Standards
OVERVIEW OF INTERnal Controls
This portion of the book is focused on standards related to establishing and maintaining internal controls at Indiana University.
Internal control is a process, effected by an entity’s management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, financial reporting, and compliance. In order for IU to maintain strong internal controls, each employee plays a vital role.
Financial responsibilities are distributed throughout the university’s environment. Each university employee with an oversight role for the use of university funds and for financial transactions, operations, and/or budgets is accountable for upholding control principles and is responsible for ensuring that internal controls are established, documented, and functioning to achieve IU’s and the unit’s mission and objectives.
UCO-IRR-1.00: Internal Controls
Prerequisites
Prior to reading the standard on Internal Controls, it is beneficial to review the below items to gain foundational information:
- FIN-ACC-470 Internal Controls
- UCO-IRR-1.01 Financial Process Narrative Standard
- Accounting Fundamentals Standards
- Financial Statements Standards
Preface
This standard discusses what internal controls are and how they are used internally within Indiana University. Information presented below outlines a general understanding of internal controls and requirements specifically related to internal controls.
Introduction
What are Internal Controls?
As defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), “an internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
Internal Control Objectives
- Operational Objectives – pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
- Reporting Objectives – pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies.
- Compliance Objectives – pertain to adherence to laws and regulations to which the entity is subject.
Importance and Impact of Internal Controls
Establishing and using the proper internal controls is vital for universities of any size and can help set the ethical tone in an organization. While internal controls cannot always prevent fraud, particularly if the fraud is being carried out by upper management, in normal circumstances they can help detect and deter fraudulent activity. An organization that does not properly establish internal controls is far more likely to experience issues such as fines, penalties, and/or loss assets and reputation.
Internal controls can also ensure that financial statements are prepared both timely and accurately, while also addressing any assertions made in the completed financial statements. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the university’s financial statements will not be prevented, or detected and corrected, on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. Material weakness or significant deficiency identified during the external financial statement audit has implications to the audit opinion. The opinion is published as part of the annual financial report, which is reviewed by government agencies, bond rating agencies, accrediting agencies, suppliers, creditors, and other interested parties external to the university such as donors.
Internal Controls – Discussed in Detail
Types of Internal Controls
- Preventive Controls – are generally more efficient and designed to discourage errors or irregularities.
- Detective Controls – are designed to identify errors or irregularities after they have occurred.
- Corrective Controls – are implemented after the internal detective controls discover a problem.
Components of Internal Control
The system of internal controls must be designed, implemented, and functioning to support the following components:
- Control Environment – the set of standards, processes, and structures that provide the basis for carrying out internal control across the university.
- Risk Assessment – the process to identify, analyze, and assess risks to the achievement of objectives.
- Control Activities – the actions established through policies and procedures to mitigate risks to the achievement of institutional objectives.
- Information and Communication – the use of relevant information to disseminate clear messages. Sound internal controls establish expectations and procedures to support the reliability and integrity of financial information and reporting.
- Monitoring Activities – the use of evaluations to ascertain whether internal controls are present and functioning.
Requirements
- All Constituent Reporting Units (CRUs) must annually attest to their financial activity, internal control structure, and overall adherence to IU accounting standards through the university’s financial sub-certification process.
- Financial process narratives should be updated on an annual basis in preparation for the audit cycle and related internal controls evaluation.
- Departments are required to follow all internal control standards posted by the Office of the University Controller.
UCO-IRR-1.01: Financial Process Narrative
Prerequisites
Prior to reading the Financial Process Narrative standard, it is beneficial to review the below items to gain foundational information:
Preface
This standard defines what a financial process narrative is and how they are used by both internal Indiana University constituents and external parties affiliated with Indiana University. Information presented below outlines a general understanding of financial process narratives and requirements for when financial process narratives are needed.
Introduction
Per IU Policy FIN-ACC-470 Internal Controls, “All units are responsible for ensuring internal controls exist for all critical operations or activities. Financial controls must adhere to the internal control procedures outlined in the IU accounting standards, including required documentation for existing and new financial activities.”
Those charged with campus and unit-level fiscal oversight are responsible for the following:
- Ensuring a structure of internal controls is established, documented, and functioning to achieve university and unit-level mission(s) and objectives.
- Implementing a structure of internal controls and proper segregation of duties to avoid mismanagement, fraud, theft, or personal use of system resources/assets.
- Ensuring staff are appropriately credentialed for their financial roles.
- Ensuring staff are well-versed in university financial policies and IU accounting standards.
- Adhering to and implementing procedures set forth in the IU accounting standards.
All documented financial internal control procedures are subject to review upon request by the Office of the University Controller, Internal Audit, and any external auditors/agencies.
All employees are responsible for safeguarding university financial resources and assets to ensure they are used only for authorized purposes. All employees are also responsible for reporting fraudulent activities or misconduct according to IU Policy FIN-ACC-35 Fraud and IU Policy FIN-ACC-30 Fiscal Misconduct.
Importance and Impact of Financial Process Narrative
Financial process narratives are an essential part of the internal controls review process. They help to identify potential control weaknesses and gaps, clarify responsibilities, and document expectations. Compiling a financial process narrative can also help improve efficiency and productivity by outlining the process in detail.
Financial Process Narrative Discussed in Detail
Process narratives are required if certain conditions are met for financial activity. Please see the requirements and best practices portion of this standard for guidance.
Overview of Financial Process Narrative Process
- A department believes one of the below requirements warrants a process narrative.
- The department will reach out to their assigned Campus Controller or UA Controller to determine if a process narrative is required.
- If requirements are met, the department will draft a process narrative using the Financial Process Narrative Outline and the Financial Process Narrative Template and send to their assigned Campus Controller or UA Controller for review and comments.
- Once the draft process narrative is considered complete, the department will send the process narrative to the Internal Controls Manager for review and comments.
- Process narratives are required to be reviewed and updated by the department and assigned Campus Controller or UA Controller on an annual basis for audit purposes or as changes to processes occur.
Requirements and Best Practices
Requirements
- Departments must complete a financial process narrative and submit to UCO for the following:
-
- Significant Routine Financial Processes
- Routine ongoing processes with over $10 million in annual operational activity or routine individual transactions at or exceeding $5 million.
- Non-Routine transactions, individual contracts over $10 million, and non-routine individual transactions at or exceeding $5 million must complete a material transactions coversheet for review. Campus Controllers will work with UCO to determine if a process narrative is necessary.
- Payment or billing processes that deviates from enterprise-wide processes.
- All payments should be processed through BUY.IU and all billings should be processed through the KFS AR module.
- Any deviations require prior UCO approval and a process narrative.
- Significant Financial Subsidiary Systems
- In advance of technical development or software acquisition, any non-enterprise-wide system that is expected to feed into the general ledger or serves as source documentation for transactions requires a process narrative and prior approval by UCO.
- Examples include, but are not limited to, the following:
- API Feeds
- System Integrations
- Significant enterprise-level workflow, system access management, and/or functional changes
- Subsidiary systems that serve as source documentation for GL transactions
- For additional information on API’s and Integrations, please see API’s and Integrations. To request a new API or Integration, please utilize the API and Integration Request Form.
- Significant Automated Processes Affecting Financial Compliance or Controls
- Any significant automated process which may affect financial compliance or controls should be documented in a process narrative.
- Examples include:
- Robotic Process Automation (commonly referred to as software robots or bots) within subsidiary systems.
- Data collection and management tools which may house documentation supporting general ledger activity, tax compliance, and/or other financial compliance.
- Tangible Cash and Payment Card Handling Processes
- Any process involving tangible cash or cash equivalents requires a financial process narrative.
- Examples include, but are not limited to, the following:
- Cash Tender/Petty Cash
- Gift Cards
- Research Participant/Human Subject Payments
- Custodial Funds
- Purchasing Card (P-Card), Meeting Card (MC), and Ghost Card (GC)
- Significant Routine Financial Processes
2. Departments are required to review and update financial process narratives on an annual basis for audit purposes, as changes to processes occur, and prior to the annual sub-certification process.
Best Practices
- Departments should document and retain any financial processes over $1 million and review with their respective Campus Controller.
- As a general control, departments should maintain instructional documentation for all fiscal processes.
UCO-IRR-1.02: Financial Sub-Certification
Prerequisites
Prior to reading the standard on Financial Sub-Certification, it is beneficial to review the below items to gain foundational information:
- FIN-ACC-1 Role of Fiscal Officer, Account Manager and Account Supervisor
- FIN-ACC-470 Internal Controls
- FIN-ACC-650 Financial Compliance: Authority and Accountability
- UCO-IRR-1.00 Internal Controls Standard
- Closing Standards
Preface
This standard is an overview of the Financial Sub-Certification process for Indiana University. Information presented below will provide a general understanding of the Financial Sub-Certification, reporting requirements, and best practices.
Introduction
Indiana University (IU) is committed to procedures that enhance our institution’s internal control environment. According to FIN-ACC-470: Internal Controls, “All Constituent Reporting Units (CRUs) must annually attest to their financial activity, internal control structure, and overall adherence to IU Accounting Standards through the university’s Sub-Certification process.” As part of this process, IU has developed a Financial Sub-Certification requirement for all Constituent Reporting Unit (CRU)s. The Financial Sub-Certification process serves two primary objectives:
- To provide reasonable assurance of a sufficient and effective internal control structure which can identify weaknesses in financial processes and systems, and
- To support the Vice President and Chief Financial Officer’s basis for the annual financial attestation (Management Representation Letter) by providing reasonable assurance of the underlying financial activity reported in the university’s financial statements.
Importance and Impact of Financial Sub-Certification
As outlined in FIN-ACC-650 Financial Compliance: Authority and Accountability, the Indiana University Finance Office, “formally delegates to the Office of the University Controller (UCO) oversight authority for the university’s external financial audits, fiscal internal controls, and related compliance. This delegation encompasses financial policy, standards, transactions, systems, and reporting, as it relates to external financial compliance for the university as a whole. UCO oversees the Fiscal Governance, Compliance, and Accountability Standards within the IU Accounting Standards which further delegates institutional responsibilities by the Indiana University Finance Office for university financial compliance. The IU Accounting Standards serve as the authoritative and comprehensive guide on accounting, financial reporting, fiscal compliance, and controls at Indiana University.”
Indiana University’s Vice President and Chief Financial Officer is required, in connection with the annual financial audit, to attest via the external audit Management Representation Letter that the university’s financial statements present fairly, in all material respects, the financial position of the university. The Vice President and Chief Financial Officer is further required to attest responsibility for adoption of sound accounting policies, establishing and maintaining effective internal controls over financial reporting, and preventing and detecting fraud.
Financial Sub-Certification is a means to focus on accountability and compliance with internal control responsibilities across the institution. This is especially important in a decentralized operational and financial decision-making organizational structure.
Financial Sub-Certification Overview
What is a Financial Sub-Certification
The Financial Sub-Certification is a rating of the effectiveness of the Constituent Reporting Unit’s (CRU) internal controls. The individual completing the Financial Sub-Certification will use the following rating scale to assess each financial area listed.
For each area assessed as “yellow” or “red,” the individual completing the Financial Sub-Certification will be asked to identify the gaps or weaknesses and briefly articulate the steps that will be taken to resolve the identified gaps or weaknesses. If substantial explanation is required, please attach a further explanation and an action plan to the Financial Sub-Certification. If a section does not apply, please indicate N/A.
Who Should Complete a Financial Sub-Certification
The Office of the University Controller (UCO) only requires Financial Sub-Certification of the Constituent Reporting Units (CRUs). As a best practice, CRUs may require the Financial Sub-Certification of smaller units for internal assurance purposes.
Once the document is completed, it must be signed by the CRU’s:
- Unit Leader (Dean, VP, etc.)
- CRU Fiscal Officer and
- Campus Vice-Chancellor for Finance (or equivalent)
In the event that a responsible party has not been in their current position for the duration of the reporting period, the signature can be deferred to Campus Vice-Chancellor for Finance or equivalent.
When Should a Financial Sub-Certification Be Completed
A Financial Sub-Certification should not be finalized until ALL closing activities are complete.
Final Steps of the Financial Sub-Certification Process
Once the Financial Sub-Certification process is completed, the CRU should forward the signed completed Financial Sub-Certification to their Campus Controller by the specified time on the closing calendar. For UA units, please send directly to the Accounting & Reporting Services team at uars@iu.edu. Additional reviews will be completed by UARS and the UCO Internal Controls Manager.
Requirements and Best Practices
This section outlines general requirements and best practices related to Financial Sub-Certification.
Requirements
- As outlined in FIN-ACC-470 Internal Controls, “All Constituent Reporting Units (CRUs) must annually attest to their financial activity, internal control structure, and overall adherence to IU Accounting Standards through the university’s Sub-Certification process.
Best Practices
- An optional version of the Financial Sub-Certification form, the Unit Level Sub-Certification Form, can be used for non-reporting units reporting up to a CRU as an additional assurance tool. However, UCO will not be collecting this version of the form.
Transactions that happen on a recurring basis.
An isolated transaction that will not recur on a regular basis.
A defined segment (organization or grouping of organizations) within Indiana University that have revenues, expenses, or net assets over a predetermined threshold as defined by the Office of the University Controller closing procedures.