Information Sheet 1.1.

10: Review Internal Control System

Learning outcomes:
1. Check policy compliance
2. Prepare policy compliance report

Learning Objectives:
A. Identify different ways of internal control system
B. Explain importance of internal control system
C. apply compliance policy in reviewing financial reports
D. prepare policy compliance report

The Internal Accounting Control System

Internal accounting control is a series of procedures designed to promote and protect sound management
practices, both general and financial. Following internal accounting control procedures will significantly
increase the likelihood that:

financial information is reliable, so that managers and the board can depend on accurate
information to make programmatic and other decisions
assets and records of the organization are not stolen, misused, or accidentally destroyed
the organization s policies are followed
Government regulations are met.

Internal control includes all of the processes and procedures that management puts in place to help make
sure that its assets are protected and that company activities are conducted in accordance with the
organizations policies and procedures. For example, requiring that the contents of a warehouse be
periodically counted and reconciled to the inventory recorded on the companys books is a control over the
existence and accuracy of inventory.

Areas of Internal Accounting Control System

The first step in developing an effective internal accounting control system is to identify those areas where
abuses or errors are likely to occur. Many accountants can provide you with a checklist of areas and
questions to consider when you are planning your system. Price Waterhouse's booklet, Effective Internal
Accounting Control for Nonprofit Organizations: A Guide for Directors and Management, includes the
following areas and objectives in developing an effective internal accounting control system:

Cash receipts
To ensure that all cash intended for the organization is received, promptly deposited, properly
recorded, reconciled, and kept under adequate security.

Cash disbursements
To ensure that cash is disbursed only upon proper authorization of management, for valid business
purposes, and that all disbursements are properly recorded.

Petty cash
To ensure that petty cash and other working funds are disbursed only for proper purposes, are
adequately safeguarded, and properly recorded.

Lead Experts Date: Developed Date: Revised Page #

Reviewing Internal Control System
Academy 1 APR 2016 Ver. 1 1
Information Sheet 1.1.10: Review Internal Control System

Payroll
To ensure that payroll disbursements are made only upon proper authorization to bona fide
employees, that payroll disbursements are properly recorded and that related legal requirements
(such as payroll tax deposits) are complied with.

Grants, gifts, and bequests

To ensure that all grants, gifts, and bequests are received and properly recorded, and that
compliance with the terms of any related restrictions is adequately monitored.

Fixed assets
To ensure that fixed assets are acquired and disposed of only upon proper authorization, are
adequately safeguarded, and properly recorded.
Additional internal controls are also required to ensure proper recording of donated materials,
pledges and other revenues, accurate, timely financial reports and information returns, and
compliance with other government regulations.

Achieving these objectives requires your organization to clearly state procedures for handling each
area, including a system of checks and balances in which no financial transaction is handled by only
one person from beginning to end. This principle, called segregation of duties, is central to an
effective internal controls system. Even in a small nonprofit, duties can be divided up between paid
staff and volunteers to reduce the opportunity for error and wrongdoing. For example, in a small
organization, the director might approve payments and sign checks prepared by the bookkeeper or
office manager. The board treasurer might then review disbursements with accompanying
documentation each month, prepare the bank reconciliation, and review canceled checks.

The board and executive director share the responsibility for setting a tone and standard of
accountability and conscientiousness regarding the organization's assets and responsibilities. The
board, usually through the work of the finance committee, fulfills that responsibility in part by
approving many aspects of the internal control accounting system. Common areas requiring broad
attention include:

Check issuance
The number of signatures on checks, dollar amounts which require board approval or board
signature on the check, who authorizes payments and financial commitments, etc.

Deposits
How payments made in cash (for admissions, raffles, weekly collection plate, etc.) will be handled,
etc.

Transfers
If and when the general fund can borrow from restricted funds, etc.

Approval of plans and commitments before they are implemented

The annual budget and periodic comparisons of financial statements with budgeted amounts, leases,
loan agreements, and other major commitments.

Personnel policies
Salary levels, vacation, overtime, compensatory time, benefits, grievance procedures, severance pay,
evaluation, and other personnel matters.

Lead Experts Date: Developed Date: Revised Page #

Reviewing Internal Control System
Academy 1 APR 2016 Ver. 1 2
Information Sheet 1.1.10: Review Internal Control System

The Accounting Procedures Manual

The policies and procedures for handling financial transactions are best recorded in an Accounting
Procedures Manual, describing the administrative tasks and who is responsible for each. The manual does
not have to be a formal document, but rather a simple description of how functions such as paying bills,
depositing cash, and transferring money between funds are handled. As you start to document these
procedures, even in simple memo form, the memos themselves can be kept together to form a very basic
Accounting Procedures Manual. Writing or revising an Accounting Procedures Manual is a good opportunity
to see whether adequate controls are in place. In addition, having such a manual facilitates smooth turnover
in financial staff.

Types of Internal Control Activities

Internal Control Financial Accounting http://f2.washington.edu/fm/fa/internal-controls/authorization

1. Preventive: Preventive control activities aim to deter the instance of errors or fraud.
Preventive activities include thorough documentation and authorization practices. Preventive
control activities prevent undesirable "activities" from happening, thus require well thought out
processes and risk identification.
2. Detective: Detective control activities identify undesirable "occurrences" after the fact. The
most obvious detective control activity is reconciliation.

Whether preventive or detective the internal control can be in the form of the following:

1. Authorization

Authorization is the basis by which the authority to complete the various stages of a transaction is
delegated. These stages include the processes of Recording (initiate, submit, process), Approving
(pre-approval, post entry review), and Reconciling. The main aspects of authorization are:

Privilege: Typically, the application for which an individual is granted the ability to use or the
duty in which they are granted the ability to perform.
Role: Typically, a type of user, such as staff, principal investigator, administrator or other,
more specific roles such as payroll coordinator. This often is dependent upon the privilege the role is
associated with.
Action: Typically, an action that the user can perform. Some examples are initiate, submit,
approve, reconcile or view (inquiry).
Span-of-control: This is a restriction upon the action granted to a user. This is often a
restriction by organization code, budget number, or other organizational or financial entity defined
restriction.

Purpose:

All transactions and activities should be carried out and approved by employees acting within their
range of knowledge and proper span of control. Proper authorization practices serve as a proactive
approach for preventing invalid transactions from occurring.

Concepts and Best Practices:

Lead Experts Date: Developed Date: Revised Page #
Reviewing Internal Control System
Academy 1 APR 2016 Ver. 1 3
Information Sheet 1.1.10: Review Internal Control System

Key Concept Best Practice

Level of authority should be documented:

Policies and procedures within an
Documented authority creates an expectation of
organization should clearly identify which
responsibility and accountability. Authority to
individuals have authority to initiate, submit,
perform a particular action may come in hard copy
reconcile, view or approve different types of
documents or system generated authority (example:
transactions.
ASTRA access system)
Know what you are authorizing:
Individuals should have first hand knowledge of the
transactions being approved, or they should review
Employees should be properly trained and
supporting documentation to verify the validity and
informed of departmental procedures
appropriateness of transactions.
related to internal controls.
An employee being uninformed of their
responsibilities related to departmental procedures is
not acceptable in a good internal control system.
Many falsifications occur after the approval
of a transaction. The workflow process
Authorization should be timely:
should stress timely authorizations as well as
Workflow is an important aspect of good internal
timely processing of transactions following
controls. Time lags between approval and processing
approval.
provide opportunities for altered documents and
potential fraud. Once a document has been approved it
should not be returned to the preparer.

2. Documentation

In the context of internal controls, paper or electronic communication which supports the
completion of the lifecycle of a transaction meets the criteria for documentation. Anything that
provides evidence for a transaction, who has performed each action pertaining to a transaction,
and the authority to perform such activities are all considered within the realm of
documentation for these purposes.

Purpose:

Documents provide a financial record of each event or activity, and therefore ensure the
accuracy and completeness of transactions. This includes expenses, revenues, inventories,
personnel and other types of transactions. Proper documentation provides evidence of what has
transpired as well as provides information for researching discrepancies.

Supporting documentation may come in paper or electronic form. In recent years, more often,
official supporting documentation has moved from paper based to electronic forms. Keep in
mind that in some instances electronic processing and approvals are the source documents for
transactions.

Lead Experts Date: Developed Date: Revised Page #

Reviewing Internal Control System
Academy 1 APR 2016 Ver. 1 4
Information Sheet 1.1.10: Review Internal Control System

Key Concepts and Best Practices:

Key Concept Best Practice

The advance of online applications provides a

Format of source documents: fast and efficient method for accessing
supporting documentation in a standard
Well designed documents help ensure the proper
format. In other areas, wherever possible, the
recording of transactions. Consistent use of
use of templates provides the same benefits.
standard forms or templates should be
Consider creating templates for activities such
considered whenever possible.
as:
Email approvals
Departmentally created supporting
documentation
Time reporting
Reimbursement logs (such as mileage logs,
petty cash, others)
University ownership of documents: Whenever possible, do not allow employees
to take University owned records home. If
Documents used to support University business business needs require University records to
transactions are University property, not the be taken home, communicate to employees
personal property of employees. their responsibility to keep documents secure,
particularly those containing personal
information. This is particularly important to
communicate to employees that have
telecommuting agreements.

Documenting changes: Use attachments or footnotes to document

the reasons for corrections/adjustments to
Changes made subsequent to approval of any records. Make the time/date and the
documents should be clear and concise. approval of such corrections/adjustments
clear and evident.

Avoid duplicate processing: Build a check for duplicate payments into the
processing and approval of payroll, petty cash
Establish a method to avoid duplicate processing, and travel reimbursements.
especially in regards to transactions that result in
payments to individuals such as payroll, petty Create an environment in which payroll, petty
cash and travel reimbursements. cash reimbursements and travel
reimbursements are processed in a timely
manner. Long delays in processing create
opportunities for duplicate payments that go
undiscovered.

Lead Experts Date: Developed Date: Revised Page #

Reviewing Internal Control System
Academy 1 APR 2016 Ver. 1 5
Information Sheet 1.1.10: Review Internal Control System

Look closely at all late entries to watch for

double submission of payments. (Example:
late timecards, extremely late petty cash
requests, travel expenses requested at a later
time separate from the rest of the trip).

Retention: Establish a process for purging documents

that have reached the end of their retention
Retention policies exist for all types of supporting period. Document who, when and how each
documentation. Always keep documents for the record type should be purged.
appropriate retention period and no longer.
Be aware of record retention responsibilities.
See Records Retention

3. Reconciliation

Reconciliation is the process of comparing transactions and activity to supporting

documentation. Further, reconciliation involves resolving any discrepancies that may have been
discovered.

Purpose:

The process of reconciliation ensures the accuracy and validity of financial information. Also, a
proper reconciliation process ensures that unauthorized changes have not occurred to
transactions during processing.

Concepts and Best Practices

Key Concept Best Practice

For each type of activity consider

Accuracy of activity: documenting the particular information from
source documents that is to be compared to
A good internal control system provides a
the appropriate report. This assists to ensure
mechanism to verify that transactions and activity
that transactions are valid and are correct in
are for the correct purpose and amount, and
purpose. (example: determine that for travel
allowable.
reimbursement source documents, the
traveler name, destination, purpose of the
trip, etc. will be matched to the monthly
financial report)

Ensure that transactions have been properly

authorized. Especially, if the source

Lead Experts Date: Developed Date: Revised Page #

Reviewing Internal Control System
Academy 1 APR 2016 Ver. 1 6
Information Sheet 1.1.10: Review Internal Control System

documents are paper based, review for

potential changes to the document between
approval and processing of transactions.

Ensure that all transactions are allowable.

See more specific information: Budget Activity

Reconciliation Process Guidelines

Error correction: Verify the recording of transactions in a timely

manner. Review source documents to assure
Errors and discrepancies, intentional or they are processed and posted in a timely
unintentional, should be detected, investigated manner by the processing department. If not,
and resolved in a timely fashion. follow up with the appropriate central office
or processing department.

Document a plan for the research and

correction of errors or discrepancies of each
type of transaction or activity. Communicate
these processes and procedures with the
appropriate staff.

Establish expectations for timeliness of error

correction.

Matching to the source:

The oversight of any transaction is strengthened

See Budget Activity Reconciliation Process
by the process of matching source documentation
Guidelines
of the transaction to the appropriate reporting
documentation or reporting tool.

Documenting the process and completion: Be consistent with reconciliation processes.

Changing the reconciliation process often
Reconciliation processes are most effective when leads to undiscovered inaccuracies and
they are consistent and thorough. Employees potential fraud.
involved in the reconciliation process should be
knowledgeable and clear on their responsibilities Reconciliation should be documented clearly
and expectations. to verify that a review has been done.

It should be clear to an external reviewer when a The reconciliation process and procedures
reconciliation has been completed. should be documented clearly and
communicated. Consider documenting:

Lead Experts Date: Developed Date: Revised Page #

Reviewing Internal Control System
Academy 1 APR 2016 Ver. 1 7
Information Sheet 1.1.10: Review Internal Control System

1. The steps in the process

2. Who performs each step
3. Expectations regarding timeliness
4. A mechanism for providing proof that all
activity has been reviewed and reconciled
5. A procedure for error correction.

4. Security

The security of University assets and records includes three types of safeguards; Administrative,
Physical and Technical:

Administrative security:
This focuses on the departmental and University processes put in place to protect assets
and records. This includes the above mentioned processes of authorization and
reconciliation.
Physical security:
This is the protection of physical records and assets from loss by theft or damage.
Technical security:
This is the protection of electronic records from loss by theft, damage, or loss in
transport.

Purpose:

Assets and records should be kept secure at all times to prevent unauthorized access, loss or
damage. The security of assets and records is essential for ongoing operations, accuracy of
information, privacy of personal information included in some records and in many cases is a state
or federal law.

Concepts and Best Practices

Key Concept Best Practice

Designate a point person Designating a point person for all areas or

individually for the 3 types of security provides
an established responsibility and accountability
for proper security procedures.

Administrative organization Keep an up-to-date organizational chart that

defines the reporting relationships as well as

Lead Experts Date: Developed Date: Revised Page #

Reviewing Internal Control System
Academy 1 APR 2016 Ver. 1 8
Information Sheet 1.1.10: Review Internal Control System

responsibilities, including back-up

responsibilities, regarding internal controls
within the unit.

Document such processes as opening and

distributing mail, administration of keys, access
to documents and other administrative controls.

Access to electronic records: Establish and communicate unit standards for

screensavers and password protected screens.
Limit access to records and assets to those who
have been authorized and have a business need Setup password protected access to electronic
for them. records.

Physical access to records: Do not allow electronic records to be

downloaded to mobile workstations and
Limit access to records and assets to those who transported outside of the office.
have been authorized and have a business need
for them. Keep important records in lockable, fireproof
storage

Employee Turnover: Develop a checklist for removing access to

records upon separation of an employee or
Limit access to records and assets to those who upon transfer out of the unit. Develop a process
have been authorized and have a business need and assign a point person the responsibility of
for them. administering the process for deleting access to
records.

Passwords: Have a prescribed standard for departmental

passwords. Make them complex and enforce a
policy for changing passwords periodically.

5. Separation of Duties

Separation of duties is the means by which no one person has sole control over the lifespan of a
transaction. Ideally, no one person should be able to initiate, record, authorize and reconcile a
transaction.

Purpose:

All organizations should separate functional responsibilities. The separation of duties assures
that mistakes, intentional or unintentional, cannot be made without being discovered by
another person.

Lead Experts Date: Developed Date: Revised Page #

Reviewing Internal Control System
Academy 1 APR 2016 Ver. 1 9
Information Sheet 1.1.10: Review Internal Control System

Concepts and Best Practices

Key Concept Best Practice

Duties may be separated by department or by

Unit differences: individuals within a department. The level of
risk associated with a transaction should come
Separation of duties may vary depending on each
into play when determining the best method for
unit's size and structure
separating duties.

Demonstration: Documentation of processes and authorization

is helpful in demonstrating a system of control
Separation of duties should be able to be that includes separation of duties.
demonstrated to an outside party.

Document the responsibilities: Document and clearly communicate who will

initiate, submit, process, authorize, review
Separation of duties should be clearly defined, and/or reconcile each activity within the unit.
assigned and documented.

Review and oversight: Assess the potential for mistakes or fraudulent

transactions. If the separation of duties is not
Management should increase the review and sufficient to eliminate or adequately reduce the
oversight function when it is difficult to risk of discovering errors, the level of review of
sufficiently separate duties. management should be increased over the
particular activity.

Lead Experts Date: Developed Date: Revised Page #

Reviewing Internal Control System
Academy 1 APR 2016 Ver. 1 10