Concepts of Internal Controls
AMAS has adopted the internal control concepts defined by the Committee of Sponsoring Organizations (COSO). The information provided here is intended to help you understand the purpose behind internal control and develop strong internal controls.
The Tufts University Learning Center also offers a good tutorial which addresses concepts of internal controls. Log in to watch the tutorial “AMAS Concepts of Internal Controls.”
What is Internal Control?
Internal control is defined as a process which provides reasonable assurance regarding the achievement of certain objectives:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with laws and regulations
This definition reflects certain fundamental concepts:
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is not merely documented in policy manuals and forms. Rather, it is put in place and carried out by people at every level of an organization.
- Internal control can provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
Elements of Internal Control
Internal Control comprises five interrelated components. Here is how each relates to Tufts University:
- Control Environment: The core of any university is its people – their individual attributes, including integrity, ethical values, and competence – and the environment in which they operate. They are the foundation on which everything rests.
- Risk Assessment: Tufts University establishes academic, research and administrative objectives, integrated with revenue and cost containment goals. Risk assessment helps in identifying, analyzing, and managing risks that could prevent the achievement of these objectives.
- Control Activities: Policies and procedures are necessary to help management control risks and ensure the specified goals are achieved.
- Information and Communication: Surrounding these activities are information and communication systems. These systems enable the capture and exchange of information needed to conduct, manage, and control the institution’s operations.
- Monitoring: The entire process should be monitored, and modifications made if necessary. By doing so, internal controls can be adjusted dynamically and changed as conditions warrant.
Who is responsible for Internal Control?
University management is responsible for designing and maintaining an adequate system of internal control. Evaluating your internal controls provides assurance that the internal control system is effective. Evaluations may take the form of self-assessments, where the responsible individuals from a particular Tufts unit or function determine the effectiveness of controls for their activities. AMAS is available to assist you with this process.
We also perform internal control evaluations as part of our internal audits or at the request of management.
What are the major categories of Internal Control?
- Authorization and Verification: Authorizations may be specific or general. A purchase requisition approval is an example of a “specific” authorization. Specific authorizations relate to individual transactions and require formal approval by university personnel having proper approval authority. It is important to remember that by approving a transaction you are taking responsibility for having verified that the transaction is genuine. An example of a general authorization is the matching of vendor invoices to receiving reports and purchase orders prior to payment, which ensures that the university pays only for items actually received and in accordance with negotiated terms and prices.
- Accuracy and Completeness: Reconciliations are critical controls which ensure the accuracy and completeness of transactions. They are particularly important where standalone subsystems exist. For example, a subsystem used to process revenue transactions should be reconciled to bank deposit totals and PeopleSoft financial reports to ensure that payments received are properly deposited in university bank accounts and recorded accurately in the financial records.
- Separation of Duties: If two components of a transaction are processed by different individuals, each person provides a check over the other. Separation of duties also acts as a deterrent to fraud or concealment because collusion with another individual is required to complete the fraudulent act. Separating responsibility for physical security of assets from related record keeping is a critical control.
- Physical Safeguards: Physical safeguards should be designed to prevent unauthorized access to Tufts University assets and accounting records. Examples of physical security mechanisms include a safe, vault, locked doors/desk drawers, computer passwords, and card key systems.
- Information Technology: IT controls prevent unauthorized access to Tufts University management information systems (including cloud based) or the deliberate corruption of data. Controls include: authentication, access, incident management, backup and recovery processes, secure configuration, patch management, anti-virus software.
Depending on the type of internal control, controls are considered to be either Detective (used to identify errors), Preventive (used to stop errors from occurring), or Corrective (used to fix errors once detected).
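The reconciliation described under Accuracy and Completeness is a detective control, and it is easy to show what it actually catches. The following is an added example, not code from AMAS or from any Tufts system: a three-way reconciliation of a hypothetical departmental cashiering subsystem against the bank's deposit totals and the amounts posted to the general ledger, keyed on the deposit slip reference. All data, names and the deposit-reference format are constructed for the illustration. Amounts are handled as Decimal rather than float so that cents reconcile exactly.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (not from the page): one day's receipts from a
# hypothetical cashiering subsystem, the bank's deposit totals for the same
# day, and the amounts posted to the general ledger for those deposits.
SUBSYSTEM_RECEIPTS = [
    # (receipt id, deposit slip reference, amount collected)
    ("R-1001", "DEP-20240301-A", "120.00"),
    ("R-1002", "DEP-20240301-A", "80.00"),
    ("R-1003", "DEP-20240301-B", "500.00"),
    ("R-1004", "DEP-20240301-C", "45.50"),
    ("R-1004", "DEP-20240301-C", "45.50"),  # same receipt keyed twice
]
BANK_DEPOSITS = {
    "DEP-20240301-A": "200.00",
    "DEP-20240301-B": "450.00",  # $50 less than the subsystem says was collected
    "DEP-20240301-D": "300.00",  # bank received a deposit the subsystem never recorded
}
GL_POSTINGS = {
    "DEP-20240301-A": "200.00",
    "DEP-20240301-B": "500.00",  # ledger shows the expected amount, not what the bank got
    # DEP-20240301-D was never posted to the ledger at all
}


def money(value):
    """Normalise any incoming amount to a Decimal; never reconcile money in float."""
    return Decimal(str(value))


def reconcile(receipts, bank, gl):
    """Return a list of (kind, reference, expected, actual) exceptions.

    Three checks are made: every subsystem batch must reach the bank for the
    same total, every bank deposit must trace back to a subsystem batch, and
    every bank deposit must be posted to the ledger for the amount received.
    An empty list means the three sources agree.
    """
    exceptions = []
    seen_receipts = set()
    batches = defaultdict(Decimal)  # deposit reference -> total collected

    # Build the subsystem's view, rejecting duplicate receipt ids up front so
    # a double-keyed receipt cannot inflate a batch and mask a short deposit.
    for receipt_id, ref, amount in receipts:
        if receipt_id in seen_receipts:
            exceptions.append(("duplicate_receipt", receipt_id, ref, money(amount)))
            continue
        seen_receipts.add(receipt_id)
        batches[ref] += money(amount)

    # Subsystem -> bank: was everything collected actually deposited, in full?
    for ref, expected in batches.items():
        if ref not in bank:
            exceptions.append(("missing_deposit", ref, expected, None))
        elif money(bank[ref]) != expected:
            exceptions.append(("deposit_mismatch", ref, expected, money(bank[ref])))

    # Bank -> subsystem and bank -> ledger: is every deposit explained and recorded?
    for ref, deposited in bank.items():
        deposited = money(deposited)
        if ref not in batches:
            exceptions.append(("unrecorded_deposit", ref, None, deposited))
        if ref not in gl:
            exceptions.append(("not_posted", ref, deposited, None))
        elif money(gl[ref]) != deposited:
            exceptions.append(("gl_mismatch", ref, deposited, money(gl[ref])))

    return exceptions


def reconcile_sample():
    """Run the reconciliation over the constructed sample data above."""
    return reconcile(SUBSYSTEM_RECEIPTS, BANK_DEPOSITS, GL_POSTINGS)


if __name__ == "__main__":
    for kind, ref, expected, actual in reconcile_sample():
        print(f"{kind:20} {ref:16} expected={expected} actual={actual}")
```

Each exception is something a single source could never reveal on its own: the short deposit on batch B is only visible against the bank, the ledger error on B only against the bank, and deposit D only because the bank reported money the subsystem knew nothing about. In practice the same job runs on a schedule, the exception list goes to someone other than the person who prepares the deposits (separation of duties), and a non-empty result is investigated and cleared, not silently re-run.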