Materiality is assessed by determining how much of a unit’s financial information could be misstated, by error or fraud, without affecting the decisions of reasonable financial information users. Materiality is informed by management’s risk appetite and tolerance, considering quantitative as well as qualitative factors, which may include perceived reputational risk or compliance with regulations.
Risk appetite and tolerance are determined by management’s ability to tolerate deviation from acceptable outcomes relative to their objectives.
Reconciliation is the process of comparing two sources or systems (e.g., comparing the general ledger with another source, typically a subsidiary ledger, statement, or other source system). Further, reconciliation involves resolving any discrepancies that may have been discovered, including recording necessary adjustments to either source being reconciled.
Account and object code monitoring is the process of periodically assessing an account balance or object code for reasonableness and investigating underlying accounting activity for any unexpected results. The process should be used for all accounts and object codes, particularly those not reconciled on a regular basis. Monitoring is not as involved as the account reconciliation process. For more information on this activity, see Monitoring Operating Activity on the Accounting website.
In the context of internal controls, paper or electronic documentation that supports completing the transaction lifecycle is satisfactory documentation. For these purposes, adequate documentation is anything that provides sufficient and appropriate evidence of (1) a transaction, (2) who performed each action pertaining to a transaction, and (3) whether the individuals in the process had proper authority to perform such activities. Proper documentation provides evidence of what has transpired and information for researching discrepancies.
Proper authorization is determined by a unit’s delegation plan, as required by University Policy 4.2, Transaction Authority and Payment Approval. The authority to complete the various stages of a transaction is determined by transaction type and dollar amount, as outlined in Policy 4.2.
Authorization also involves access to information technology (IT) systems or resources. The main elements of IT authorization are as follows:
The basic transaction stages include recording (initiate, submit, process), approving (pre-approval and post-entry review), custody, and reconciling. No one person should initiate, authorize, record, and reconcile a transaction.
All organizations should separate incompatible functional responsibilities. Proper segregation of duties helps ensure that errors, omissions, or misstatements, whether intentional or unintentional, will be detected by another person. Where segregation of duties is not possible or practical, deploy alternative controls.
Internal control plans are physical documentation of a unit's material business processes and financial transaction cycles. They comprise process narratives and workflow diagrams, a materiality and risk assessment, and a management response plan, all developed using a standard set of templates.
Before designing an internal control plan, you should understand the basic types of internal controls and how they are intended to function. When deciding on the types of controls to implement, consider the unit's objectives and business goals and the associated risks and materiality. All controls require the appropriate training, communication, and oversight by unit management to ensure they are being implemented appropriately and operating consistently.
Every unit throughout the university must assess how best to use its limited resources when responding to the risks identified during the development of an internal control plan.
Typically, there are four approaches that can be taken in responding to risks: