What Is Internal Control?

Internal Control is a process, effected by Jefferson’s Board of Trustees, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives related to operations, reporting, and compliance.

Internal Control consists of five integrated components:

• Control Environment comprises the integrity and ethical values of Jefferson; the parameters enabling the Board to carry out its governance oversight responsibilities; the organization structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigors around performance measures, incentives, and rewards to drive accountability for performance.
• Risk Assessment is a dynamic and iterative process for identifying and assessing internal and external risks to the achievement of Jefferson’s strategic, operating, reporting, and compliance objectives.
• Control Activities are the preventative or detective measures (manual or automated) to mitigate risks. Examples include authorization and approval processes, verification, reconciliations, and business performance reviews. Segregation of duties, including system access controls, is a key consideration in the development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.
• Information and Communication are necessary to carry out internal control responsibilities. Management uses relevant and quality information from both internal and external sources to support the functioning of the other components of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information.
• Monitoring Activities is ongoing evaluations, separate evaluations, or some combination of the two, used to ascertain whether each of the five components of internal control is present and functioning. Deficiencies identified by monitoring activities are communicated to management and the Board of Trustees, as appropriate.

This may sound complex, but effective internal controls mean that the Board of Trustees, Senior Management, and Department Administration have reasonable assurance that:

• They understand the extent to which Jefferson’s operational objectives are being achieved;
• Published financial statements, operational dashboards and reports, and monthly budget variance reports contain reliable data; and;
• Jefferson is in compliance with applicable government regulations, accreditation standards, and contractual obligations.

Who Is Responsible for Internal Controls?

The answer is NOT the Office of Internal Audit. Yes, we play a significant monitoring role, and we can provide consultation and advice. However, ultimately, Senior Management is responsible for the internal control system. Department Heads and Senior Managers are responsible for internal control policies and procedures specific to their unit or department. However, to some degree, every employee in the organization plays a part in the internal control system. All personnel are responsible for communicating upward problems in operations, as well as complying with internal and external policies and regulations.

What Are Some Good Internal Control Practices?

Listed below are some indicators of strong internal controls. Are these controls present in your unit or department?

• Authority limits are clearly defined in writing and communicated throughout the department.
• Accounts are reconciled on a timely basis. For example, monthly procurement card statements are reconciled to the supporting documentation.
• Equipment, supplies, inventory, cash, and other assets are physically secured, and periodically counted and compared to records.
• Department policies are documented and reviewed periodically for current processes. In addition, policies are effectively communicated to all department staff.
• Department management closely monitors department operating statistics or other benchmarks. Negative trends are identified and addressed promptly.
• The Department Head, Administrator, or other designee reviews expense-related documents, including timesheets, for completeness, accuracy, and compliance with policies and procedures.
• Performance appraisals are completed to reflect an objective assessment of each employee’s abilities and their measured achievements of goals and objectives.
• Adequate training is provided for all employees.
• Changes in laws and regulations are identified and communicated to appropriate employees.
• Strong password controls are established, and access to systems is appropriately granted for minimum necessary functionality.
• Project management controls are in place for the implementation of new systems or procedures.
• Factors that are critical to achievement of unit-wide objectives are identified. Resources are appropriately allocated between critical success factors and objectives of lesser importance.

How Do You Evaluate Internal Controls?

There are many different tools and methodologies for evaluating internal controls. The key to evaluating internal controls is identifying all of the unit or department operating, financial, and compliance objectives. Once the objectives are identified, you need to identify all the risk situations that could prevent the objectives from being realized (i.e., what can go wrong?). Ranking the likelihood of each risk factor (high, medium, or low) will help with the cost justification of the control activities. Identifying the control activities to manage each of the risk factors is often supplemented with flowcharts and/or narratives of the departmental processes. The final control assessment (strong, adequate, or weak) is a judgment as to whether the control activities are sufficient to manage the risk factors, given the likelihood of the risk.

It should be noted that no system of internal control is expected to eliminate all risks. In addition, a strong system of internal controls does not ensure that the department’s objectives will be met. However, it can help a department get to where it wants to go, and avoid pitfalls and surprises along the way.

How Do I Get More Information About Internal Controls?

The Jefferson Office of Internal Audit may not be responsible for internal control, but we can provide consultation and advice. Please contact Laurie Riggs, Director, at 215-503-7320 for further information.