement of defined goals.
The information and communication component provides that communication and the sharing of information should occur up, down, and across the organization. It requires that information be timely and thorough in order for actions to be completed that support the achievement of stated goals.
The monitoring component provides that the entire process must be monitored in order to recognize problems to make necessary adjustments during the course of operations."
- University Risk Management and Insurance Association, Enterprise Risk Management in Higher Education white paper, September 2007, http://www.urmia.org/home
Internal controls can be classified in four ways:
- Directive controls ensure a particular outcome is achieved. Examples include guidelines, training and incentives.
- Preventative controls limit the possibility of an undesirable outcome. Examples include tone at the top, authorization, segregation of duties and password protection.
- Corrective or compensating controls correct undesirable outcomes that have occurred or reduce risk to an acceptable level when other controls have failed or are not cost-effective. Examples include close supervision and management review, including reviewing cost center reports, personal expense reports, time cards, etc.
- Detective controls spot errors, omissions and fraud after the events have taken place. Examples include reconciliations and exception reports.
Controlling is a function of management and is an integral part of the overall process of managing operations. As such, it is the responsibility of managers at all levels of the organization to:
- Identify and evaluate the exposures to loss which relate to their particular sphere of operations.
- Specify and establish policies, plans, and operating standards, procedures, systems, and other disciplines to be used to minimize, mitigate, and/or limit the risks associated with the exposures identified.
- Establish practical controlling processes that require and encourage directors, officers, and employees to carry out their duties and responsibilities in a manner that achieves the five control objectives outlined in procedures.
- Maintain the effectiveness of the controlling processes they have established and foster continuous improvement to these processes.
Control should be proportionate to the risk and within the university's risk appetite.
Here are some additional effective internal controls:
- Set a strong example of expected ethical behavior, compliance with laws and policies and routinely communicate these expectations.
- If you don't know whether an action you are considering will comply with University policies and procedures, ask! Don't accidentally violate a policy or inadvertently commit fraud. Your actions do not need to be deliberate to constitute fraud. Not knowing the policies is not a defense for your actions or inaction.
- Develop measurable goals based on your department's strategic plan and mission. Have an action plan to achieve those goals.
- Develop written procedures, starting with your core operations and unique risks.
- Separate duties into initiation and review and/or approval. This reduces the possibility of errors.
Here are some questions to ponder regarding managers enhancing performance:
- How am I ensuring that my team members individually understand that what they do every day directly relates to the results that must be achieved?
- How am I ensuring that each team member understands their specific (and ideally measurable) expectations?
- How are team members self-monitoring their own results?
- How am I consistently monitoring my team members' results?
- How am I consistently providing constructive performance feedback?
- How are we frequently celebrating successes?
- Am I asking how I can help my teammates?
- Am I really listening, seeking to understand and doing something about it?
- Am I reaching out for input and advice to others who have the qualities I struggle with?
- Are our goals "SMART"?