Internal Control Self Assessment Mar-06 1111

  • 8/13/2019 Internal Control Self Assessment Mar-06 1111

    1/14

    Internal Control

    Self-Assessment Checklist

    Unit management throughout the University is responsible to establish internal controls to keep their unit on course toward its financial goals, to help it achieve its mission, to minimize surprises and risks, and to allow the organization to successfully deal with change. Internal controls are defined as activities undertaken to increase the likelihood of achieving management objectives in three areas:

    Efficiency and effectiveness of operations

    Reliability of financial reporting

    Compliance with laws and regulations

    Some internal controls are established at the institutional level; others are established by unit management. To achieve success, unit management needs to (1) be knowledgeable about, and support, institutional controls, and (2) implement practical and effective internal controls specific to the particular unit.

    The following checklist is provided to facilitate a self-assessment of internal controls by management of individual departments. It is intended to address general aspects of internal controls, and does not include specific controls applicable to individual units.

    Organization of the checklist is consistent with the five interrelated components of internal control defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

    We encourage department heads and other unit management to use this self-assessment checklist to evaluate internal controls in their areas of responsibility. Management should also add to the checklist other controls that apply specifically to their units.

    Internal Audit would be pleased to consult on methods to improve your internal controls.

    Assessment Factor | Indication of Stronger Controls | Indication of Weaker Controls | Assessment (Strong - Weak: 1 2 3 4)

    Section 1 - Control Environment

    1 - Integrity and Ethical Values

    1.1 Acceptable business practices.
    Stronger controls: Unit management (faculty and supervisory staff) understand the University's policies covering matters such as legitimate use of University resources.
    Weaker controls: Policies are poorly understood.

    1.2 Codes of conduct.
    Stronger controls: Unit management understand the University's policies governing relationships with sponsors, suppliers, creditors, regulators, the community, and the public at large.
    Weaker controls: Policies are poorly understood.

    1.3 Conflicts of interests.
    Stronger controls: Unit management understand the University's policies regarding potential conflicts of interest.
    Weaker controls: Policies are poorly understood.

    1.4 Integrity.
    Stronger controls: Unit management sets a good example and regularly communicates high expectations regarding integrity and ethical values.
    Weaker controls: Management does not set a good example and

    Knowledge and Skills.

    Stronger controls: Unit management (faculty and supervisory staff) understand the knowledge and skills required to accomplish tasks.
    Weaker controls: Management does not adequately consider knowledge and skill requirements.

    2.3 Employee competence.
    Stronger controls: Unit management is aware of competency levels, and is involved in training and increased supervision when competency is low.
    Weaker controls: Management is not adequately aware of competency levels, or does not actively address problems.

    3 - Management's Philosophy and Operating Style

    3.1 Communication with Faculty, College and University.
    Stronger controls: Unit management insists on full and open disclosure of financial or business issues with appropriate faculty, college and University personnel.
    Weaker controls: Management is secretive and reluctant to conduct business or deal with issues in an open manner.

    3.2 Laws and regulations.
    Stronger controls: There is active concern and effort to ensure compliance with the letter and intent of laws and regulations.
    Weaker controls: Management is willing to risk the consequences of noncompliance.

    3.3 Getting the job done.
    Stronger controls: Management is concerned with and exerts effort to get the job done right the first time.
    Weaker controls: Management is willing to get the job done without adequate regard to quality.

    3.4 Exceptions to policy.
    Stronger controls: Exceptions to policy are infrequent. When they occur they must be approved and well documented.
    Weaker controls: Exceptions to policy are the norm and are rarely documented.

    3.5 Approach to financial accountability.
    Stronger controls: Management's approach shows concern and appreciation for accurate and timely reporting. Budgeting and other financial estimates are generally conservative.
    Weaker controls: Financial accountability is given low priority.

    3.6 Emphasis on meeting budget and other financial and operating goals.
    Stronger controls: Realistic budgets are established and results are actively monitored. Corrective action is taken as necessary. The unit learns from, and does not repeat, mistakes.
    Weaker controls: Management either shows little concern (climate of laxness), or makes unreasonable demands (climate of fear).

    3.7 Approach to decision making.
    Stronger controls: Decision-making processes are deliberate and consistent. Decisions are made after careful consideration of relevant facts. Policies and procedures are in place to ensure appropriate levels of management are involved.
    Weaker controls: Decision making is nearly always informal. Management makes arbitrary decisions with inadequate discussion and analysis of the facts.

    4 - Organizational Structure

    4.1 Complexity of the organizational structure.
    Stronger controls: Complexity of the structure is commensurate with the organization. Lines of reporting are clear and documentation is up-to-date.
    Weaker controls: Lines of responsibility are unclear or unnecessarily complicated for the size and activities of the entity.

    4.2 Organization charts.
    Stronger controls: Documentation exists and is up to date.
    Weaker controls: Documentation does not exist or is out-of-date. The documented structure does not correspond with actual responsibilities.

    4.3 Size of the management group.
    Stronger controls: Size is commensurate with the complexity of the unit and its growth.
    Weaker controls: Size is not appropriate (e.g., too many levels, too dispersed, or too thin).

    4.4 Stability of the management group.
    Stronger controls: Low turnover.
    Weaker controls: High turnover.

    5 - Assignment of Authority and Responsibility

    5.1 Delegation of authority and assignment of responsibility for operating and financial functions.
    Stronger controls: Delegation of authority and assignment of responsibility is clearly defined. Individuals are held accountable for results.
    Weaker controls: Decisions are dominated by one or a few individuals. Roles and responsibilities of middle management are unclear.

    5.2 Authority limits.
    Stronger controls: Authority limits are clearly defined in writing and communicated as appropriate.
    Weaker controls: Policies and procedures covering authority limits are informal or poorly communicated.

    5.3 Delegated signature authority.
    Stronger controls: Appropriate limits have been placed on each delegation of signature authority. Management reviews and updates signature records as turnover occurs.
    Weaker controls: Signature authority is delegated without adequate consideration. Delegated authority is not in line with employee knowledge, training, or competence.

    5.4 Knowledge and experience.
    Stronger controls: Key personnel are knowledgeable and experienced. Management does not delegate authority to inexperienced individuals.
    Weaker controls: Key personnel are inexperienced. Management delegates authority without regard to knowledge and experience.

    5.5 Resources.
    Stronger controls: Management provides the resources needed for employees to carry out their duties.
    Weaker controls: Management does not provide necessary resources.

    6 - Human Resource Policies and Practices

    6.1 Selection of personnel.
    Stronger controls: A careful hiring process is in place. The Human Resources Department is involved in identifying potential employees based on job requirements.
    Weaker controls: The hiring process is informal, and sometimes proceeds without adequate involvement by higher-level supervisors.

    6.2 Training.
    Stronger controls: On-the-job and other training programs have defined objectives. They are effective and important.
    Weaker controls: Training programs are inconsistent, ineffective, or are given low priority.

    6.3 Supervision policies.
    Stronger controls: Personnel are adequately supervised. They have a regular resource for resolving problems.
    Weaker controls: Regular supervision does not exist or is ineffective. Employees are frustrated and feel they "have nowhere to go" with issues.

    6.4 Inappropriate behavior.
    Stronger controls: Inappropriate behavior is consistently reprimanded in a timely and direct manner, regardless of the individual's position or status.
    Weaker controls: Reprimands are not timely, direct, or are not consistently applied (climate of favoritism).

    6.5 Evaluation of personnel.
    Stronger controls: An organized evaluation process exists.
    Weaker controls: The evaluation process is ad hoc and inconsistent. Performance issues are not formally addressed.

    6.6 Methods to compensate personnel.
    Stronger controls: Compensation decisions are based on a formal process with meaningful involvement of more than one level of management. The effect of performance evaluations on compensation decisions is defined and communicated.
    Weaker controls: Compensation decisions are ad hoc, inconsistent, or inadequately reviewed by management.

    6.7 Staffing of critical functions.
    Stronger controls: Critical functions are adequately staffed, with reasonable workloads.
    Weaker controls: There is inadequate staffing and frequent periods of overwork and organizational stress.

    6.8 Turnover. Particularly turnover in financially responsible positions.
    Stronger controls: Low turnover. Management understands root causes of turnover.
    Weaker controls: High turnover. Management does not understand root causes.

    Section 2 - Risk Assessment

    7 - Organizational Goals and Objectives

    7.1 Unit-wide objectives.
    Stronger controls: A formal unit-wide mission or value statement is established and communicated throughout the unit.
    Weaker controls: A unit-wide mission or value statement does not exist.

    7.2 Critical success factors.
    Stronger controls: Factors that are critical to achievement of unit-wide objectives are identified. Resources are appropriately allocated between critical success factors and objectives of lesser importance.
    Weaker controls: Success factors are not identified or prioritized.

    7.3 Activity-level objectives.
    Stronger controls: Realistic objectives are established for all key activities including operations, financial reporting and compliance considerations.
    Weaker controls: Activity-level objectives do not exist.

    7.4 Measurement of objectives.
    Stronger controls: Unit-wide and activity level objectives include measurement criteria and are periodically evaluated.
    Weaker controls: Performance regarding objectives is not measured. Targets are not set.

    7.5 Employee involvement.
    Stronger controls: Employees at all levels are represented in establishing the objectives.
    Weaker controls: Management dictates objectives without adequate employee involvement.

    7.6 Long and short-range planning.
    Stronger controls: Long and short-range plans are developed and are written. Changes in direction are made only after sufficient study is performed.
    Weaker controls: No organized planning process exists. There are frequent shifts in direction or emphasis.

    7.7 Budgeting system.
    Stronger controls: Detailed budgets are developed by area of responsibility following prescribed procedures and realistic expectations. Plans and budgets support achievement of unit-wide action steps.
    Weaker controls: Budgets do not exist or are backed into depending on desired outcome.

    7.8 Strategic planning for information systems.
    Stronger controls: Planning for future needs is done well in advance of expected needs and considers various scenarios.
    Weaker controls: The information system lags significantly behind the needs of the business.

    8 - Risk Identification and Prioritization

    8.1 Identification and consideration of external risk factors.
    Stronger controls: A process exists to identify and consider the implications of external risk factors (economic changes, changing sponsor, student and community needs or expectations, new or changed legislation or regulations, technological developments, etc.) on unit-wide objectives and plans.
    Weaker controls: Potential or actual external risk factors are not effectively identified or evaluated.

    8.2 Identification and consideration of internal risk factors.
    Stronger controls: A process exists to identify and consider the implications of internal risk factors (new personnel, new information systems, changes in management responsibilities, new or changed educational or research programs, etc.) on unit-wide objectives and plans.
    Weaker controls: Potential or actual internal risk factors are not effectively identified or evaluated.

    8.3 Prioritization of risks.
    Stronger controls: The likelihood of occurrence and potential impact (monetary and otherwise) have been evaluated. Risks have been categorized as tolerable or requiring action.
    Weaker controls: Risks have not been prioritized.

    8.4 Approach to studying risks.
    Stronger controls: In-depth, cost / benefit studies are performed before committing significant unit resources.
    Weaker controls: Risks are accepted with little or no study.

    8.5 Process for monitoring risks.
    Stronger controls: A risk management program is in place to monitor and help mitigate exposures.
    Weaker controls: Exposure is dealt with on a case by case basis. Regular efforts or programs to manage risks do not exist.

    8.6 Consultation with external advisors.
    Stronger controls: External advisors are consulted as needed to supplement internal expertise.
    Weaker controls: Internal expertise regarding risk and control issues is inadequate. Assistance is never sought from outside sources.

    9 - Managing Change

    9.1 Commitment to change.
    Stronger controls: Management promotes continuous improvement and solicits input and feedback on the implications of significant change.
    Weaker controls: Management promotes the status quo, even when changes are needed to meet important business needs.

    9.2 Support of change.
    Stronger controls: Management is willing to commit resources to achieve positive change.
    Weaker controls: Management offers no resources to facilitate change.

    9.3 Routine change.
    Stronger controls: Mechanisms exist to identify, prioritize, and react to routine events (i.e., turnover) that affect achievement of unit-wide objectives or action steps.
    Weaker controls: Procedures are not present or are ineffective.

    9.4 Economic change.
    Stronger controls: Mechanisms exist to identify and react to economic changes.
    Weaker controls: Procedures are not present or are ineffective.

    9.5 Regulatory change.
    Stronger controls: Mechanisms exist to identify and react to regulatory changes (maintain membership in associations that monitor laws and regulations, participate in University forums, etc.).
    Weaker controls: Procedures are not present or are ineffective.

    9.6 Technological change.
    Stronger controls: Mechanisms exist to identify and react to technological changes and changes in the functional requirements of the unit.
    Weaker controls: Procedures are not present or are ineffective.

    Section 3 - Control Activities

    10 - Written Policies and Procedures

    10.1 Access to University policies and procedures.
    Stronger controls: Unit staff have available up to date University policy and procedures and know how to use them.
    Weaker controls: University policy and procedures are not available or are rarely used.

    10.2 Unit policies and procedures.
    Stronger controls: The unit has documented its own policies and procedures. They are well understood by unit staff.
    Weaker controls: Unit policies and procedures do not exist.

    11 - Control Procedures

    11.1 Senior management (University or College) reviews.
    Stronger controls: Senior management monitors the unit's performance against objectives and budget.
    Weaker controls: Senior management does not monitor unit performance.

    11.2 Top level (unit-wide) objective performance reviews by unit management.
    Stronger controls: Reviews are made of actual performance compared to objectives and previous periods for all major initiatives. Management analyzes and follows up as needed.
    Weaker controls: Analyses are not performed or management does not follow up on significant deviations.

    11.3 Top level (unit-wide) financial performance reviews by unit management.
    Stronger controls: Reviews are made of actual performance versus budgets, forecasts, and performance in prior periods for all major initiatives. Management analyzes and follows up as needed.
    Weaker controls: Analyses are not performed or management does not follow up on significant deviations.

    11.4 Direct functional or activity management by unit management.
    Stronger controls: Performance reviews are made of specific functions or activities, focusing on compliance, financial or operational issues.
    Weaker controls: No performance reviews occur.

    11.5 Performance indicators.
    Stronger controls: Unexpected operating results or unusual trends are investigated.
    Weaker controls: Operating results and trends are not monitored.

    11.6 Accounting statements and key reconciliations.
    Stronger controls: Accounting statements and key reconciliations are completed timely. Management performs a diligent review and signifies approval by signature and date.
    Weaker controls: Reconciliations are not performed timely or regularly. Management does not carefully review or formally approve statements or reconciliations.

    11.7 Sponsored project account management.
    Stronger controls: Sponsored project accounts are reviewed and reconciled. PIs certify the expenditures timely. Unit management monitors the portfolio of sponsored accounts for compliance and fiscal responsibility.
    Weaker controls: Sponsored project accounts are not monitored; reconciliations and certifications are not timely.

    11.8 Use of restricted funds (gifts).
    Stronger controls: Restrictions on use are well documented, and are understood by employees who administer the funds. Usage is monitored by management, accounts are reconciled.
    Weaker controls: Restrictions are not clearly documented. Restricted fund accounts are not monitored; usage may not match restrictions.

    11.9 Information processing.
    Stronger controls: Controls exist to monitor the accuracy and completeness of information as well as authorization of transactions.
    Weaker controls: No information processing controls are in place.

    11.10 Physical controls.
    Stronger controls: Equipment, supplies, inventory, cash and other assets are physically secured and periodically counted and compared to the amounts shown on control records.
    Weaker controls: Equipment, supplies, inventory, cash and other assets are not protected. Control records do not exist or are not up to date.

    11.11 Training and guidance for asset custodians.
    Stronger controls: Adequate guidance and training are provided to personnel responsible for cash or similar assets.
    Weaker controls: No training or guidance is provided.

    11.12 Separation of duties.
    Stronger controls: Financial duties are divided among different people (responsibilities for authorizing transactions, recording them and handling the asset are separated).
    Weaker controls: No significant separation of financial duties among different employees.

    11.13 Record retention.
    Stronger controls: Unit employees understand which records they are responsible to maintain and the required retention period. Records are appropriately filed.
    Weaker controls: Unit employees do not understand which records they are responsible for maintaining. The filing system is inadequate.

    11.14 Disaster response plan.
    Stronger controls: A disaster response and recovery plan has been developed and is understood by key personnel.
    Weaker controls: No disaster response or recovery plan exists.

    12 - Controls over Information Systems

    12.1 Local information systems and LANs.
    Stronger controls: System operations are documented; software is appropriately acquired and maintained; access to the system, programs and data is controlled; the system is maintained in a secure environment; applications are appropriately developed and maintained.
    Weaker controls: Inadequate controls over local information systems or LANs.

    12.2 Application controls.
    Stronger controls: The unit controls its computer applications by diligent and timely response to edit lists, rejected transactions and other control and balancing reports. Controls ensure a high level of data integrity including completeness, accuracy, and validity of all information in the system.
    Weaker controls: Application controls are not used.

    12.3 Back Up.
    Stronger controls: Key data and programs on LANs or desktop computers are appropriately backed up and maintained. Off-site storage is adequate considering possible risks of loss.
    Weaker controls: No formal back up procedures exist. Management has not informed staff of back up requirements.

    Section 4 - Information and Communication

    13 - Access to Information

    13.1 Relevant external information.
    Stronger controls: Unit members receive relevant information regarding legislation, regulatory developments, economic changes or other external factors that affect the unit.
    Weaker controls: Relevant information is not available.

    13.2 Management reporting system.
    Stronger controls: An executive information system exists. Information and reports are provided timely. Report detail is appropriate for the level of management. Data is summarized to facilitate decision making.
    Weaker controls: A formal reporting system does not exist. Reports are not timely or are not at appropriate levels of detail.

    13.3 Management of information security.
    Stronger controls: Information is evaluated and classified based on level of integrity, confidentiality and availability. Individuals with access to information are trained to understand their responsibilities related to the information.
    Weaker controls: Information used by the unit has not been evaluated and classified. Employees are not trained with respect to information security.

    14 - Communication Patterns

    14.1 Trust.
    Stronger controls: Management promotes and fosters trust between employees, supervisors and other units.
    Weaker controls: Interactions among faculty, staff and

    14.5 External communications.
    Stronger controls: Standards and expectations are communicated to key outside groups or individuals (e.g., vendors, consultants, donors, sponsors, subcontractors, sub-recipients).
    Weaker controls: No external communication of standards and expectations.

    14.6 Informal communications.
    Stronger controls: Employees are kept informed of important matters (downward communication) and are able to communicate problems to persons with authority (upward communication). There is effective functional coordination within the unit (lateral communication).
    Weaker controls: Most information is received by the grapevine.

    14.7 Communication with evaluators.
    Stronger controls: Information is openly shared with outside evaluators.
    Weaker controls: Information is kept secret from outside evaluators.

    Section 5 - Monitoring

    15 - Management Supervision

    15.1 Effectiveness of key control activities.
    Stronger controls: Management routinely spot-checks transactions, records and reconciliations to ensure expectations are met.
    Weaker controls: Management never performs spot-checks.

    15.2 Management supervision of accounting function.
    Stronger controls: Accounting policies are defined and adopted after appropriate consideration. Policies are effectively communicated (in writing).
    Weaker controls: Policies are ad hoc or poorly communicated.

    15.3 Management supervision of new systems development.
    Stronger controls: Policies are defined for developing new systems or changes to existing systems (cost

    16.1 Industry and professional associations.
    Stronger controls: Data is used to compare the unit's performance with peers or industry standards.
    Weaker controls: Comparative data is not regularly monitored.

    16.2 Regulatory authorities.
    Stronger controls: Reports from regulatory bodies are considered for their internal control implications.
    Weaker controls: Response is limited to what is necessary to get by the regulators.

    16.3 Sponsors, students, suppliers, creditors, and other third parties.
    Stronger controls: Root causes of inquiries or complaints are investigated and considered for internal control implications.
    Weaker controls: Inquiries or complaints are dealt with case-by-case, with little or no follow-up.

    16.4 External auditors.
    Stronger controls: Information provided by external auditors about control-related matters are considered and acted on at high levels.
    Weaker controls: Findings are referred to lower levels or are explained away.

    17 - Response Mechanisms

    17.1 Management follow-up of violations of policies.
    Stronger controls: Timely corrective action is taken.
    Weaker controls: Follow-up is sporadic.

    17.2 External or internal audit findings.
    Stronger controls: Findings are considered and immediately acted upon at appropriate levels.
    Weaker controls: Consideration of findings is delegated to lower levels or is given low priority.

    17.3 Changes in conditions (e.g., economic, regulatory, technological, or competitive).
    Stronger controls: Changes are anticipated and routinely integrated into ongoing long- and short-range planning.
    Weaker controls: Responses are reactive rather than proactive.

    18 - Self-Assessment Mechanisms

    18.1 Monitoring of control environment.
    Stronger controls: Management periodically assesses employee attitudes, reviews the effectiveness of the organization structure, and evaluates the appropriateness of policies and procedures.
    Weaker controls: Assessment processes do not exist.

    18.2 Evaluation of risk assessment process.
    Stronger controls: Management periodically evaluates the effectiveness of its risk assessment process.
    Weaker controls: Assessment processes do not exist.

    18.3 Assessment of design and effectiveness of internal controls.
    Stronger controls: Internal controls are subject to a formal and continuous internal assessment process.
    Weaker controls: Assessment processes do not exist.

    18.4 Evaluation of information and communication systems.
    Stronger controls: Management periodically evaluates the accuracy, timeliness and relevance of its information and communication systems. Management questions information on management reports that appears unusual or inconsistent.
    Weaker controls: Assessment process does not exist.