Unit management throughout the University is responsible to establish internal controls to keep their unit on course toward its financial goals, to help it achieve its mission, to minimize surprises and risks, and to allow the organization to successfully deal with change. Internal controls are defined as activities undertaken to increase the likelihood of achieving management objectives in three areas:
Efficiency and effectiveness of operations
Reliability of financial reporting
Compliance with laws and regulations
Some internal controls are established at the institutional level; others are established by unit management. To achieve success, unit management needs to (1) be knowledgeable about, and support, institutional controls, and (2) implement practical and effective internal controls specific to the particular unit. The following checklist is provided to facilitate a self-assessment of internal controls by management of individual departments. It is intended to address general aspects of internal controls, and does not include specific controls applicable to individual units. Organization of the checklist is consistent with the five interrelated components of internal control defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). We encourage department heads and other unit management to use this self-assessment checklist to evaluate internal controls in their areas of responsibility. Management should also add to the checklist other controls that apply specifically to their units. Internal Audit would be pleased to consult on methods to improve your internal controls.
Index
1. Control Environment
   1. Integrity and Ethical Values
   2. Commitment to Competence
   3. Management's Philosophy and Operating Style
   4. Organizational Structure
   5. Assignment of Authority and Responsibility
   6. Human Resource Policies and Practices
2. Risk Assessment
   7. Organizational Goals and Objectives
   8. Risk Identification and Prioritization
   9. Managing Change
3. Control Activities
   10. Written Policies and Procedures
   11. Control Procedures
   12. Controls over Information Systems
4. Information and Communication
   13. Access to Information
   14. Communication Patterns
5. Monitoring
   15. Management Supervision
   16. Outside Sources
   17. Response Mechanisms
   18. Self-Assessment Mechanisms
Assessment Factor
1.2 Codes of conduct.
Unit management understand the University's policies governing relationships with sponsors, suppliers, creditors, regulators, the community, and the public at large. Policies are poorly understood. Unit management understand the University's policies regarding potential conflicts of interest. Policies are poorly understood. Unit management sets a good example and regularly communicates high expectations regarding integrity and ethical values. Management does not set a good example and/or does not communicate high expectations regarding integrity and ethical values.
1.3 1.4
2. Commitment to Competence
2.1 Job descriptions. Responsibilities are clearly defined in writing and communicated as appropriate. Responsibilities are poorly defined or poorly communicated.
2.2 Knowledge and Skills. Unit management (faculty and supervisory staff) understand the knowledge and skills required to accomplish tasks. Management does not adequately consider knowledge and skill requirements.
2.3 Employee competence. Unit management is aware of competency levels, and is involved in training and increased supervision when competency is low. Management is not adequately aware of competency levels, or does not actively address problems.
3. Management's Philosophy and Operating Style
3.1 Communication with Faculty, College and University. Unit management insists on full and open disclosure of financial or business issues with appropriate faculty, college and University personnel. Management is secretive and reluctant to conduct business or deal with issues in an open manner.
There is active concern and effort to ensure compliance with the letter and intent of laws and regulations. Management is concerned with and exerts effort to get the job done right the first time.
Management is willing to risk the consequences of noncompliance. Management is willing to get the job done without adequate regard to quality.
Exceptions to policy are infrequent. When they occur they must be approved and well documented. Exceptions to policy are the norm and are rarely documented. Management's approach shows concern and appreciation for accurate and timely reporting. Budgeting and other financial estimates are generally conservative. Financial accountability is given low priority.
3.5
3.6
Realistic budgets are established and results are actively monitored. Corrective action is taken as necessary. The unit learns from, and does not repeat, mistakes. Management either shows little concern (climate of laxness), or makes unreasonable demands (climate of fear). Decision-making processes are deliberate and consistent. Decisions are made after careful consideration of relevant facts. Policies and procedures are in place to ensure appropriate levels of management are involved. Decision making is nearly always informal. Management makes arbitrary decisions with inadequate discussion and analysis of the facts.
3.7
4. Organizational Structure
4.1 Complexity of the organizational structure. Organization charts. Size of the management group. Stability of the management group. Complexity of the structure is commensurate with the organization. Lines of reporting are clear and documentation is up-to-date. Documentation exists and is up to date. Size is commensurate with the complexity of the unit and its growth. Low turnover. Lines of responsibility are unclear or unnecessarily complicated for the size and activities of the entity. Documentation does not exist or is out-of-date. The documented structure does not correspond with actual responsibilities. Size is not appropriate (e.g., too many levels, too dispersed, or too "thin"). High turnover.
5. Assignment of Authority and Responsibility
5.1 Delegation of authority and assignment of responsibility for operating and financial functions. Authority limits. Delegation of authority and assignment of responsibility is clearly defined. Individuals are held accountable for results. Decisions are dominated by one or a few individuals. Roles and responsibilities of middle management are unclear. Authority limits are clearly defined in writing and communicated as appropriate. Appropriate limits have been placed on each delegation of signature authority. Management reviews and updates signature records as turnover occurs. Key personnel are knowledgeable and experienced. Management does not delegate authority to inexperienced individuals. Policies and procedures covering authority limits are informal or poorly communicated. Signature authority is delegated without adequate consideration. Delegated authority is not in line with employee knowledge, training, or competence. Key personnel are inexperienced. Management delegates authority without regard to knowledge and experience.
5.2
5.3
5.4 5.5
Management provides the resources needed for employees to carry out their duties. Management does not provide necessary resources.
6. Human Resource Policies and Practices
6.1 Selection of personnel. A careful hiring process is in place. The Human Resources Department is involved in identifying potential employees based on job requirements. On-the-job and other training programs have defined objectives. They are effective and important. The hiring process is informal, and sometimes proceeds without adequate involvement by higher-level supervisors. Training programs are inconsistent, ineffective, or are given low priority.
6.2 Training.
6.3 Supervision policies.
Personnel are adequately supervised. They have a regular resource for resolving problems. Regular supervision does not exist or is ineffective. Employees are frustrated and feel they 'have nowhere to go' with issues. Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status. Reprimands are not timely, direct, or are not consistently applied (climate of favoritism).
6.4 Inappropriate behavior.
6.5 Evaluation of personnel.
An organized evaluation process exists. Compensation decisions are based on a formal process with meaningful involvement of more than one level of management. The effect of performance evaluations on compensation decisions is defined and communicated. Critical functions are adequately staffed, with reasonable workloads. Low turnover. Management understands root causes of turnover.
The evaluation process is ad hoc and inconsistent. Performance issues are not formally addressed. Compensation decisions are ad hoc, inconsistent, or inadequately reviewed by management. There is inadequate staffing and frequent periods of overwork and "organizational stress." High turnover. Management does not understand root causes.
6.6
6.7 6.8
7.2
Factors that are critical to achievement of unit-wide objectives are identified. Resources are appropriately allocated between critical success factors and objectives of lesser importance. Success factors are not identified or prioritized. Realistic objectives are established for all key activities including operations, financial reporting and compliance considerations. Activity-level objectives do not exist.
7.3 Activity-level objectives.
7.4 7.5
Unit-wide and activity level objectives include measurement criteria and are periodically evaluated. Performance regarding objectives is not measured. Targets are not set. Employees at all levels are represented in establishing the objectives. Management dictates objectives without adequate employee involvement.
7.6
Long and short-range plans are developed and are written. Changes in direction are made only after sufficient study is performed. No organized planning process exists. There are frequent shifts in direction or emphasis. Detailed budgets are developed by area of responsibility following prescribed procedures and realistic expectations. Plans and budgets support achievement of unit-wide action steps. Budgets do not exist or are "backed into" depending on desired outcome. Planning for future needs is done well in advance of expected needs and considers various scenarios. The information system lags significantly behind the needs of the business.
7.7 Budgeting system.
7.8
8. Risk Identification and Prioritization
A process exists to identify and consider the implications of external risk factors (economic changes, changing sponsor, student and community needs or expectations, new or changed legislation or regulations, technological developments, etc.) on unit-wide objectives and plans. Potential or actual external risk factors are not effectively identified or evaluated. A process exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on unit-wide objectives and plans. Potential or actual internal risk factors are not effectively identified or evaluated. The likelihood of occurrence and potential impact (monetary and otherwise) have been evaluated. Risks have been categorized as tolerable or requiring action. In-depth, cost / benefit studies are performed before committing significant unit resources. Risks have not been prioritized.
8.1
8.2
8.3 Prioritization of risks.
8.4
8.5
A risk management program is in place to monitor and help mitigate exposures. External advisors are consulted as needed to supplement internal expertise.
Exposure is dealt with on a case by case basis. Regular efforts or programs to manage risks do not exist. Internal expertise regarding risk and control issues is inadequate. Assistance is never sought from outside sources.
8.6
9. Managing Change
9.1 Commitment to change. Management promotes continuous improvement and solicits input and feedback on the implications of significant change. Management promotes the status quo, even when changes are needed to meet important business needs.
9.2 Support of change. Management is willing to commit resources to achieve positive change. Management offers no resources to facilitate change.
9.3 Routine change.
Mechanisms exist to identify, prioritize, and react to routine events (i.e., turnover) that affect achievement of unit-wide objectives or action steps. Procedures are not present or are ineffective. Mechanisms exist to identify and react to economic changes. Procedures are not present or are ineffective.
9.4 Economic change.
9.5 Regulatory change.
Mechanisms exist to identify and react to regulatory changes (maintain membership in associations that monitor laws and regulations, participate in University forums, etc.). Procedures are not present or are ineffective. Mechanisms exist to identify and react to technological changes and changes in the functional requirements of the unit. Procedures are not present or are ineffective.
9.6 Technological change.
10.2 Unit policies and procedures.
11. Control Procedures
11.1 Senior management (University or College) reviews.
11.2 Top level (unit-wide) objective performance reviews by unit management.
11.3 Top level (unit-wide) financial performance reviews by unit management.
The unit has documented its own policies and procedures. They are well understood by unit staff.
Senior management monitors the unit's performance against objectives and budget. Reviews are made of actual performance compared to objectives and previous periods for all major initiatives. Management analyzes and follows up as needed.
Senior management does not monitor unit performance. Analyses are not performed or management does not follow up on significant deviations.
Reviews are made of actual performance versus budgets, forecasts, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed. Analyses are not performed or management does not follow up on significant deviations.
11.4 Direct functional or activity management by unit management. Performance reviews are made of specific functions or activities, focusing on compliance, financial or operational issues. No performance reviews occur.
11.5 Performance indicators. Unexpected operating results or unusual trends are investigated. Operating results and trends are not monitored.
11.6 Accounting statements and key reconciliations. Accounting statements and key reconciliations are completed timely. Management performs a diligent review and signifies approval by signature and date. Reconciliations are not performed timely or regularly. Management does not carefully review or formally approve statements or reconciliations.
11.7 Sponsored project account management. Sponsored project accounts are reviewed and reconciled. PIs certify the expenditures timely. Unit management monitors the portfolio of sponsored accounts for compliance and fiscal responsibility. Sponsored project accounts are not monitored; reconciliations and certifications are not timely.
Restrictions on use are well documented, and are understood by employees who administer the funds. Usage is monitored by management, accounts are reconciled. Restrictions are not clearly documented. Restricted fund accounts are not monitored; usage may not match restrictions. Controls exist to monitor the accuracy and completeness of information as well as authorization of transactions. No information processing controls are in place.
11.10 Physical controls. Equipment, supplies, inventory, cash and other assets are physically secured and periodically counted and compared to the amounts shown on control records. Equipment, supplies, inventory, cash and other assets are not protected. Control records do not exist or are not up to date.
11.11 Training and guidance for asset custodians. Adequate guidance and training are provided to personnel responsible for cash or similar assets. No training or guidance is provided.
11.12 Separation of duties. Financial duties are divided among different people (responsibilities for authorizing transactions, recording them and handling the asset are separated). No significant separation of financial duties among different employees.
11.13 Record retention.
Unit employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed. Unit employees do not understand which records they are responsible for maintaining. The filing system is inadequate. A disaster response and recovery plan has been developed and is understood by key personnel. No disaster response or recovery plan exists.
System operations are documented; software is appropriately acquired and maintained; access to the system, programs and data is controlled; the system is maintained in a secure environment; applications are appropriately developed and maintained. Inadequate controls over local information systems or LANs.
The unit controls its computer applications by diligent and timely response to edit lists, rejected transactions and other control and balancing reports. Controls ensure a high level of data integrity including completeness, accuracy, and validity of all information in the system. Key data and programs on LANs or desktop computers are appropriately backed up and maintained. Off-site storage is adequate considering possible risks of loss.
No formal back up procedures exist. Management has not informed staff of back up requirements.
A formal reporting system does not exist. Reports are not timely or are not at appropriate levels of detail.
Information used by the unit has not been evaluated and classified. Employees are not trained with respect to information security.
14. Communication Patterns
14.1 Trust. Management promotes and fosters trust between employees, supervisors and other units. Interactions among faculty, staff and/or with other units are characterized by low levels of trust.
Employees who violate an important policy are disciplined. Management's communications and actions are consistent with policies. Violations, while not condoned officially, are often overlooked. Management's actions are inconsistent with official policies. Employees are encouraged to provide recommendations for improvement. Ideas are recognized and rewarded. Employees' ideas are not welcomed.
14.3
Formal methods are used to communicate unit policies and procedures (e.g., manuals, training programs, written codes of conduct, and acceptable business practices). To the extent that they exist, policies are buried in unused manuals and documents.
Standards and expectations are communicated to key outside groups or individuals (e.g., vendors, consultants, donors, sponsors, subcontractors, sub-recipients).
Employees are kept informed of important matters (downward communication) and are able to communicate problems to persons with authority (upward communication). There is effective functional coordination within the unit (lateral communication). Most information is received by the "grapevine." Information is openly shared with outside evaluators. Information is kept secret from outside evaluators.
Section
5. Monitoring
15. Management Supervision
15.1 Effectiveness of key control activities.
15.2 Management supervision of accounting function.
Management routinely spot-checks transactions, records and reconciliations to ensure expectations are met. Accounting policies are defined and adopted after appropriate consideration. Policies are effectively communicated (in writing).
15.3 Management supervision of new systems development. Policies are defined for developing new systems or changes to existing systems (cost/benefit analysis, team composition, user specifications, documentation, acceptance testing, and user approval).
15.4 Budget analysis. Budgets are compared to actual results and deviations are followed up on a timely basis. Adequate consideration is given to commitments. An analysis of actual versus budgeted results is not performed, or management does not follow up on deviations.
16. Outside Sources
Data is used to compare the unit's performance with peers or industry standards. Comparative data is not regularly monitored. Reports from regulatory bodies are considered for their internal control implications. Response is limited to what is necessary to "get by" the regulators.
16.3 Sponsors, students, suppliers, creditors, and other third parties.
16.4 External auditors.
17. Response Mechanisms
17.1 Management follow-up of violations of policies.
17.2 External or internal audit findings.
17.3 Changes in conditions (e.g., economic, regulatory, technological, or competitive).
18. Self-Assessment Mechanisms
18.1 Monitoring of control environment.
Root causes of inquiries or complaints are investigated and considered for internal control implications. Inquiries or complaints are dealt with case-by-case, with little or no follow-up. Information provided by external auditors about control-related matters is considered and acted on at high levels. Findings are referred to lower levels or are explained away.
Follow-up is sporadic.
Findings are considered and immediately acted upon at appropriate levels. Consideration of findings is delegated to lower levels or is given low priority. Changes are anticipated and routinely integrated into ongoing long- and short-range planning. Responses are reactive rather than proactive.
Management periodically assesses employee attitudes, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures. Management periodically evaluates the effectiveness of its risk assessment process. Internal controls are subject to a formal and continuous internal assessment process.
18.2 Evaluation of risk assessment process.
18.3 Assessment of design and effectiveness of internal controls.
Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems. Management questions information on management reports that appears unusual or inconsistent.