
Internal Control Self-Assessment Checklist

Unit management throughout the University is responsible to establish internal controls to keep their unit on course toward its financial goals, to help it achieve its mission, to minimize surprises and risks, and to allow the organization to successfully deal with change. Internal controls are defined as activities undertaken to increase the likelihood of achieving management objectives in three areas:

- Efficiency and effectiveness of operations
- Reliability of financial reporting
- Compliance with laws and regulations

Some internal controls are established at the institutional level; others are established by unit management. To achieve success, unit management needs to (1) be knowledgeable about, and support, institutional controls, and (2) implement practical and effective internal controls specific to the particular unit.

The following checklist is provided to facilitate a self-assessment of internal controls by management of individual departments. It is intended to address general aspects of internal controls, and does not include specific controls applicable to individual units. Organization of the checklist is consistent with the five interrelated components of internal control defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

We encourage department heads and other unit management to use this self-assessment checklist to evaluate internal controls in their areas of responsibility. Management should also add to the checklist other controls that apply specifically to their units. Internal Audit would be pleased to consult on methods to improve your internal controls.

Index

1. Control Environment
   1. Integrity and Ethical Values
   2. Commitment to Competence
   3. Management's Philosophy and Operating Style
   4. Organizational Structure
   5. Assignment of Authority and Responsibility
   6. Human Resource Policies and Practices
2. Risk Assessment
   7. Organizational Goals and Objectives
   8. Risk Identification and Prioritization
   9. Managing Change
3. Control Activities
   10. Written Policies and Procedures
   11. Control Procedures
   12. Controls over Information Systems
4. Information and Communication
   13. Access to Information
   14. Communication Patterns
5. Monitoring
   15. Management Supervision
   16. Outside Sources
   17. Response Mechanisms
   18. Self-Assessment Mechanisms

Assessment Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment: Strong - Weak (1 2 3 4)

Section 1 - Control Environment


1 - Integrity and Ethical Values

1.1 Acceptable business practices.
Stronger controls: Unit management (faculty and supervisory staff) understand the University's policies covering matters such as legitimate use of University resources.
Weaker controls: Policies are poorly understood.

1.2 Codes of conduct.
Stronger controls: Unit management understand the University's policies governing relationships with sponsors, suppliers, creditors, regulators, the community, and the public at large.
Weaker controls: Policies are poorly understood.

1.3 Conflicts of interests.
Stronger controls: Unit management understand the University's policies regarding potential conflicts of interest.
Weaker controls: Policies are poorly understood.

1.4 Integrity.
Stronger controls: Unit management sets a good example and regularly communicates high expectations regarding integrity and ethical values.
Weaker controls: Management does not set a good example and/or does not communicate high expectations regarding integrity and ethical values.

2 - Commitment to Competence

2.1 Job descriptions.
Stronger controls: Responsibilities are clearly defined in writing and communicated as appropriate.
Weaker controls: Responsibilities are poorly defined or poorly communicated.

2.2 Knowledge and Skills.
Stronger controls: Unit management (faculty and supervisory staff) understand the knowledge and skills required to accomplish tasks.
Weaker controls: Management does not adequately consider knowledge and skill requirements.

2.3 Employee competence.
Stronger controls: Unit management is aware of competency levels, and is involved in training and increased supervision when competency is low.
Weaker controls: Management is not adequately aware of competency levels, or does not actively address problems.

3 - Management's Philosophy and Operating Style

3.1 Communication with Faculty, College and University.
Stronger controls: Unit management insists on full and open disclosure of financial or business issues with appropriate faculty, college and University personnel.
Weaker controls: Management is secretive and reluctant to conduct business or deal with issues in an open manner.

3.2 Laws and regulations.
Stronger controls: There is active concern and effort to ensure compliance with the letter and intent of laws and regulations.
Weaker controls: Management is willing to risk the consequences of noncompliance.

3.3 Getting the job done.
Stronger controls: Management is concerned with and exerts effort to get the job done right the first time.
Weaker controls: Management is willing to get the job done without adequate regard to quality.

3.4 Exceptions to policy.
Stronger controls: Exceptions to policy are infrequent. When they occur they must be approved and well documented.
Weaker controls: Exceptions to policy are the norm and are rarely documented.

3.5 Approach to financial accountability.
Stronger controls: Management's approach shows concern and appreciation for accurate and timely reporting. Budgeting and other financial estimates are generally conservative.
Weaker controls: Financial accountability is given low priority.

3.6 Emphasis on meeting budget and other financial and operating goals.
Stronger controls: Realistic budgets are established and results are actively monitored. Corrective action is taken as necessary. The unit learns from, and does not repeat, mistakes.
Weaker controls: Management either shows little concern (climate of laxness), or makes unreasonable demands (climate of fear).

3.7 Approach to decision making.
Stronger controls: Decision-making processes are deliberate and consistent. Decisions are made after careful consideration of relevant facts. Policies and procedures are in place to ensure appropriate levels of management are involved.
Weaker controls: Decision making is nearly always informal. Management makes arbitrary decisions with inadequate discussion and analysis of the facts.

4 - Organizational Structure

4.1 Complexity of the organizational structure.
Stronger controls: Complexity of the structure is commensurate with the organization. Lines of reporting are clear and documentation is up-to-date.
Weaker controls: Lines of responsibility are unclear or unnecessarily complicated for the size and activities of the entity.

4.2 Organization charts.
Stronger controls: Documentation exists and is up to date.
Weaker controls: Documentation does not exist or is out-of-date. The documented structure does not correspond with actual responsibilities.

4.3 Size of the management group.
Stronger controls: Size is commensurate with the complexity of the unit and its growth.
Weaker controls: Size is not appropriate (e.g., too many levels, too dispersed, or too "thin").

4.4 Stability of the management group.
Stronger controls: Low turnover.
Weaker controls: High turnover.


5 - Assignment of Authority and Responsibility

5.1 Delegation of authority and assignment of responsibility for operating and financial functions.
Stronger controls: Delegation of authority and assignment of responsibility is clearly defined. Individuals are held accountable for results.
Weaker controls: Decisions are dominated by one or a few individuals. Roles and responsibilities of middle management are unclear.

5.2 Authority limits.
Stronger controls: Authority limits are clearly defined in writing and communicated as appropriate.
Weaker controls: Policies and procedures covering authority limits are informal or poorly communicated.

5.3 Delegated signature authority.
Stronger controls: Appropriate limits have been placed on each delegation of signature authority. Management reviews and updates signature records as turnover occurs.
Weaker controls: Signature authority is delegated without adequate consideration. Delegated authority is not in line with employee knowledge, training, or competence.

5.4 Knowledge and experience.
Stronger controls: Key personnel are knowledgeable and experienced. Management does not delegate authority to inexperienced individuals.
Weaker controls: Key personnel are inexperienced. Management delegates authority without regard to knowledge and experience.

5.5 Resources.
Stronger controls: Management provides the resources needed for employees to carry out their duties.
Weaker controls: Management does not provide necessary resources.

6 - Human Resource Policies and Practices

6.1 Selection of personnel.
Stronger controls: A careful hiring process is in place. The Human Resources Department is involved in identifying potential employees based on job requirements.
Weaker controls: The hiring process is informal, and sometimes proceeds without adequate involvement by higher-level supervisors.

6.2 Training.
Stronger controls: On-the-job and other training programs have defined objectives. They are effective and important.
Weaker controls: Training programs are inconsistent, ineffective, or are given low priority.

6.3 Supervision policies.
Stronger controls: Personnel are adequately supervised. They have a regular resource for resolving problems.
Weaker controls: Regular supervision does not exist or is ineffective. Employees are frustrated and feel they 'have nowhere to go' with issues.

6.4 Inappropriate behavior.
Stronger controls: Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status.
Weaker controls: Reprimands are not timely, direct, or are not consistently applied (climate of favoritism).

6.5 Evaluation of personnel.
Stronger controls: An organized evaluation process exists.
Weaker controls: The evaluation process is ad hoc and inconsistent. Performance issues are not formally addressed.

6.6 Methods to compensate personnel.
Stronger controls: Compensation decisions are based on a formal process with meaningful involvement of more than one level of management. The effect of performance evaluations on compensation decisions is defined and communicated.
Weaker controls: Compensation decisions are ad hoc, inconsistent, or inadequately reviewed by management.

6.7 Staffing of critical functions.
Stronger controls: Critical functions are adequately staffed, with reasonable workloads.
Weaker controls: There is inadequate staffing and frequent periods of overwork and "organizational stress."

6.8 Turnover. Particularly turnover in financially responsible positions.
Stronger controls: Low turnover. Management understands root causes of turnover.
Weaker controls: High turnover. Management does not understand root causes.

Section 2 - Risk Assessment


7 - Organizational Goals and Objectives

7.1 Unit-wide objectives.
Stronger controls: A formal unit-wide mission or value statement is established and communicated throughout the unit.
Weaker controls: A unit-wide mission or value statement does not exist.

7.2 Critical success factors.
Stronger controls: Factors that are critical to achievement of unit-wide objectives are identified. Resources are appropriately allocated between critical success factors and objectives of lesser importance.
Weaker controls: Success factors are not identified or prioritized.

7.3 Activity-level objectives.
Stronger controls: Realistic objectives are established for all key activities including operations, financial reporting and compliance considerations.
Weaker controls: Activity-level objectives do not exist.

7.4 Measurement of objectives.
Stronger controls: Unit-wide and activity level objectives include measurement criteria and are periodically evaluated.
Weaker controls: Performance regarding objectives is not measured. Targets are not set.

7.5 Employee involvement.
Stronger controls: Employees at all levels are represented in establishing the objectives.
Weaker controls: Management dictates objectives without adequate employee involvement.

7.6 Long and short-range planning.
Stronger controls: Long and short-range plans are developed and are written. Changes in direction are made only after sufficient study is performed.
Weaker controls: No organized planning process exists. There are frequent shifts in direction or emphasis.

7.7 Budgeting system.
Stronger controls: Detailed budgets are developed by area of responsibility following prescribed procedures and realistic expectations. Plans and budgets support achievement of unit-wide action steps.
Weaker controls: Budgets do not exist or are "backed into" depending on desired outcome.

7.8 Strategic planning for information systems.
Stronger controls: Planning for future needs is done well in advance of expected needs and considers various scenarios.
Weaker controls: The information system lags significantly behind the needs of the business.

8 - Risk Identification and Prioritization

8.1 Identification and consideration of external risk factors.
Stronger controls: A process exists to identify and consider the implications of external risk factors (economic changes, changing sponsor, student and community needs or expectations, new or changed legislation or regulations, technological developments, etc.) on unit-wide objectives and plans.
Weaker controls: Potential or actual external risk factors are not effectively identified or evaluated.

8.2 Identification and consideration of internal risk factors.
Stronger controls: A process exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on unit-wide objectives and plans.
Weaker controls: Potential or actual internal risk factors are not effectively identified or evaluated.

8.3 Prioritization of risks.
Stronger controls: The likelihood of occurrence and potential impact (monetary and otherwise) have been evaluated. Risks have been categorized as tolerable or requiring action.
Weaker controls: Risks have not been prioritized.

8.4 Approach to studying risks.
Stronger controls: In-depth, cost / benefit studies are performed before committing significant unit resources.
Weaker controls: Risks are accepted with little or no study.

8.5 Process for monitoring risks.
Stronger controls: A risk management program is in place to monitor and help mitigate exposures.
Weaker controls: Exposure is dealt with on a case by case basis. Regular efforts or programs to manage risks do not exist.

8.6 Consultation with external advisors.
Stronger controls: External advisors are consulted as needed to supplement internal expertise.
Weaker controls: Internal expertise regarding risk and control issues is inadequate. Assistance is never sought from outside sources.

9 - Managing Change

9.1 Commitment to change.
Stronger controls: Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
Weaker controls: Management promotes the status quo, even when changes are needed to meet important business needs.

9.2 Support of change.
Stronger controls: Management is willing to commit resources to achieve positive change.
Weaker controls: Management offers no resources to facilitate change.

9.3 Routine change.
Stronger controls: Mechanisms exist to identify, prioritize, and react to routine events (i.e., turnover) that affect achievement of unit-wide objectives or action steps.
Weaker controls: Procedures are not present or are ineffective.

9.4 Economic change.
Stronger controls: Mechanisms exist to identify and react to economic changes.
Weaker controls: Procedures are not present or are ineffective.

9.5 Regulatory change.
Stronger controls: Mechanisms exist to identify and react to regulatory changes (maintain membership in associations that monitor laws and regulations, participate in University forums, etc.).
Weaker controls: Procedures are not present or are ineffective.

9.6 Technological change.
Stronger controls: Mechanisms exist to identify and react to technological changes and changes in the functional requirements of the unit.
Weaker controls: Procedures are not present or are ineffective.

Section 3 - Control Activities


10 - Written Policies and Procedures

10.1 Access to University policies and procedures.
Stronger controls: Unit staff have available up to date University policy and procedures and know how to use them.
Weaker controls: University policy and procedures are not available or are rarely used.

10.2 Unit policies and procedures.
Stronger controls: The unit has documented its own policies and procedures. They are well understood by unit staff.
Weaker controls: Unit policies and procedures do not exist.

11 - Control Procedures

11.1 Senior management (University or College) reviews.
Stronger controls: Senior management monitors the unit's performance against objectives and budget.
Weaker controls: Senior management does not monitor unit performance.

11.2 Top level (unit-wide) objective performance reviews by unit management.
Stronger controls: Reviews are made of actual performance compared to objectives and previous periods for all major initiatives. Management analyzes and follows up as needed.
Weaker controls: Analyses are not performed or management does not follow up on significant deviations.

11.3 Top level (unit-wide) financial performance reviews by unit management.
Stronger controls: Reviews are made of actual performance versus budgets, forecasts, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
Weaker controls: Analyses are not performed or management does not follow up on significant deviations.

11.4 Direct functional or activity management by unit management.
Stronger controls: Performance reviews are made of specific functions or activities, focusing on compliance, financial or operational issues.
Weaker controls: No performance reviews occur.

11.5 Performance indicators.
Stronger controls: Unexpected operating results or unusual trends are investigated.
Weaker controls: Operating results and trends are not monitored.

11.6 Accounting statements and key reconciliations.
Stronger controls: Accounting statements and key reconciliations are completed timely. Management performs a diligent review and signifies approval by signature and date.
Weaker controls: Reconciliations are not performed timely or regularly. Management does not carefully review or formally approve statements or reconciliations.

11.7 Sponsored project account management.
Stronger controls: Sponsored project accounts are reviewed and reconciled. PIs certify the expenditures timely. Unit management monitors the portfolio of sponsored accounts for compliance and fiscal responsibility.
Weaker controls: Sponsored project accounts are not monitored; reconciliations and certifications are not timely.

11.8 Use of restricted funds (gifts).
Stronger controls: Restrictions on use are well documented, and are understood by employees who administer the funds. Usage is monitored by management, accounts are reconciled.
Weaker controls: Restrictions are not clearly documented. Restricted fund accounts are not monitored; usage may not match restrictions.

11.9 Information processing.
Stronger controls: Controls exist to monitor the accuracy and completeness of information as well as authorization of transactions.
Weaker controls: No information processing controls are in place.

11.10 Physical controls.
Stronger controls: Equipment, supplies, inventory, cash and other assets are physically secured and periodically counted and compared to the amounts shown on control records.
Weaker controls: Equipment, supplies, inventory, cash and other assets are not protected. Control records do not exist or are not up to date.

11.11 Training and guidance for asset custodians.
Stronger controls: Adequate guidance and training are provided to personnel responsible for cash or similar assets.
Weaker controls: No training or guidance is provided.

11.12 Separation of duties.
Stronger controls: Financial duties are divided among different people (responsibilities for authorizing transactions, recording them and handling the asset are separated).
Weaker controls: No significant separation of financial duties among different employees.

11.13 Record retention.
Stronger controls: Unit employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed.
Weaker controls: Unit employees do not understand which records they are responsible for maintaining. The filing system is inadequate.

11.14 Disaster response plan.
Stronger controls: A disaster response and recovery plan has been developed and is understood by key personnel.
Weaker controls: No disaster response or recovery plan exists.

12 - Controls over Information Systems

12.1 Local information systems and LANs.
Stronger controls: System operations are documented; software is appropriately acquired and maintained; access to the system, programs and data is controlled; the system is maintained in a secure environment; applications are appropriately developed and maintained.
Weaker controls: Inadequate controls over local information systems or LANs.

12.2 Application controls.
Stronger controls: The unit controls its computer applications by diligent and timely response to edit lists, rejected transactions and other control and balancing reports. Controls ensure a high level of data integrity including completeness, accuracy, and validity of all information in the system.
Weaker controls: Application controls are not used.

12.3 Back Up.
Stronger controls: Key data and programs on LANs or desktop computers are appropriately backed up and maintained. Off-site storage is adequate considering possible risks of loss.
Weaker controls: No formal back up procedures exist. Management has not informed staff of back up requirements.


Section 4 - Information and Communication


13 - Access to Information

13.1 Relevant external information.
Stronger controls: Unit members receive relevant information regarding legislation, regulatory developments, economic changes or other external factors that affect the unit.
Weaker controls: Relevant information is not available.

13.2 Management reporting system.
Stronger controls: An executive information system exists. Information and reports are provided timely. Report detail is appropriate for the level of management. Data is summarized to facilitate decision making.
Weaker controls: A formal reporting system does not exist. Reports are not timely or are not at appropriate levels of detail.

13.3 Management of information security.
Stronger controls: Information is evaluated and classified based on level of integrity, confidentiality and availability. Individuals with access to information are trained to understand their responsibilities related to the information.
Weaker controls: Information used by the unit has not been evaluated and classified. Employees are not trained with respect to information security.

14 - Communication Patterns

14.1 Trust.
Stronger controls: Management promotes and fosters trust between employees, supervisors and other units.
Weaker controls: Interactions among faculty, staff and/or with other units are characterized by low levels of trust.

14.2 Policy enforcement and discipline.
Stronger controls: Employees who violate an important policy are disciplined. Management's communications and actions are consistent with policies.
Weaker controls: Violations, while not condoned officially, are often overlooked. Management's actions are inconsistent with official policies.

14.3 Recommendations for improvement.
Stronger controls: Employees are encouraged to provide recommendations for improvement. Ideas are recognized and rewarded.
Weaker controls: Employees' ideas are not welcomed.

14.4 Formal communications.
Stronger controls: Formal methods are used to communicate unit policies and procedures (e.g., manuals, training programs, written codes of conduct, and acceptable business practices).
Weaker controls: To the extent that they exist, policies are buried in unused manuals and documents.

14.5 External communications.
Stronger controls: Standards and expectations are communicated to key outside groups or individuals (e.g., vendors, consultants, donors, sponsors, subcontractors, sub-recipients).
Weaker controls: No external communication of standards and expectations.

14.6 Informal communications.
Stronger controls: Employees are kept informed of important matters (downward communication) and are able to communicate problems to persons with authority (upward communication). There is effective functional coordination within the unit (lateral communication).
Weaker controls: Most information is received by the "grapevine."

14.7 Communication with evaluators.
Stronger controls: Information is openly shared with outside evaluators.
Weaker controls: Information is kept secret from outside evaluators.

Section 5 - Monitoring

15 - Management Supervision

15.1 Effectiveness of key control activities.
Stronger controls: Management routinely spot-checks transactions, records and reconciliations to ensure expectations are met.
Weaker controls: Management never performs spot-checks.

15.2 Management supervision of accounting function.
Stronger controls: Accounting policies are defined and adopted after appropriate consideration. Policies are effectively communicated (in writing).
Weaker controls: Policies are ad hoc or poorly communicated.

15.3 Management supervision of new systems development.
Stronger controls: Policies are defined for developing new systems or changes to existing systems (cost/benefit analysis, team composition, user specifications, documentation, acceptance testing, and user approval).
Weaker controls: Policies and procedures are ad hoc, poorly communicated, or ineffective.

15.4 Budget analysis.
Stronger controls: Budgets are compared to actual results and deviations are followed up on a timely basis. Adequate consideration is given to commitments.
Weaker controls: An analysis of actual versus budgeted results is not performed, or management does not follow up on deviations.

16 - Outside Sources

16.1 Industry and professional associations.
Stronger controls: Data is used to compare the unit's performance with peers or industry standards.
Weaker controls: Comparative data is not regularly monitored.

16.2 Regulatory authorities.
Stronger controls: Reports from regulatory bodies are considered for their internal control implications.
Weaker controls: Response is limited to what is necessary to "get by" the regulators.

16.3 Sponsors, students, suppliers, creditors, and other third parties.
Stronger controls: Root causes of inquiries or complaints are investigated and considered for internal control implications.
Weaker controls: Inquiries or complaints are dealt with case-by-case, with little or no follow-up.

16.4 External auditors.
Stronger controls: Information provided by external auditors about control-related matters is considered and acted on at high levels.
Weaker controls: Findings are referred to lower levels or are explained away.

17 - Response Mechanisms

17.1 Management follow-up of violations of policies.
Stronger controls: Timely corrective action is taken.
Weaker controls: Follow-up is sporadic.

17.2 External or internal audit findings.
Stronger controls: Findings are considered and immediately acted upon at appropriate levels.
Weaker controls: Consideration of findings is delegated to lower levels or is given low priority.

17.3 Changes in conditions (e.g., economic, regulatory, technological, or competitive).
Stronger controls: Changes are anticipated and routinely integrated into ongoing long- and short-range planning.
Weaker controls: Responses are reactive rather than proactive.

18 - Self-Assessment Mechanisms

18.1 Monitoring of control environment.
Stronger controls: Management periodically assesses employee attitudes, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
Weaker controls: Assessment processes do not exist.

18.2 Evaluation of risk assessment process.
Stronger controls: Management periodically evaluates the effectiveness of its risk assessment process.
Weaker controls: Assessment processes do not exist.

18.3 Assessment of design and effectiveness of internal controls.
Stronger controls: Internal controls are subject to a formal and continuous internal assessment process.
Weaker controls: Assessment processes do not exist.

18.4 Evaluation of information and communication systems.
Stronger controls: Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems. Management questions information on management reports that appears unusual or inconsistent.
Weaker controls: Assessment process does not exist.
