Statewide Office of Audit and Consulting Services

Internal Controls


Internal Controls Overview

Internal controls assist to offset negative risk events, which can be categorized into just four main titles: errors, omissions, delay and fraud. Managers should develop internal controls procedure to decrease identified risk to a level where management can accept the exposure to that risk. By performing this balancing act "reasonable assurance” can be attained.

Examples of controls out of balance:

Excessive Risks
• Loss of Assets, Donor or Grants
• Poor Business Decisions
• Noncompliance
• Increased Regulations
• Public Scandal

Excessive Controls
• Increased Bureaucracy
• Reduced Productivity
• Increased Complexity
• Increased Cycle Time
• Increase of No-Value Activities

In order to achieve a balance between risk and controls, internal controls should be proactive, value-added, cost-effective, and address exposure to risk.


The Manager’s Responsibility

Managers are responsible for ensuring that internal controls are established, balanced, and operating as intended. Through design, a system of internal controls can assist in providing managers a reasonable level of assurance that the unit’s mission and objectives will be achieved. Managers are also responsible for periodically re-evaluating the internal controls at use in their unit for balance and function.

Most internal controls can be classified as preventative or detective. These systematic measures tools assist to:
• conduct business in an orderly and efficient manner,
• safeguard assets and resources, including electronic information resources
• deter and detect errors, fraud, and theft,
• ensure accuracy and completeness of accounting data,
• produce reliable and timely financial and management information, and
• ensure adherence to policies and regulations


Audit and Consulting Services's Responsibility

Audit and Consulting Services provides an independent evaluation of the adequacy of internal controls, works with managers and their unit to identify out of balance internal control and risk areas, and reports the results to appropriate management and the Board of Regents Audit Committee per Regents Policy P05.03.

Often, the auditor’s evaluation will include the following internal control elements:
• Personnel – verify that clearly established lines in regards to authority and responsibility are documented in job descriptions and procedure manual
• Authorization Procedures – review supporting information to verify the propriety and validity of transactions
• Segregation of Duties – review the appropriate placement of duties to reduce the likelihood of errors and irregularities (one individual should not have responsibility for more than one of the three transaction components: authorization, custody, and record keeping)
• Physical Restrictions – review the safeguarding of university assets, processes, and data
• Documentation and Record Retention – review the assurance information that assets and data are controlled and correctly recorded
• Operational Internal Controls – review operational risks and how they are addressed


Suggestions for Internal Controls

• Set an example. Display and expect ethical behavior from yourself and those around you. This is also referred to as ‘the tone at the top’.
• Never sign something you do not understand or that is not completed properly.
• Document approvals by signature and date of approval.
• Provide yourself and your unit with the opportunities to stay knowledgeable with university policies and regulations and within arenas essential to unit operations. Check up on training provided by different departments around the university. Refer to the section below titled University of Alaska Guidance.
• Keep written procedures up to date and available to the whole unit.
• Evaluate your unit’s risks and internal controls for balance continually. Ask Audit and Consulting Services for additional information or consulting.
• Do not let one employee have complete control of any process.
• Keep property and data safeguarded. Contact your risk management or information technology departments for ideas on techniques.
• Do reconciliations. Verify different sets of records contain the same data across the board. Financial data is important to reconcile, but not the only kind of data that needs reconciling.
• Maintain support documentation for transactions and key business decisions.
• Provide employee performance reviews. Keep up to date on all areas of employee work related activities, goals, perceptions, ideas, etc.


Tools to Assist in Designing Internal Controls

• Risk Assessments
• Process Flowcharts
• Walk-Throughs
• Transaction Tracing
• Questionnaires
• Guidance from other departments

Audit and Consulting Services or your risk management department can assist by providing tools, hosting a training session or workshop, facilitating a risk assessment, or any combination of these items.


Back to Top