Standards

OVERVIEW OF INTERnal Controls

This portion of the book is focused on standards related to establishing and maintaining internal controls at Indiana University.

IU Indianapolis students pausing for a selfie in North Hall.
IU Indianapolis students pausing for a selfie in North Hall.

Internal control is a process, effected by an entity’s management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, financial reporting, and compliance. In order for IU to maintain strong internal controls, each employee plays a vital role.

Financial responsibilities are distributed throughout the university’s environment. Each university employee with an oversight role for the use of university funds and for financial transactions, operations, and/or budgets is accountable for upholding control principles and is responsible for ensuring that internal controls are established, documented, and functioning to achieve IU’s and the unit’s mission and objectives.

Internal Controls

Prerequisites

Prior to reading the standard on Internal Controls, it is beneficial to review the below items to gain foundational information:

A sculpture stands outside of the Kelley Student Center at Indiana University Kokomo.
A sculpture stands outside of the Kelley Student Center at Indiana University Kokomo.
  1. FIN-ACC-470: Internal Controls
  2. Financial Process Narrative Standard
  3. Accounting Fundamentals Standards
  4. Financial Statements Standards

 

 

 

Preface

This standard discusses what internal controls are and how they are used internally within Indiana University. Information presented below outlines a general understanding of internal controls and requirements specifically related to internal controls.

Introduction

What are Internal Controls?

As defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), “an internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

Internal Control Objectives

  • Operational Objectives – pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
  • Reporting Objectives – pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies.
  • Compliance Objectives – pertain to adherence to laws and regulations to which the entity is subject.

Illustration of the internal controls objectives.

Importance and Impact of Internal Controls

Establishing and using the proper internal controls is vital for universities of any size and can help set the ethical tone in an organization. While internal controls cannot always prevent fraud, particularly if the fraud is being carried out by upper management, in normal circumstances they can help detect and deter fraudulent activity. An organization that does not properly establish internal controls is far more likely to experience issues such as fines, penalties, and/or loss assets and reputation.

Internal controls can also ensure that financial statements are prepared both timely and accurately, while also addressing any assertions made in the completed financial statements. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the university’s financial statements will not be prevented, or detected and corrected, on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. Material weakness or significant deficiency identified during the external financial statement audit has implications to the audit opinion. The opinion is published as part of the annual financial report, which is reviewed by government agencies, bond rating agencies, accrediting agencies, suppliers, creditors, and other interested parties external to the university such as donors.

Internal Controls – Discussed in Detail

Types of Internal Controls

  • Preventive Controls – are generally more efficient and designed to discourage errors or irregularities.
  • Detective Controls – are designed to identify errors or irregularities after they have occurred.
  • Corrective Controls – are implemented after the internal detective controls discover a problem.

Image of the three types of internal controls and a list of examples of each type of internal control. The examples of preventative controls include approvals prior to purchases, access controls, segregation of dudties, and firewalls and system backup features. Examples of detective controls include reconciliaitons and physical inventory, data and variance analysis, and internal audit function and reports. Examples of corrective controls include system restoration such as backup and recovery, control changes or additions, and training and staff awareness.

Components of Internal Control

The system of internal controls must be designed, implemented, and functioning to support the following components:

  • Control Environment – the set of standards, processes, and structures that provide the basis for carrying out internal control across the university.
  • Risk Assessment – the process to identify, analyze, and assess risks to the achievement of objectives.
  • Control Activities – the actions established through policies and procedures to mitigate risks to the achievement of institutional objectives.
  • Information and Communication – the use of relevant information to disseminate clear messages. Sound internal controls establish expectations and procedures to support the reliability and integrity of financial information and reporting.
  • Monitoring Activities – the use of evaluations to ascertain whether internal controls are present and functioning.

Image of the components of internal control to illustrate this is a continuous process.

Image of the components of internal control, a general description of each component, and examples of how each system is implemented at Indiana University.

Requirements

  1. All Constituent Reporting Units (CRUs) must annually attest to their financial activity, internal control structure, and overall adherence to IU accounting standards through the university’s financial sub-certification process.
  2. Financial process narratives should be updated on an annual basis in preparation for the audit cycle and related internal controls evaluation.
  3. Departments are required to follow all internal control standards posted by the Office of the University Controller.

Financial Process Narrative

Prerequisites

Prior to reading the Financial Process Narrative standard, it is beneficial to review the below items to gain foundational information:

  1. Internal Controls Standard
  2. FIN-ACC-470: Internal Controls

Preface

This standard defines what a financial process narrative is and how they are used by both internal Indiana University constituents and external parties affiliated with Indiana University. Information presented below outlines a general understanding of financial process narratives and requirements for when financial process narratives are needed.

Introduction

Per IU Policy FIN-ACC-470: Internal Controls, “All units are responsible for ensuring internal controls exist for all critical operations or activities. Financial controls must adhere to the internal control procedures outlined in the IU accounting standards, including required documentation for existing and new financial activities.”

Those charged with campus and unit-level fiscal oversight are responsible for the following:

Members of the public tour the Stone Family Center for Health Sciences in downtown Evansville.
Members of the public tour the Stone Family Center for Health Sciences in downtown Evansville.
  • Ensuring a structure of internal controls is established, documented, and functioning to achieve university and unit-level mission(s) and objectives.
  • Implementing a structure of internal controls and proper segregation of duties to avoid mismanagement, fraud, theft, or personal use of system resources/assets.
  • Ensuring staff are appropriately credentialed for their financial roles.
  • Ensuring staff are well-versed in university financial policies and IU accounting standards.
  • Adhering to and implementing procedures set forth in the IU accounting standards.

All documented financial internal control procedures are subject to review upon request by the Office of the University Controller, Internal Audit, and any external auditors/agencies.

All employees are responsible for safeguarding university financial resources and assets to ensure they are used only for authorized purposes. All employees are also responsible for reporting fraudulent activities or misconduct according to IU Policy FIN-ACC-35: Fraud and IU Policy FIN-ACC-30: Fiscal Misconduct.

Importance and Impact of Financial Process Narrative

Financial process narratives are an essential part of the internal controls review process. They help to identify potential control weaknesses and gaps, clarify responsibilities, and document expectations. Compiling a financial process narrative can also help improve efficiency and productivity by outlining the process in detail.

Financial Process Narrative Discussed in Detail

Process narratives are required if certain conditions are met for financial activity. Please see the requirements and best practices portion of this standard for guidance.

Overview of Financial Process Narrative Process

  • A department believes one of the below requirements warrants a process narrative.
  • The department will reach out to their assigned Campus Controller or UA Controller to determine if a process narrative is required.
  • If requirements are met, the department will draft a process narrative using the Financial Process Narrative Outline and the Financial Process Narrative Template and send to their assigned Campus Controller or UA Controller for review and comments.
  • Once the draft process narrative is considered complete, the department will send the process narrative to the Internal Controls Manager for review and comments.
  • Process narratives are required to be reviewed and updated by the department and assigned Campus Controller or UA Controller on an annual basis for audit purposes or as changes to processes occur.

Image of the financial process narrative flow chart

 

Requirements and Best Practices

Requirements

  1. Departments must complete a financial process narrative and submit to UCO for the following:
    • Significant Routine Financial Processes
      • Routine ongoing processes with over $10 million in annual operational activity or routine individual transactions at or exceeding $5 million.
      • Non-Routine  transactions, individual contracts over $10 million, and non-routine individual transactions at or exceeding $5 million must complete a material transactions coversheet for review. Campus Controllers will work with UCO to determine if a process narrative is necessary.
    • Payment or billing processes that deviates from enterprise-wide processes.
      • All payments should be processed through BUY.IU and all billings should be processed through the KFS AR module.
      • Any deviations require prior UCO approval and a process narrative.
    • Significant Financial Subsidiary Systems
      • In advance of technical development or software acquisition, any non-enterprise-wide system that is expected to feed into the general ledger or serves as source documentation for transactions requires a process narrative and prior approval by UCO.
      • Examples include, but are not limited to, the following:
        • API Feeds
        • System Integrations
        • Significant enterprise-level workflow, system access management, and/or functional changes
        • Subsidiary systems that serve as source documentation for GL transactions
      • For additional information on API’s and Integrations, please see API’s and Integrations. To request a new API or Integration, please utilize the API and Integration Request Form.
    • Significant Automated Processes Affecting Financial Compliance or Controls
      • Any significant automated process which may affect financial compliance or controls should be documented in a process narrative.
      • Examples include:
        • Robotic Process Automation (commonly referred to as software robots or bots) within subsidiary systems.
        • Data collection and management tools which may house documentation supporting general ledger activity, tax compliance, and/or other financial compliance.
    • Tangible Cash and Payment Card Handling Processes
      • Any process involving tangible cash or cash equivalents requires a financial process narrative.
      • Examples include, but are not limited to, the following:
        • Cash Tender/Petty Cash
        • Gift Cards
        • Research Participant/Human Subject Payments
        • Custodial Funds
        • Purchasing Card (P-Card), Meeting Card (MC), and Ghost Card (GC)

2. Departments are required to review and update financial process narratives on an annual basis for audit purposes, as changes to processes occur, and prior to the annual sub-certification process.

Best Practices

  1. Departments should document and retain any financial processes over $1 million and review with their respective Campus Controller.
  2. As a general control, departments should maintain instructional documentation for all fiscal processes.
definition

License

Internal Controls and Roles and Responsibilities Copyright © by The Trustees of Indiana University. All Rights Reserved.