Before designing an internal control plan, you should understand the basic types of internal controls and how they are intended to function. When deciding on the types of controls to implement, consider the unit's objectives and business goals and the associated risks and materiality. All controls require the appropriate training, communication, and oversight by unit management to ensure they are being implemented appropriately and operating consistently.
Depending on the underlying processes or functions, associated risks, and desired control objectives, control activities may be designed to operate at varying frequencies: recurring, daily, weekly, monthly, quarterly, annually, or as-needed (ad hoc). You may need more frequent controls for higher risk processes or functions.
Depending on when they are intended to function, there are two basic types of internal control activities: preventative and detective. An optimal system of internal controls will have both.
Preventative controls protect the university by helping to identify and address problems before they happen.
Detective controls are designed to find errors or fraud in transactions after they have occurred, as well as identify missing assets or invalid transactions. Properly designed and operating detective controls will also help determine if preventative controls are functioning properly.
An important detective control is reconciliation, which compares two sets of data to one another, and identifies/investigates differences.
Other detective control examples include:
When controls find errors or improper activities, unit management must take sufficient remedial actions, including root-cause analysis and error correction, and implement necessary corrective measures to prevent such issues from recurring.
You should also consider including these important characteristics of internal controls when designing controls to implement in unit-level internal control plans:
Depending on the control objective, available data and resources (e.g., software), and other factors, controls may be manual or automated.
Compared to manual controls, automated controls are generally more consistent and efficient and may be built into software used for business processes; however, automated controls are dependent upon design/programming and limited to discrete control objectives. Manual controls allow for the use of judgment in performing control activities.
You can use a combination of manual and automated practices, as well. For instance, you can automate reconciliations with electronic transaction matching but require a manual investigation and resolution of unreconciled amounts and a manual review of the completed reconciliation following established protocols.
Controls intended to function at the transaction or process level typically involve assessing discrete functions or transactions, while controls operating at a summary level evaluate an aggregation of transactions or functions. Examples include the following:
Certain control activities take place in centralized functions (e.g., Accounting, Sponsored Financial Services), while others occur in distributed (decentralized) units (e.g., department or business service center transaction reviews and approvals). To ensure that identified risks are addressed, you must understand where a given control takes place. For example, business service centers and the units they support must maintain service-level agreements that detail key responsibilities for financial controls between the unit and the service center.
Internal controls should be documented sufficiently to demonstrate that controls are in place and functioning as intended (e.g. enable auditors to test performance of the control).
External vendors are a vital component of various business operations. Suppliers may have access to a wide range of information (including financial) from the supported unit. Once shared with a supplier using cloud-based software, data storage, or other outsourced services; direct control of this information is lost, regardless of sensitivity or value. As a result, appropriate technical and contractual considerations must be made, and mitigating control processes must be established with all external suppliers that have access to a unit’s financial information. Examples of such processes include: