Skip to main content
Office of the University Controller Indiana University

Internal Controls

Prerequisites

Prior to reading the standard on Internal Controls, it is beneficial to review the below sections to gain foundational information:

  1. Internal Controls (FIN-ACC-470)
  2. Financial Process Narrative Standard
  3. Accounting Fundamentals Standards Section
  4. Financial Statements Standards Section

Preface

This standard discusses what internal controls are and how they are used internally within Indiana University. Information presented below outlines a general understanding of internal controls and requirements specifically related to internal controls.

Introduction

What are Internal Controls?

As defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), “an internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

Internal Control Objectives

  • Operational Objectives - pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
  • Reporting Objectives - pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies.
  • Compliance Objectives - pertain to adherence to laws and regulations to which the entity is subject.

    Internal Control Objectives

Importance and Impact of Internal Controls

Establishing and using the proper internal controls is vital for universities of any size and can help set the ethical tone in an organization. While internal controls cannot always prevent fraud, particularly if the fraud is being carried out by upper management, in normal circumstances they can help detect and deter fraudulent activity. An organization that does not properly establish internal controls is far more likely to experience issues such as fines, penalties, and/or loss assets and reputation.

Internal controls can also ensure that financial statements are prepared both timely and accurately, while also addressing any assertions made in the completed financial statements. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the University's financial statements will not be prevented, or detected and corrected, on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. Material weakness or significant deficiency identified during the external financial statement audit has implications to the audit opinion. The opinion is published as part of the annual financial report, which is reviewed by government agencies, bond rating agencies, accrediting agencies, suppliers, creditors, and other interested parties external to the university such as donors.

Internal Controls - Discussed in Detail

Types of Internal Controls

  • Preventive Controls - are generally more efficient and designed to discourage errors or irregularities.
  • Detective Controls - are designed to identify errors or irregularities after they have occurred.
  • Corrective Controls - are implemented after the internal detective controls discover a problem.

Types of Internal Controls Example

Components of Internal Control

The system of internal controls must be designed, implemented, and functioning to support the following components:

  • Control Environment - the set of standards, processes, and structures that provide the basis for carrying out internal control across the university.
  • Risk Assessment - the process to identify, analyze and assess risks to the achievement of objectives.
  • Control Activities - the actions established through policies and procedures to mitigate risks to the achievement of institutional objectives.
  • Information and communication - the use of relevant information to disseminate clear messages. Sound internal controls establish expectations and procedures to support the reliability and integrity of financial information and reporting.
  • Monitoring Activities - the use of evaluations to ascertain whether internal controls are present and functioning.

Components of Internal Control

Component General Description Examples of IU Activity
Control Environment Sets tone of organization Ethics Policy
Internals Controls Policy
Authority Policy
Finance and Audit Committee Review Meetings
Risk Assessment Identification and analysis of relevant risks Internal Audit Risk Assessment
Risk Management
Compliance Office
Control Activities Policies and procedures that govern day-to-day activity. Transaction approvals and reconciliations
Segregation of duties
Written procedures (process narratives)
Information and Communication Flow of timely, accessible, and pertinent information. Foundations of supervision including metrics reporting, management reviews, and annual employee performance reviews.
Websites and Newsletters
Monitoring Assessment of controls Internal Audit Reviews and Report findings
UCO Annual Certification
Oversight reports

Requirements

  1. All Constituent Reporting Units (CRUs) must annually attest to their financial activity, internal control structure and overall adherence to IU Accounting Standards through the university’s Sub-Certification process.
  2. Financial process narratives should be updated on an annual basis in preparation for the audit cycle and related internal controls evaluation.

  3. Departments are required to follow all internal control standards posted on the UCO IU Accounting Standards site.