Internal controls are comprised of five interrelated components, listed in order of their importance and effectiveness:
- Control Environment
- The control environment sets the ethical and procedural tone for the organization. Factors such as integrity, ethical values, competency, management philosophy, and operating style form the foundation for other components of internal control, and for providing discipline and structure.
- Risk Assessment
- Risk assessment involves identifying circumstances that may impede the organization’s ability to achieve its objectives and evaluating the effectiveness of procedures in place that mitigate identified risks.
- Control Activities
- Control activities are the actions and directions that help ensure management goals are met and risks are properly managed. They include a range of activities, such as approvals, authorizations, verifications, reconciliations, reviews, security of assets, and separation of duties.
- Information and Communication
- Quality information must be communicated to the right people at the appropriate time to ensure employees effectively discharge their responsibilities. Effective communication must also occur in a broader sense flowing in all directions throughout the organization. Everyone must understand their own role with internal controls and that control responsibilities must be taken seriously.
Processes for assessing the quality of performance over time through ongoing monitoring of activities, and/or separate evaluations provide assurance that controls are in place and functioning as intended. Monitoring includes regular management and supervisory activities and actions taken by people in performing their duties.
Establishing an ethical environment and setting the tone at the top of the organization are the most important elements of the accountability and control environment. Each of the components work together to create a comprehensive system capable of deterring fraud and preventing, detecting and correcting problems based on an overall assessment of risk and exposure.
Statement on Auditing Standards 115
The American Institute of Certified Public Accountants in 2008 published Statement on Auditing Standards 115 (SAS 115) titled “Communicating Internal Control Related Matters Identified in an Audit.” SAS 115 establishes standards and provides guidance to auditors on communicating matters related to an entity’s internal controls over financial reporting in an audit of financial statements. The university contracts with an external accounting firm to perform an annual audit of the UC financial statements. The standard:
- Defines the terms significant deficiency and material weakness.
- Provides guidance on evaluating the severity of control deficiencies identified in an audit of financial statements.
- Requires the auditor to communicate, in writing, to management and those charged with governance, significant deficiencies and material weaknesses identified in an audit.
SAS 115 lowers the threshold for reporting control deficiencies. The significance of a control deficiency as determined by the auditor depends on the reasonable possibility for a financial misstatement, not on whether a misstatement has actually occurred.
Significant deficiencies and material weaknesses may result in our external auditors rendering a qualified opinion regarding the university’s financial statements. Such an opinion would bring into question our stewardship responsibilities and have a significant financial impact.
The US General Accounting Office included SAS 112 in their July 2007 revision to the Government Auditing Standards, which federal auditors follow in performing audits of sponsored projects. The new standards could result in disallowances and penalties.