NSU | Office Of Internal Audit - Internal Control Narrative

Northwestern State University
NSU Home Page About Internal Audit FAQ Internal Audit Charter Rules of the Board Internal Controls Control Self Assessment	Internal Control	Audit Alerts! Internal Audit Related Websites Research Links Office of Legislative Auditor Internal Auditing Terms
	Internal Control Defined
	Internal control is a process, affected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Reliability of financial reporting Effectiveness and efficiency of operations Compliance with applicable laws and regulations
	The collective effort made toward the achievement of organizational objectives is referred to as the internal control system. Individuals at all levels of the organization affect internal controls. A weak link at any level of the organization compromises the integrity of the internal control system. The primary objectives of the internal control system are as follows: Compliance with policies and procedures Accomplishment of objectives and goals Reliability and integrity of information Economical and efficient use of resources Safeguarding of assets
	Internal Controls In Your Everyday Life
	Most people utilize internal controls everyday and are not aware of them. When you left home today, did you lock your door? Do you balance your bank statement? Do you review your monthly credit card statement? Do you count the change given to you by store clerks? These are but a few examples of things that people do in order to reasonably assure that the desired results (protected home, accurate bank and credit card balances, and correct change) are achieved.
	Components Of The Internal Control System
	The internal control system consists of five components: the control environment, risk assessment, control activities, information and communication, and monitoring. The control environment is the attitudes, abilities, awareness, and actions of the board and management regarding the significance of control within the organization, i.e. the “tone at the top”. It provides the discipline and structure for the overall system of internal controls. The control environment includes the following: Integrity and ethical values of management Management’s philosophy and operating style Organizational structure Assignment of authority and responsibility within the organization Human resources policies and practices Competence of personnel hired within the organization Risk assessment is the identification and analysis of relevant risks associated with the achievement of objectives. When assessing risk, both external and internal factors must be considered. External risk factors are outside the organization, usually beyond management’s control. Examples include economic changes, technological developments, and natural catastrophes. Internal risk factors are within the organization, usually within management’s control. Examples include new personnel, low morale, and new or upgraded information systems. Risk assessment takes into consideration what can go wrong, and the likelihood of occurrence. Control activities are the policies and procedures, which help ensure that management directives are carried out. Control activities can be categorized as authorizations, segregation of duties, record keeping, safeguarding and reconciliations. Authorizations – Transactions must be authorized and executed in accordance with management’s intent. Segregation of duties – Segregation of duties is adequate when no one person is in a position to initiate and conceal errors and/or irregularities in the normal course of their duties. Record keeping – Adequate record keeping ensures that assets are properly controlled and transactions are properly recorded as to account, amount and period. Safeguarding – Limiting access to and controlling the use of assets and records are ways to safeguard those assets and records. Reconciliations – Reconciliations are independent verifications, which help to ensure that the other four control activities are functioning as intended. Information and communication systems provide management with reports detailing facts about operational, financial, and compliance matters. Information must be relevant and communicated to appropriate personnel timely for it to be useful. Information must flow in all directions within the organization. The information and communication system helps to ensure that employees are aware of what is expected of them in accomplishing the organization’s goals and objectives. Monitoring is a process that assesses the performance of the system of internal control over time, ensuring that it is operating as expected. Supervisory personnel should perform the monitoring function, focusing on high-risk areas. Monitoring includes observation and testing activities. Internal control systems change over time (e.g. new personnel and technological advancements). An internal control system that is adequate can become obsolete or less effective. Monitoring ensures that as change occurs, the internal control system is adjusted to fit current circumstances.
	Types Of Controls
	Controls are any action taken by management to increase the likelihood that established goals and objectives are achieved. Adequate control is present when management has planned and organized in a manner that provides reasonable assurance that goals and objectives are achieved efficiently and effectively. Controls can be grouped into three broad categories: preventive, detective and directive. Preventive controls deter undesirable events from occurring. Preventive controls should be designed to discourage errors and irregularities from occurring. Restricting access to records and shredding documents containing confidential information prior to discard are examples of preventive controls. Detective controls uncover and correct undesirable events that have occurred. Detective controls should be designed to identify an error or irregularity after if has occurred. Reviewing long distance telephone charges for personal calls and preparing reconciliations are examples of detective controls. Directive controls cause or encourage a desirable event to occur. Directive controls should be designed to assist in the accomplishment of goals and objectives. Training seminars and written job descriptions are examples of directive controls.
	Internal Control And Auditors
	Internal control is a term that is widely discussed and evaluated by the auditing profession. There are three general classifications of auditors: independent, internal, and government. Independent auditors (external auditors) are retained by an entity to perform financial statement audits to meet the needs of investors, creditors, and regulatory bodies (e.g. Securities and Exchange Commission). Independent auditors evaluate the system of internal controls in order to determine the amount of reliance (trust) to place on the financial statements prepared by management of the entity being audited. Independent auditors must obtain a sufficient understanding of the internal control system of the entity in order to plan the audit engagement and to determine the nature, timing, and extent of tests to be performed. In theory, the more reliance placed on the system of internal controls, the less substantive testing is required in order to form an opinion on the accuracy and fair presentation of the financial statements. Internal auditors are employed by the entities in which they audit. One of the primary functions of an internal auditor is to examine their organization’s internal control structure and evaluate how adequate and effective it is. Internal auditors assist management in the effective discharge of their duties and responsibilities. They help their organization accomplish its objectives by bringing a systematic, disciplined approach to the evaluation and improvement of risk management activities, control activities, and governance processes. Government auditors, which are employed by agencies of federal, state, and local governments, can function as independent or internal auditors, depending on the entity they are auditing. When the audit involves the governmental agency that employs them, the government auditor functions as an internal auditor. When they audit recipients of governmental funds (including other governmental agencies), they function as an independent auditor.
	Definitions Used In Document
	Effectively – Performed in a manner in which the organization’s goals and objectives are actually achieved. Back to Top Efficiently – Performed in a manner in which goals and objectives are accomplished in an accurate, timely fashion with a minimal use of resources. Back to Top Error – An error is an unintentional act or omission of significant information. Back to Top Irregularity – An irregularity is an intentional act or omission of significant information or fraud in accounting records, financial statements, other reports, documents or records. Back to Top Reasonable assurance – Reasonable assurance is a concept that recognizes that the cost of an entity’s internal control system should not exceed the expected benefits. Cost limitations and inherent limitations within the internal control system result in it providing only reasonable, not absolute, assurance that its objectives will be accomplished. Inherent limitations, such as mistakes in judgment, carelessness, fatigue, management override, and distraction, reduce the effectiveness of the internal control system. Back to Top Risk – Risk is the uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood of occurrence. Back to Top Substantive tests – Substantive tests are tests of details and analytical procedures performed to detect material misstatements in account balance, transaction class, and disclosure components of financial statements. Back to Top

Northwestern State University is a member of the University of Louisiana System