In the context of internal controls, paper or electronic documentation that supports completing the transaction lifecycle is satisfactory documentation. For these purposes, adequate documentation is anything that provides sufficient and appropriate evidence (1) of a transaction, (2) of who performed each action pertaining to a transaction, and (3) that the individuals in the process had proper authority to perform such activities. Proper documentation provides evidence of what has transpired and information for researching discrepancies.
Proper authorization is determined by a unit’s delegation plan, as required by University Policy 4.2, Transaction Authority and Payment Approval. The authority to complete the various stages of a transaction is determined by transaction type and dollar amount, as outlined in Policy 4.2.
Authorization also involves access to information technology (IT) systems or resources. The main elements of IT authorization are as follows:
The basic transaction stages include recording (initiate, submit, process), approving (pre-approval and post-entry review), custody, and reconciling. No one person should initiate, authorize, record, and reconcile a transaction.
All organizations should separate incompatible functional responsibilities. Proper segregation of duties helps ensure that errors, omissions, or misstatements, whether intentional or unintentional, will be detected by another person. Where segregation of duties is not possible or practical, deploy alternative controls.
Internal control plans are physical documentation of a unit's material business processes and financial transaction cycles. They comprise process narratives and workflow diagrams, a materiality and risk assessment, and a management response plan, all developed using a standard set of templates.
Before designing an internal control plan, you should understand the basic types of internal controls and how they are intended to function. When deciding on the types of controls to implement, consider the unit's objectives and business goals and the associated risks and materiality. All controls require the appropriate training, communication, and oversight by unit management to ensure they are being implemented appropriately and operating consistently.
Every unit throughout the university must assess how best to use its limited resources in responding to the risks identified during the development of an internal control plan.
Typically, there are four approaches that can be taken in responding to risks: