What is internal control?

Internal control is a process, effected by an entity's board of directors, management and other personnel, that is designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.

Integrated components

All five of the following integrated components of internal control must be present and functioning effectively to conclude that internal control over operations is effective.

  • Control environment: "tone at the top"; factors including the integrity and ethical values of the university, competence of staff, management's philosophy and operating style, assignment of authority and responsibility, and direction provided by the Board of Regents.
  • Risk assessment: identification and analysis of risks that could impact the achievement of goals and objectives.
  • Control activities: policies and procedures to help ensure that management's directives are carried out and help ensure that necessary actions are taken to address impediments to achieving the entity's objectives.
  • Information and communication: information identified, captured and communicated in a form and timeframe to enable people to carry out their responsibilities.
  • Monitoring: the process that assesses the quality of the system's performance over time, which includes ongoing monitoring activities, separate evaluations or a combination of the two.

Key concepts

Key concepts for internal controls
  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is effected by people. It is not merely policy manuals and forms but people at every level of an organization.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to management and the Board of Regents.
  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

Who is responsible for internal controls?

In most cases, internal controls are not expected to eliminate all risks. Controls should exist to reduce risks to a justified level. Analyzing both risks and internal controls is the responsibility of management.

Internal audit's role is to assist management in their oversight and operating responsibilities through independent appraisals designed to evaluate and promote the systems of internal control.

Note: The above definitions of internal control and related concepts are taken directly from Internal Control — Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission, or COSO.

What is internal auditing?

The Institute of Internal Auditors defines internal auditing as an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by offering a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

The Department of Audit Services' scope encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of SFA's governance, risk management and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve SFA's stated goals and objectives. This includes:

Reliability and integrity of information

Internal auditors should review the reliability and integrity of financial and operating information and the means used to identify, measure, classify and report such information.

Information systems provide data for decision-making, control and compliance with external requirements. Therefore, internal auditors should examine information systems and, as appropriate, ascertain whether:

  • financial and operating records and reports contain accurate, reliable, timely, complete and useful information
  • and controls over record keeping and reporting are adequate and effective.

Compliance with policies, plans, procedures, laws and regulations

Internal auditors should review the systems established to ensure compliance with those policies, plans, procedures, laws and regulations that could have a significant impact on operations and reports, and should determine whether the organization is in compliance.

  • Management is responsible for establishing the systems designed to ensure compliance with such requirements as policies, plans, procedures and applicable laws and regulations.
  • Internal auditors are responsible for determining whether the systems are adequate and effective and whether the activities audited are complying with the appropriate requirements.

Safeguarding assets

Internal auditors should review the means of safeguarding assets and, as appropriate, verify the existence of such assets.

  • Internal auditors should review the means used to safeguard assets from various types of losses such as those resulting from theft, fire, improper or illegal activities, and exposure to elements.
  • Internal auditors, when verifying the existence of assets, should use appropriate audit procedures.

Economical and efficient use of resources

Internal auditors should appraise the economy and efficiency with which resources are employed.

Management is responsible for setting operating standards to measure an activity's economical and efficient use of resources. Internal auditors are responsible for determining whether:

  • operating standards have been established for measuring economy and efficiency
  • established operating standards are understood and are being met
  • deviations from operating standards are identified, analyzed and communicated to those responsible for corrective action
  • and corrective action has been taken.

Audits related to the economical and efficient use of resources should identify such conditions as:

  • underutilized facilities
  • nonproductive work
  • procedures that are not cost justified
  • and overstaffing or understaffing.

Accomplishment of established objectives and goals for operations or programs

Key terms:

Operations: Recurring activities of an organization directed toward producing a product or rendering a service. Such activities may include but are not limited to marketing, sales, production, purchasing, human resources, finance and accounting, and governmental assistance. An operation's results may be measured against established objectives and goals, which may include budgets, time or production schedules, and/or operating plans.

Programs: Special purpose activities of an organization. Such activities include but are not limited to the raising of capital, sale of a facility, fund-raising campaigns, new product or service introduction campaigns, capital expenditures, and special purpose government grants. Special purpose activities may be short-term or long-term, spanning several years. When a program is completed, it generally ceases to exist. Program results may be measured against established program objectives and goals.

Examination and evaluation:

Internal auditors should review operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.

Management is responsible for:

  • establishing operating or program objectives and goals
  • developing and implementing control procedures
  • establishing criteria to determine if objectives and goals have been accomplished
  • and accomplishing desired operating or program results.

Internal auditors should ascertain whether:

  • such objectives and goals conform with those of the organization
  • criteria have been established
  • criteria are considered adequate
  • and objectives and goals are being met.

If management has not established criteria, or if the established criteria, in the internal auditors' opinion, are less than adequate, internal auditors should report such conditions to the appropriate levels of management.

Internal auditors may recommend appropriate courses of action depending on the circumstances. Internal auditors may recommend alternative sources of criteria to management, such as:

  • acceptable industry standards
  • standards developed by professions or associations
  • and standards in law and government regulations.

If adequate criteria are not established by management, internal auditors may still formulate criteria they believe to be adequate in order to perform an audit, form an opinion and issue a report on the accomplishment of established objectives and goals.

The internal auditors' evaluation of the accomplishment of established objectives and goals may be carried out with respect to an entire operation or program or only a portion of it. Audit objectives may include determining whether:

  • the objectives and goals established by management for a proposed, new or existing operation or program are adequate and have been effectively articulated and communicated
  • the operation or program achieves its desired level of interim or final results
  • the factors that inhibit satisfactory performance are identified, evaluated and controlled in an appropriate manner
  • management has considered alternatives for directing an operation or program that may yield more effective and efficient results
  • an operation or program complements, duplicates, overlaps or conflicts with other operations or programs
  • controls for measuring and reporting the accomplishment of objectives and goals are established and are adequate
  • and an operation or program complies with policies, plans, procedures, laws and regulations.

Internal auditors should communicate the audit results to the appropriate levels of management. The report should state the criteria established by management and employed by internal auditors, as well as disclose the nonexistence or inadequacy of any needed criteria. If internal auditors formulated criteria by which to measure the accomplishment of objectives and goals, the report should clearly state that internal auditors formulated the criteria and then present the audit results.

Internal auditors can assist managers who are developing objectives, goals, and systems by determining whether the underlying assumptions are appropriate; whether accurate, current and relevant information is being used; and whether suitable controls have been incorporated into the operations or programs.

The audit process

An internal auditor conducts assurance engagements using the following five-phase process:

1. Selection

Each year, an audit plan is developed based on a risk assessment process. Audits are selected based on risks; state, federal and other requirements; special requests; or changes in leadership. The audit plan is approved by the SFA Internal Audit Committee and, ultimately, the UT System Board of Regents. A copy of the most recent audit plan is located under Audit Plans and Reports.

2. Planning

Planning involves research performed to assess risks and determine existing controls in place. Most often, the audit team requests that the auditee submit an internal control questionnaire, used to determine the level of internal control in place.

In addition, auditors may conduct interviews and review other documentation to obtain a complete understanding of the audit area and finalize the scope and objectives of the engagement.

An entrance conference is held with management to discuss the scope, objectives and timing of the work to be performed.

3. Fieldwork

Fieldwork generally involves testing and evaluating the functions being audited. Auditors determine whether controls are adequate and whether operations are conducted in an efficient and effective manner. Sufficient evidence must be developed to support audit observations, and recommendations may be made for improving processes.

4. Reporting

The Department of Audit Services prepares a confidential pre-exit draft audit report to be reviewed with the relevant parties.

After an appropriate time is allowed for comments and suggestions, Audit Services prepares a confidential exit draft audit report for review with the president, vice president/executive and other pertinent parties in an exit conference.

Based on input received, a revised audit report is drafted if necessary. Appropriate time is allowed for a management response, which includes a management action plan and implementation date. The vice president/executive or appropriate party provides the response to Audit Services.

A confidential draft audit report is presented to the SFA Internal Audit Committee at the next possible committee meeting.

5. Follow-up

The progress and implementation status of agreed-upon recommendations are assessed and verified.