











Financial Internal Control Guide
The Internal Control Guide discusses internal controls and the role of managers in developing, implementing, and monitoring them. Evaluating internal controls is a core management responsibility and should not be viewed as an extraneous obligation. We do not suggest, however, that this Guide is all-inclusive. Managers should use it as a starting point and make their own decisions about the internal controls necessary within the programs or activities that they manage. We have, accordingly, prepared this document and the related internal control Self Assessment Questionnaires to assist managers in fulfilling their responsibilities relating to internal controls.
The Guide is primarily based on the definition of internal control developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. COSO consists of the following organizations: the American Institute of Certified Public Accountants, the American Accounting Association, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.
- Purpose of the Internal Control Guide
Fiscal management is a shared responsibility at many levels of the organization. Because the University is a large and decentralized organization, it is essential that appropriate reporting and review procedures be established throughout the University. University units are responsible for managing public resources and a major factor in fulfilling this responsibility is ensuring that adequate internal controls exist. Since University units vary in size, complexity, and degree of centralization, internal control procedures are not universally applicable.
Managers should use this guide as a framework for developing their control systems, consistent with the mission of the University and their department's operations. Management's involved support is essential to the proper functioning of internal controls. No system of internal control functions properly without the knowledge and support of management at all levels.
Internal controls should be viewed as a continuous series of decisions affected by changing circumstances that require periodic review and modification, rather than as a static system. When managers evaluate internal controls, they must first determine whether controls are functioning as designed and whether existing controls are applicable within the current operating environment. Based on the results of the review, managers determine what changes are necessary. When evaluating, consider internal and external changes, personnel turnover, new programs, administrative activities, and priorities. Managers need to assess internal controls annually.
- What are Internal Controls?
The Committee of Sponsoring Organizations of the Treadway Commission developed the most commonly used internal control framework in the United States. The commission defines internal control as follows:
"Internal control is a process effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- effectiveness and efficiency of operations,
- reliability of financial reporting, and
- compliance with applicable laws and regulations."
A less technical definition might state that internal controls are tools that help managers be effective and efficient while avoiding serious problems such as overspending, operational failures, and violations of law.
Internal control has been further defined as consisting of two main types of control activities. Controls can either be preventive, for example, requiring supervisory sign-off on payroll time reports, or detective, for example, reviewing Gross Payroll Registers to ensure that all payments are appropriate. However, the existence of detective controls can also serve to prevent irregularities. An individual tempted to use department payroll funds inappropriately may be deterred by the knowledge that Gross Payroll Registers are regularly reconciled.
- Limitations of Internal Control
Internal controls, no matter how well designed and operated, can provide only reasonable assurance to management regarding the achievement of an entity's objectives, the reliability of reports, and compliance with laws and regulations. Certain limitations are inherent in all internal control systems.
Costs may prevent management from implementing a risk-free control environment. Management will, correctly, choose to take certain risks because the cost of preventing such risks cannot be justified. A second limitation to internal controls is human failure such as poor judgment, error, or mistake. For example, management may fail to anticipate certain risks, and thus fail to design and implement appropriate controls. A third limitation to internal controls is that control procedures may be circumvented by collusion of two or more people. Finally, policy exceptions made by management can pose a significant risk if not effectively limited.
Despite these limitations, the reasonable assurance that internal control does provide helps enable the University to focus on reaching its objectives while minimizing irregularities. Effective internal controls promote efficiency, reduce the risk of asset loss, and help ensure the reliability of financial statements and compliance with laws and regulations.
- Department Responsibility
Once managers identify and assess risks, they need to evaluate and develop control activities to minimize these risks. By control activities, we mean the structure, policies, and procedures that an organization establishes so that identified risks do not prevent the department from reaching its objectives. Approvals, authorizations, verifications, reconciliations, and reviews of operating performance do not, of course, exist only for internal control purposes. These activities are basic management practices. Department managers should use a wide range of control activities in developing their own specific policies and procedures. Presented below are six control activities managers commonly use to safeguard a department's assets, assure the accuracy of its information, promote effectiveness and efficiency, and comply with regulations.
- Segregate Job Duties
The principle of segregation of duties is especially important because it ensures separation of different functions and defines authority and responsibility over transactions. The fundamental premise of segregated duties is that an individual should not be in a position to initiate, approve, and review the same action. These are called incompatible duties when performed by the same individual. If control activities are properly planned, implemented, and adhered to, departments can safeguard assets against a single individual's "irregularity".
Maintaining segregation of duties is especially challenging for units with small numbers of employees. Managers of such departments must consider this principle when designing and defining job duties and they must implement control procedures to assure segregation of duties exists.
- Authorize Transactions
To maintain control over business activity, persons acting within the scope of their responsibility must review and approve most financial transactions to ensure appropriateness and compliance with University policies. Several Standard Practice Guide sections state that authorization authority should be granted to individuals of higher administrative authority who know enough about the transaction to ensure its accuracy and consistency with University policy. Higher administrative authority is defined as the person to whom an employee reports, either functionally or administratively; a person at a higher level of administrative authority in the reporting chain; or a person who has been designated by the Unit Director or Department Head as authorized to approve certain transactions. Under no circumstances may individuals approve transaction requests they prepared or those prepared by persons to whom they report functionally or administratively.
- Control Access to Resources
Internal control systems should involve procedures to restrict access to and enhance control over resources. Resources include money, equipment, supplies, inventory, and the records that account for these assets. Maintaining accountability for the use and custody of resources involves assigning responsibilities to specific individuals. Department managers must periodically compare the physical resources and the accounting records to reduce the risk of unauthorized use or loss of resources from wasteful and wrongful acts.
Departments should control access and maintain a secure computer environment for financial and other sensitive University records. See the Computer Security Guide available on this Web site for more information on this subject.
- Supervision
Provide qualified and continuous supervision to all staff to ensure that internal control objectives are achieved. Supervisors should assign tasks and establish written procedures for completing assignments, systematically review each staff member's work, approve work at critical points to ensure quality and accuracy, and provide documentation of supervision and review such as initialing examined work. Adequate and timely supervision is especially important in small departments, where limited personnel may inhibit a thorough segregation of duties.
Department managers are obligated to ensure that staff is trained in appropriate use of the M-Pathways enterprise-wide systems. System training classes and access requirements are available at the following Michigan Administrative Information Services Web Site: http://www.mais.umich.edu/access/train-access.html. Departments should provide appropriate management training by enrolling managers in the Fundamentals of Supervision Program offered by the Human Resources Department. Details of that program and other class offerings are available at the following Web Site: http://www.umich.edu/~hrd/. Unfamiliarity with University policies and procedures can result in employees either acting without authority, or not knowing what is expected of them.
- Recording, Verifying & Analyzing Financial Information
Department managers are responsible for ensuring that transactions are recorded accurately, in a timely manner, and within financial system guidelines and applicable external agency rules such as those used by federal agencies funding University programs. Accurate recording includes adequate descriptions of transactions and the correct use of M-Pathways chartfield strings. Accountability and procedures must be assigned in each department to ensure that inaccuracies or incomplete financial information identified during the reconciliation and verification process are investigated and corrected in a timely manner. Materiality, compliance risk, transaction volume, knowledge and experience of personnel performing analyses, and other factors should be considered in the design and implementation of procedures for verifying financial information.
Department managers should examine a sample of individual financial transactions, review University budget reports, and analyze results of operations to validate their expectations and trust in department business processes and staff. Analytical techniques should include the use of key data reports for financial business processes available at the following Michigan Administrative Information Services Web Site: http://www.mais.umich.edu/reporting/. These reports provide transaction analysis, comparisons between budget and actual expenditures and revenues, and comparisons between financial data from year to year, and are essential in discovering financial trends that may be used for decision-making and for detecting errors and irregularities. A complete listing of all predefined data reports is available at the following Michigan Administrative Information Services Web Site: http://www.mais.umich.edu/reporting/roadmapdb.html.
- Document Internal Controls
Departments should prepare a written internal control plan. An internal control plan is a description of how a department expects to meet its various goals and objectives by using policies and procedures to minimize risks. Documenting policies and procedures will clearly communicate specific responsibilities to individual staff, facilitate training new staff, and enable departments to review and monitor their internal control system. Internal control plans can take many different forms. In general, however, the internal control plan would
- discuss the goals and objectives of the department,
- describe the risks to meeting goals and objectives,
- explain how department structure, policies, and procedures act to control the risk, and
- briefly state the ethical values expected of all staff, and especially, the ethical values top management expects of itself.
In a small department, the plan might include all the department's policies and procedures. In a large department, the plan might incorporate the various policy and procedure documents by reference. As previously mentioned in Section I, department policies and procedures need to be reviewed and updated annually. The department internal control plan should include a completed Self Assessment Questionnaire developed by our office to identify and correct common internal control weaknesses. A link to that questionnaire can be found on the home page of this web site.
Department managers have an obligation to administer and safeguard the resources that are entrusted to their care. They are accountable to deans and directors; to the state legislature, if they receive general funds, and the taxpayers who provide the resources that the state uses; and to program constituents, executive officers, and the Board of Regents. An internal control plan helps managers meet this vital responsibility.
- What is University Audits' Responsibility?
University Audits is a resource available to departments for guidance on designing and implementing internal controls. University Audits also provides an independent evaluation of the adequacy of internal controls and reports the results to University administration and the Board of Regents. Auditors look at how departmental internal controls work together to make up the internal control structure. The auditor gathers information about the mission and processes of the unit, discusses the major objectives with the department manager, and identifies control points within each process where an error, irregularity, or inefficiency is likely to occur.
The auditor documents existing controls at each significant control point, evaluates the adequacy of the controls to ensure achievement of the objective, and then tests the controls to verify they are working as described. Further discussions with the manager focus on control risks, manager insights, and potential control enhancements.
Departments must submit a written response to the audit report within thirty days of the report's issue date. The response must address any internal control weaknesses identified in the report and include a timetable for completing corrective actions. After reviewing the written response, the auditor verifies that all corrective actions were implemented.