Philadelphia University + Thomas Jefferson University

Internal Controls

What are Internal Controls?

Internal Controls are processes, effected by the University’s Board of Trustees, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations.
  • Reliability of financial reporting.
  • Compliance with applicable laws and regulations

This may sound complex, but if the Board of Trustees, Senior Administration, or even Department Administration have reasonable assurance that:

  • they understand the extent to which the University, Division or Department’s operations objectives are being achieved;
  • published financial statements, or monthly budget variance reports contain reliable data; and
  • Applicable laws are being complied with, then
  • Internal controls are considered effective.

Is Segregation of Duties the Primary Component of Internal Control?

Internal Control can be achieved in both a small department with limited personnel, as well as larger departments with more personnel available to achieve segregation of duties. Internal Control consists of five interrelated components:

  • Control Environment - This includes factors such as integrity, ethical values and the competence of personnel. Management’s philosophy and operating style also play a factor. The attention and direction of Senior Administration or the Board significantly affects the control environment.
  • Risk Assessment - Every organization or department faces a variety of risks from external and internal sources. Management must be able to identify and manage those risks relevant to achieving the organization's objectives. Management must also be able to deal with the risks associated with changing economic, industry, regulatory, and operating conditions.
  • Control Activities - Control Activities are the policies and procedures that help ensure management directives are carried out. In addition to segregation of duties, control activities include approval processes, authorizations, verifications, reconciliations, review of operating performance, and security of assets.
  • Information and Communication - Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities. This component of internal control is critical. It not only includes information systems produced reports of operational, financial and compliance-related information, but it also includes the day-to-day communication processes among employees, supervisors and Senior Administration. It is also important that the information and communication flows up and down the organizational structure and flows across departments and divisions.
  • Monitoring – A process to assess the quality of internal control systems over time is essential. This can be accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring activities include management and supervisory activities that take place every day. Either management or Internal Audit may undertake separate evaluations.

Who is Responsible for Internal Controls?

The answer is NOT the Internal Audit Department. Yes, we play a significant monitoring roll and we can provide consultation and advice. However, ultimately, the President and Senior Officers are responsible for the internal control system. Department Heads and Senior managers are responsible for internal control policies and procedures specific to their unit or department. However, to some degree, every employee in the organization plays a part in the internal control system. All personnel are responsible for communicating upward problems in operations as well as complying with internal and external policies and regulations.

What are Some Good Internal Control Practices?

Listed below are some indicators of strong internal controls. Are these controls present in your unit or department?

  • Authority limits are clearly defined in writing and communicated throughout the department.
  • Accounts are reconciled on a timely basis. For example, monthly accounts payable reports should be reconciled to supporting documentation.
  • Equipment, supplies, inventory, cash and other assets are physically secured and periodically counted and compared to records.
  • Department policies are documented and reviewed periodically for current processes. In addition, policies are effectively communicated to all department staff.
  • Department management closely monitors department operating statistics or other benchmarks. Negative trends are identified and addressed promptly.
  • The Department Head, Administrator, or other designee reviews expense related documents, including timesheets, for completeness, accuracy and compliance with policies and procedures.
  • Performance appraisals are completed to reflect an objective assessment of each employee’s abilities and their measured achievements of goals and objectives.
  • Adequate training is provided for all employees.
  • Changes in laws and regulations are identified and communicated to appropriate employees.
  • Budget Variance reports are reviewed on a monthly basis and action is taken to address all negative variances.
  • Factors that are critical to achievement of unit-wide objectives are identified. Resources are appropriately allocated between critical success factors and objectives of lesser importance.

How Do You Evaluate Internal Controls?

There are many different tools and methodologies to evaluating internal controls. The TJU Internal Audit Department uses the following matrix to evaluate internal controls:

Risk Factors Risk

The key to evaluating internal controls is identifying all of the unit or department’s operating, financial and compliance objectives. Once the objectives are identified, you need to identify all the risk factors that exist that could prevent the objectives from being realized (i.e. what can go wrong?). Ranking the likelihood of each risk factor (high, low, or medium) will help with the cost justification of the control activities. Identifying the control activities to manage each of the risk factors is often supplemented with flowcharts and/or narratives of the departmental processes. The final control assessment (strong, adequate, or weak) is a judgment as to whether the control activities are sufficient to manage the risk factors, given the likelihood of the risk.

It should be noted that no system of internal control is expected to eliminate all risks. In addition, a strong system of internal controls does not ensure that the department’s objectives will be met. However, it can help a department get to where it wants to go, and avoid pitfalls and surprises along the way.

How Do I Get More Information about Internal Controls?

The TJU Internal Audit Department may not be responsible for internal control, but we can provide consultation and advice. Please contact us at extension 3-8853 for further information.