What are internal controls?

Discussing vulnerabilities is not passing judgment but rather exploring where we want to be.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

COSO Integrated Control Framework (Revised - 2013)

Figure: COSO Internal Control-Integrated Framework Principles. The COSO cube shows three objective categories on the top face (operations, reporting, compliance), the five components on the front face (control environment, risk assessment, control activities, information & communication, monitoring activities), and four organizational levels on the side face (entity level, division, operating unit, function). The 17 principles supporting the five components are listed below, grouped by component.

Control environment:

  1. The organization demonstrates a commitment to integrity and ethical values.
  2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in pursuit of objectives.
  4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk assessment:

  6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
  8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
  9. The organization identifies and assesses changes that could significantly affect the system of internal control.

Control activities:

  10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
  11. The organization selects and develops general control activities over technology to support the achievement of objectives.
  12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information & communication:

  13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
  14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  15. The organization communicates with external parties regarding matters affecting internal control.

Monitoring activities:

  16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
  17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors as appropriate.

"Internal Control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance." - Committee of Sponsoring Organizations of the Treadway Commission

"The COSO report provided a common language regarding controls, and created an integrated control framework for managing business risks. The framework consists of five interrelated components: 

  1. control environment,
  2. risk assessment,
  3. control activities,
  4. information and communication, and 
  5. monitoring.

The control environment component is considered the “framework.” It focuses on people, the ethical and moral values established by an organization’s leadership team, and competence. It emphasizes that people are the organization and are the key determinants of the organization’s success or failure.

The risk assessment component ensures that mechanisms exist throughout the organization to identify, manage, and mitigate unwarranted risks. Therefore, goal alignment is critical throughout the organization and is to be integrated throughout all significant activities.

The control activities component provides that policies and procedures should be established and followed to ensure all actions support the achievement of defined goals.

The information and communication component provides that communication and the sharing of information should occur up, down, and across the organization. It requires that information be timely and thorough in order for actions to be completed that support the achievement of stated goals.

The monitoring component provides that the entire process must be monitored in order to recognize problems to make necessary adjustments during the course of operations."

University Risk Management and Insurance Association, Enterprise Risk Management in Higher Education white paper, September 2007, http://www.urmia.org/home 

Internal controls can be classified in four ways:

Directive controls ensure a particular outcome is achieved.  Examples include guidelines, training and incentives.

Preventative controls limit the possibility of an undesirable outcome.  Examples include tone at the top, authorization, segregation of duties and password protection.

Corrective or compensating controls correct undesirable outcomes that have occurred or reduce risk to an acceptable level when other controls have failed or are not cost-effective.  Examples include close supervision and management review including reviewing cost center reports, personal expense reports, time cards, etc.

Detective controls spot errors, omissions and fraud after the events have taken place.  Examples include reconciliations and exception reports.

Controlling is a function of management and is an integral part of the overall process of managing operations. As such, it is the responsibility of managers at all levels of the organization to:

  1. Identify and evaluate the exposures to loss which relate to their particular sphere of operations.
  2. Specify and establish policies, plans, and operating standards, procedures, systems, and other disciplines to be used to minimize, mitigate, and/or limit the risks associated with the exposures identified.
  3. Establish practical controlling processes that require and encourage directors, officers, and employees to carry out their duties and responsibilities in a manner that achieves the five control objectives outlined in procedures.
  4. Maintain the effectiveness of the controlling processes they have established and foster continuous improvement to these processes.

Control should be proportionate to the risk and within the university's risk appetite.

Here are some additional effective internal controls:

  1. Set a strong example of expected ethical behavior, compliance with laws and policies and routinely communicate these expectations.
  2. If you don't know whether an action you are considering will comply with University policies and procedures, ask!  Don't accidentally violate a policy or inadvertently commit fraud.  Your actions do not need to be deliberate to constitute fraud, and not knowing the policies is not a defense for your actions or inaction.
  3. Develop measurable goals based on your department's strategic plan and mission.  Have an action plan to achieve those goals.
  4. Develop written procedures, starting with your core operations and unique risks.
  5. Separate duties into initiation and review and/or approval.  This reduces the possibility of errors.

Here are some questions to ponder regarding managers enhancing performance:

  1. How am I ensuring that my team members individually understand that what they do every day directly relates to results that must be achieved?
  2. How am I ensuring that each team member understands their specific (and ideally measurable) expectations?
  3. How are team members self-monitoring their own results?  
  4. How am I consistently monitoring my team members' results?
  5. How am I consistently providing constructive performance feedback?
  6. How are we frequently celebrating successes?
  7. Am I asking how I can help my teammates?
  8. Am I really listening, seeking to understand and doing something about it? 
  9. Am I reaching out to others that have qualities with which I struggle for input and advice?
  10. Are our goals "SMART"?
    1. Specific
    2. Measurable
    3. Achievable
    4. Results-Focused
    5. Time-Bound