One control that should be put in place to alert the owner if something is actually missing

Before designing an internal control plan, you should understand the basic types of internal controls and how they are intended to function. When deciding on the types of controls to implement, consider the unit's objectives and business goals and the associated risks and materiality. All controls require the appropriate training, communication, and oversight by unit management to ensure they are being implemented appropriately and operating consistently.

Frequency of Controls

Depending on the underlying processes or functions, associated risks, and desired control objectives, control activities may be designed to operate at varying frequencies: recurring, daily, weekly, monthly, quarterly, annually, or as-needed (ad hoc). You may need more frequent controls for higher risk processes or functions.

Primary Types of Control Activities

Depending on when they are intended to function, there are two basic types of internal control activities: preventative and detective. An optimal system of internal controls will have both.

Preventative Controls

Preventative controls protect the university by helping to identify and address problems before they happen. 

Examples:

  • Segregation of duties
  • Authorization requirements to prevent improper use of university resources
  • Enforcement of clear recordkeeping and documentation procedures
  • Protections for passwords and other information
  • Physical control over assets

Detective Controls

Detective controls are designed to find errors or fraud in transactions after they have occurred, as well as identify missing assets or invalid transactions. Properly designed and operating detective controls will also help determine if preventative controls are functioning properly.

An important detective control is reconciliation, which compares two sets of data to one another, and identifies/investigates differences.

Other detective control examples include:  

  • Reviewing procurement card statements for appropriateness, allowability, and proper allocation.
  • Conducting post-transaction reviews on such things as exception reports as well as conducting analytical reviews, routine budget-to-actual reviews, and key metrics monitoring.
  • Reviewing transactions after the fact for reasonableness and proper approvals.
  • Conducting physical asset counts.

When controls find errors or improper activities, unit management must take sufficient remedial actions, including root-cause analysis and error correction, and implement necessary corrective measures to prevent such issues from recurring.

Other Types of Controls

You should also consider including these important characteristics of internal controls when designing controls to implement in unit-level internal control plans:

Manual vs. Automated Controls

Depending on the control objective, available data and resources (e.g., software), and other factors, controls may be manual or automated.    

  • Manual controls rely on human actions. For instance, a human must review and give approval for certain proposed transactions.
  • Automated controls rely on computerized (electronic) actions. For instance:
    • Authentication measures are put in place to authorize access to a system or process a transaction.
    • Edit functions can ensure data accuracy and completeness.
    • Transaction matching can be automated to facilitate reconciliations between two sources or systems.
    • Automated alerts can notify a user of activity based on pre-established parameters.
    • Analytical routines can identify transactions that are outside of policy compliance. 

Compared to manual controls, automated controls are generally more consistent and efficient and may be built into software used for business processes; however, automated controls are dependent upon design/programming and limited to discrete control objectives. Manual controls allow for the use of judgment in performing control activities.

You can use a combination of manual and automated practices, as well. For instance, you can automate reconciliations with electronic transaction matching but require a manual investigation and resolution of unreconciled amounts and a manual review of the completed reconciliation following established protocols.

Transaction vs. Summary-Level Controls

Controls intended to function at the transaction or process level typically involve assessing discrete functions or transactions, while controls operating at a summary level evaluate an aggregation of transactions or functions.  Examples include the following:

  • Transaction/process level: Reviewing travel expense reimbursements, reviewing procurement card transactions and accompanying receipts, or approving an individual’s access to an IT system.
  • Summary level: Comparing budget to actual spending at the account or object code levels or reviewing financial statements or reports for unusual or unexpected activity or fluctuations.

Centralized vs. Decentralized Controls

Certain control activities take place in centralized functions (e.g., Accounting, Sponsored Financial Services), while others occur in distributed (decentralized) units (e.g., department or business service center transaction reviews and approvals). To ensure that identified risks are addressed, you must understand where a given control takes place. For example, business service centers and the units they support must maintain service-level agreements that detail key responsibilities for financial controls between the unit and the service center.

Note: Effectively implemented internal controls are predicated on sufficient and appropriate communications, training, policies, etc. that direct employees’ actions.

Internal controls should be documented sufficiently to demonstrate that controls are in place and functioning as intended (e.g., to enable auditors to test performance of the control).

Third-Party Risk Management/Controls

External vendors are a vital component of various business operations. Suppliers may have access to a wide range of information (including financial) from the supported unit. Once information is shared with a supplier through cloud-based software, data storage, or other outsourced services, direct control of that information is lost, regardless of its sensitivity or value. As a result, appropriate technical and contractual considerations must be made, and mitigating control processes must be established with all external suppliers that have access to a unit’s financial information. Examples of such processes include:

  • Ensure the existence of a data sharing agreement that clearly defines roles and responsibilities, particularly with respect to data security, data backup and disaster recovery, and the return of data in the event of contract termination.
  • Monitor and continually assess provider performance and compliance. Where available, request from the supplier and evaluate a copy of the annual Service and Organization Controls (SOC) Report. This is an independent report on the design and effectiveness of the controls the supplier has in place that are relevant to the unit’s internal control over financial reporting and data security.
  • When reviewing the SOC Report, it is important to note any control deficiencies identified and determine how the unit’s internal control environment is impacted. In addition, it is important to review the “User Control Considerations” section, which details the internal control processes that are expected to be in place at the unit level to allow for the supplier’s control environment to function appropriately.

What are 3 examples of preventative controls?

Examples of preventive controls include:

  • Separation of duties
  • Pre-approval of actions and transactions (such as a Travel Authorization)
  • Access controls (such as passwords and Gatorlink authentication)
  • Physical control over assets (i.e. locks on doors or a safe for cash/checks)

What are the 3 control types?

Internal controls fall into three broad categories: detective, preventative, and corrective.

What are the 4 types of internal controls?

Internal controls are typically comprised of control activities such as authorization, documentation, reconciliation, security, and the separation of duties. And they are broadly divided into preventative and detective activities.

What are two internal controls that should be put in place to prevent inventory from going missing?

Answer and Explanation: Some internal controls that should be put in place to prevent inventory from going missing include tracking, security, and counts.
