Internal Audit

  • Introductionplus or minus

    Internal controls are an integral part of the University of Scranton's financial and business policies and procedures.

    Internal controls consist of all the measures taken by the University to (1) protect its resources against waste, fraud, and inefficiency, (2) ensure accurate and reliable accounting and operating data, (3) ensure compliance with University policies and government laws and regulations, and (4) evaluate the level of performance in University units/departments.

    Internal controls are simply good business practices.

    Internal controls can be detective, corrective, or preventive by nature. 1. Detective controls are designed to detect errors or irregularities that may have occurred. 2. Corrective controls are designed to correct errors or irregularities that have been detected. 3. Preventive controls, on the other hand, are designed to keep errors or irregularities from occurring in the first place.

  • Responsibilityplus or minus

    Everyone within the University has some role in internal controls. The roles vary depending upon the level and type of responsibility of each individual.

    The University's Board of Trustees, President, Provost and Vice Presidents establish the presence of integrity, ethics, competence and positive control environment. This presence is grounded within the University's 2010-2015 Strategic Plan that, in part, states:

    "We [the University] will achieve our strategic aspirations and maintain essential operations through integrated financial planning, efficient and sustainable use of resources, and opportunistic approaches to generating new revenue that are consistent with our mission."

    Directors and department heads have oversight responsibility for internal controls within their units. Managers and supervisory personnel are responsible for executing control policies and procedures at the detail level within each specific unit. Each individual within a unit is to be cognizant of proper internal control procedures associated with their specific job responsibilities.

    The Office of Internal Audit's role is to examine the adequacy and effectiveness of the University internal controls and make recommendations where control improvements are needed. The Office of Internal Audit may also be consulted regarding the establishment of adequate internal controls.

    Since the Internal Auditor is to remain independent and objective, the Office of Internal Audit does not have the primary responsibility for establishing or maintaining internal controls. However, the effectiveness of the internal controls are enhanced through the reviews performed and recommendations made by the Internal Auditor.

  • Elements of Internal Controlplus or minus

    Internal control systems operate at different levels of effectiveness.

    Determining whether a particular internal control system is effective is a judgment resulting from an assessment of whether the five components - Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring - are present and functioning. Effective controls provide reasonable assurance regarding the accomplishment of established objectives.

    Control Environment

    The importance of establishing and maintaining a good control environment is reflected by the actions of the University's Board of Trustees, President, Provost and Vice Presidents. This increases the control awareness of all University employees.

    Directors and department heads establish a local control environment. This is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include:

    • Integrity and ethical values;
    • Commitment to competence;
    • Leadership philosophy and operating style;
    • The way management delegates authority, assigns responsibility, and organizes and develops its people;
    • Policies and procedures.

    Risk Assessment

    The University faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of goals and objectives that are linked at different levels and internally consistent.

    As part of the University's 2000-2005 Strategic Plan, goals and objectives were established that were linked to 10 strategic planning themes. Risk assessment is the identification and analysis of relevant risks taken to achieve these objectives, forming a basis for determining how the risks should be managed.

    Objectives must be established before administrators can identify and take necessary steps to manage risks.

    Operating objectives relate to effectiveness and efficiency of the operations, including performance and financial goals and safeguarding resources against loss. Financial reporting objectives pertain to the preparation of reliable published financial statements, including prevention of fraudulent financial reporting. Compliance objectives pertain to adherence to University policy and to laws and regulations which establish minimum standards of behavior.

    Identifying and analyzing risk is an ongoing process. Economic, regulatory, competitive, technological, and operating conditions will continue to change. Mechanisms are needed to identify and deal with the special risks associated with change.

    The Office of Internal Audit conducts a periodic University-wide risk assessment survey of diverse University administrators. The survey asks the participants to assign a risk score to each of over 100 auditable areas at the University based on prescribed risk factors. The survey report ranks each auditable area by its average risk score. The areas receiving higher relative risk scores are given priority in preparing the annual audit plan.

    Control Activities

    Control activities occur throughout the University - at all levels and in all functions. They include approvals, verifications, reconciliations, reviews of operating performance, appropriate restrictions on access to information systems and physical assets, segregation of duties, and independent monitoring procedures.

    More information about individual control activities are found under the heading Components of Internal Control Activity.

    In many cases control activities involve a policy establishing what should be done and procedures to effectuate the policy. All policies must be applied consistently. Exceptions must be identified and the reasons determined. Exceptions due to errors or improper application of a University policy must be corrected. Exceptions that occur for valid reasons must be approved at the proper level.

    Information and Communication

    All personnel must receive a clear message from top management that control responsibilities are to be taken seriously. Employees must understand their own role in the internal control system, as well as how their individual activities relate to the work of others. They must have a means of communicating significant information upstream.

    Monitoring

    The University monitors its internal control systems - a process that assesses the quality of the system's performance over time.

    Ongoing monitoring occurs in the ordinary course of operations. This includes regular management and supervisory activities and other actions personnel take in performing their duties that assess the quality of internal control system performance.

    The University's Internal Auditor monitors and evaluates the operations of internal control systems of a particular area or process as part of each internal audit. In addition to and distinct from monitoring internal control systems, the Internal Auditor performs regular periodic monitoring of transactions in certain financially material areas considered to be inherently high risk and/or where less than ideal controls exist, usually due to staffing limitations or to achieve higher efficiency.

    The University recognizes that internal control systems change over time. The way controls are applied may evolve. Effective procedures can become less effective due to the arrival of new personnel, varying effectiveness of training and supervision, time and resources constraints, or additional pressures.

    Furthermore, circumstances for which the internal control system was originally designed also may change. The University must continue to determine whether the internal control system remains relevant and able to address new risks.

  • Components of the Internal Control Activityplus or minus

    Internal controls seek to establish and maintain checks and balances within and between all areas of University operations. Specific components of control activity follow:

    Personnel need to be competent and trustworthy, with clearly defined lines of authority and responsibility documented in written job descriptions and procedures manuals. The University's Organizational Chart provides a visual presentation of lines of authority and periodic updates of job descriptions ensure that employees are aware of the duties they are expected to perform.

    Authorization Procedures need to ensure that transactions are carried out in accordance with management's authorization and in compliance with University policy. Proper authorization of transactions should be verified by a review of supporting documentation or ensured by setting up Banner access restrictions.

    Segregation of Duties reduce the likelihood of errors and irregularities.

    Generally, an individual should not have responsibility for more than one of three transaction components: authorization, custody of assets and record keeping.

    An example of a lack of segregation of duties is when a single employee has the responsibility for both physical custody and recordkeeping of an inventory of books, or responsibility for both approving an account write off and recordkeeping of receivables.

    In some cases less than ideal segregation of duties may be allowed to exist when either (1) there is effective monitoring procedures in place (such as a periodic independent review of a sample of transactions) or (2) the cost of setting up ideal controls exceed the expected benefit.

    When the work of one employee is checked by another employee there is appropriate segregation of duties. This does not mean every transaction is checked. An independent review of a sample of bank reconciliations for unusual items or an independent follow up of items appearing on an exception report are examples of one employee checking the work of another.

    Effective segregation of duties helps detect errors in a timely manner, deter improper activity, improve operational efficiency, and enhance communication between units.

    Physical Restrictions and Information Security Systems are important protective measures for safeguarding University assets, processes and data. University information security systems include establishing and maintaining appropriate program access restrictions.

    For example, an employee's access to Banner forms should be directly linked to his or her current job responsibilities. All program access for terminated employees should be canceled immediately.

    Documentation and Record Retention policies and procedures will provide reasonable assurance that all University information and transactions of value are accurately recorded and retained in a secure manner for an established period of time.

    Where applicable, record retention periods required by external regulatory entities must be complied with.

    Monitoring Operations is essential to verify that controls are operating properly. Reconciliations, exception reports, and internal audit reviews are some examples of monitoring operations.

  • Internal Control Limitationsplus or minus

    There are inherent limitations in all control systems.

    As discussed earlier, where less than ideal segregation of duties exist due to a limited staff size, compensating controls must be established. This is often done through some sort of monitoring activity. Even where effective segregation of duties exists collusion may sometimes circumvent this control. Additionally, high level personnel may be able to override controls.

    Employee error, misunderstanding, fatigue and stress may also limit the effectiveness of an internal control system. Encouraging employees to take earned vacation may help employees to overcome or avoid stress and fatigue, while at the same time improve operations through cross-training.

    As mentioned earlier, the cost of a control must not exceed its expected benefit. Sometimes a realignment of duty assignments may be all that is necessary to achieve adequate controls. Automating and/or streamlining processes may improve efficiency, as well as reduce errors.

  • Questionsplus or minus

    This information about internal controls is intended to give employees some background. Please address any questions you may have about the internal controls to the University's Internal Auditor.

    The Internal Auditor welcomes your comments and suggestions for continuously improving the University's internal controls.