Internal Controls

What are Internal Controls?

Internal Controls are processes, effected by the KCTCS Board of Regents, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations.
  • Reliability of financial reporting.
  • Compliance with applicable laws and regulations.

Is Segregation of Duties the Primary Component of Internal Controls?

Internal Control can be achieved in both a small department with limited personnel, as well as larger departments with more personnel available to achieve segregation of duties. Internal Control consists of five interrelated components:

  • Control Environment - This includes factors such as integrity, ethical values and the competence of personnel. Management's philosophy and operating style also play a factor. The attention and direction of Senior Management or the Board significantly affects the control environment.
  • Risk Assessment - Every organization or department faces a variety of risks from external and internal sources. Management must be able to identify and manage those risks relevant to achieving the organization's objectives. Management must also be able to deal with the risks associated with changing economic, industry, regulatory, and operating conditions.
    Control Activities - Control Activities are the policies and procedures that help ensure management directives are carried out. In addition to segregation of duties, control activities include approval processes, authorizations, verifications, reconciliations, review of operating performance, and security of assets.
  • Information and Communication - Pertinent information must be identified, captured and communicated in a form and timeframe than enables people to carry out their responsibilities. This component of internal control is critical. It not only includes information systems produced reports of operational, financial and compliance-related information, but it also includes the day-to-day communication processes among employees, supervisors and Senior Management. It is also important that the information and communication flows up and down the organizational structure and flows across departments and divisions.
  • Monitoring - A process to assess the quality of internal control systems over time is essential. This can be accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring activities include management and supervisory activities that take place every day. Either management or Internal Audit may undertake separate evaluations.

Who is Responsible for Internal Controls?

The answer is NOT the Internal Audit Department. Yes, we play a significant monitoring role and we can provide consultation and advice. However, ultimately, the President and members of Senior Management are responsible for the internal control system. Department Heads and Senior Managers are responsible for internal control policies and procedures specific to their unit or department. However, to some degree, every employee in the organization plays a part in the internal control system. All KCTCS personnel are responsible for communicating upward problems in operations as well as complying with internal and external policies and regulations.

What are Some Good Internal Control Practices?

Listed below are examples of strong internal controls:

  • Authority limits are clearly defined in writing and communicated throughout the department.
  • Accounts are reconciled on a timely basis to their underlying source data.
  • Equipment, supplies, inventory, cash and other assets are physically secured and periodically counted and compared to records.
  • Department policies are documented and reviewed periodically for current processes. In addition, policies are effectively communicated to all department staff.
  • Department management closely monitors department operating statistics or other benchmarks. Negative trends are identified and addressed promptly.
  • The Department Head, Administrator, or other designee reviews expense related documents, including timesheets, for completeness, accuracy and compliance with policies and procedures.
  • Performance appraisals are completed to reflect an objective assessment of each employee's abilities and their measured achievements of goals and objectives.
  • Adequate training is provided for all employees.
  • Changes in laws and regulations are identified and communicated to appropriate employees.

How do you Evaluate Internal Controls?

There are many different tools and methodologies to evaluating internal controls. A good example is the following matrix:

 Control Objective Risk Factors Risk Likelihood  Control Activities Control Assessment 

The key to evaluating internal controls is identifying all of the unit or department's operating, financial and compliance objectives. Once the objectives are identified, you need to identify all the risk factors that exist that could prevent the objectives from being realized (i.e. what can go wrong?). Ranking the likelihood of each risk factor (high, low, or medium) will help with the cost justification of the control activities. Identifying the control activities to manage each of the risk factors is often supplemented with flowcharts and/or narratives of the departmental processes. The final control assessment (strong, adequate, or weak) is the judgment as to whether the control activities are sufficient to manage the risk factors, given the likelihood of the risk.

It should be noted that no system of internal control is expected to eliminate all risks. In addition, a strong system of internal controls does not ensure that the department's objectives will be met. However, it can help a department get to where it wants to go, and avoid pitfalls and surprises along the way.