Internal Controls and Risk Management
Op3.12-14 Internal Controls and Risk Management
What is my role as Department Head?
All organizations have business risks – we couldn’t succeed without taking some risks. However, we need to understand our risks and assess them. The university’s Internal Controls includes a system of organizational design, written policies and procedures, operating practices and physical barriers to protect assets. The internal control system provides for safeguarding assets, proper recording of transactions, and the efficient and effective accomplishment of the university’s goals and objectives, including compliance with federal, state, and university rules and regulations. As managers, we can delegate some of the related duties we have, but cannot delegate accountability and responsibility.
Who owns “internal controls?”
We all do. Internal controls are the process that management uses to provide reasonable assurance that the university’s goals and objectives will be achieved.
Who owns “risk”?
We all do. Risk is inherent in our operations and should be identified and managed. In any institution, some level of risk must be assumed to be successful. However, our policies and systems of internal control help to minimize risks.
What is internal control?
Internal Control is an accounting procedure or operating system that:
- Communicates the university’s mission, primary goals, and activities
- Protects the university’s assets
- Complies with laws and regulations
- Provides boundaries
- Utilizes resources effectively and efficiently
- Promotes financial reliability and integrity
- Monitors results
- Provides feedback
- Basically… helps us do our jobs.
Examples of internal controls that help you as the department head:
- Segregation of duties such as segregating the responsibility to receive and count cash versus comparing the cash register tape or receipt books to the record of deposits and books.
- Authorizations, delegations, and approvals (department head is authorized to approve time for the employee, initiate salary changes, etc.) The university has determined by policy that approval or execution of a contract must be at a Dean or higher level. The university’s President has delegated his contracting approval in certain cases to authorized individuals.
- Account reconciliation and analysis (the Department Head’s assistant reconciles all expenses per month to the source: salaries, P-Card purchases, furniture purchases, foundation funds, etc.) Analysis may be routine review of accounts to identify any unusual changes in balances, purchases, etc. and research to determine cause. Any unusual transactions (erroneous charge to your account, etc.) are brought to the attention of Financial Services.
- Physical and inventory Controls - As a control related to assets/inventory, department maintains a listing of all its computers and software to ensure that these are onsite and accounted for annually. As a safeguard to prevent theft, all laptops are locked in the employee’s desk. As an accounting control, when the Bookstore closes the year, a store-wide inventory is performed to confirm that the balance on the books for inventory equals the physical amount of inventory.
- Hiring and termination policy – The university has specific policies related to the hiring and termination of employees. Department Heads must ensure that the university’s policies are followed in the Search process, ensuring that a diverse pool of candidates is fully considered. An example where an employee is retiring or resigning, would be use of the Termination checklist by Human Resources/Department Head (to ensure return of keys, credit cards, etc. when an employee departs the department or the university)
- Strategic planning and university/Board policies – Definition of management’s expectations regarding the university’s mission and specific activities within the university. Policies are often based on existing federal, state, and local regulations, best practices and risk management, and pursuit of the university’s mission and goals.
- Desk procedures & cross training - These are important in assuring that should a position be vacated, the job duties will be performed. (minimizing risk)
- Data processing controls and policies – Examples would be procedures that ensure that the university’s various systems and data are only accessed by authorized individuals; that data is processed timely and accurately, that changes and updates to our systems are tracked and approved, and that security levels for the university’s data are defined and protected to prevent access of protected information and/or data breach incidents.
I’m not an accountant. What are risks in my department and how can I control them?
Risks are all possible barriers, obstacles, threats and exposures that might prevent you from achieving your goals and objectives. To effectively manage risks, we must understand the importance of internal controls.
Most of us understand the threats to our own college and department. For the birds eye view of typical threats/risks to any university – below is an excellent tool developed by our third-party Hotline provider, EthicsPoint.
This document defines various risk categories for higher education institutions. In other words, for various areas of our university, what types of things can go wrong? Page 4 is the high level view of risk categories; Pages 5 – 12 provide detailed definitions of risks that apply to the categories:
In addition, review the “Self Assessment” series of questions that may be helpful in assessing your own department’s controls.
Who might be a resource in my college?
Your Budget Officer should be able to assist you in understanding the accounts within your department, and also be familiar with the processes that support your accounts, such as revenue, cash receipts, grants management and reporting, P-cards, and expenses. For example:
If you have events that involve the sale of tickets or services for cash or checks, and this is a not a student organization’s activity, these should be recorded on the university books.
For an event that requires ticketing and receipt of cash - what controls are in place? (see section on cash receipts). Are you immediately depositing to the Bursar (or within the prescribed policy requirements)? Can you reconcile cash received to tickets? Do you issue Tickets? If not, what controls enable you to know all cash that should have been received has been?
What types of cash expenses are incurred? Do you have petty cash funds? Do you collect a lot of cash and have one person receiving and depositing? Who reconciles revenue for your accounts? Who confirms/reconciles expenses in your budget to the P-card statements or other billings (such as work orders, salary, telecom, etc?)
These and other types of support may be provided by the Budget Officer. If you have any question regarding proper fiscal controls and recording in accounts/handling cash, consult your budget officer for initial support.
On a practical basis – what should I do?
- Understand the key financial/business processes within your department (such as activities that relate to assets, purchases, cash collections, financial and operating data, safety and security, compliance with regulations, conflicts of interest, effort reporting, privacy of student, health, personally protected data.)
- For ongoing activities, know what the highest risks are, and identify controls in place to manage these.
- Make sure that you set the Tone at the Top: ask yourself whether you believe employees’ actions are in compliance with university policies, standards, procedures, and applicable laws and regulations.
- Be aware of any unusual circumstances regarding policy compliance or conflict of interest within your organization that may require your attention and follow-up, and don’t hesitate to ask questions. Discuss any concerns or actual violations with your Dean, and determine what actions must be taken. For clarification, feel free to contact the Bursar (cash receipts), or Financial Services (budget and accounting matters.)
- See the attachment “Top 10 Suggestions for Internal Controls” – a highly simplified listing of things to do regarding your office’s controls.
What are some Key Policies or references on this matter?
Academic Department Head Manual (revised 1/2009)
Fiscal Responsibility Policy
Missouri State University: Long-Range Planning Policy
Long-Range Plan – Chapter VI: Modeling Ethical and Effective Behavior
Missouri State University: Declaration of University Principles
Missouri State University: Whistleblower Policy
What if I have Questions?
Contact your Dean, Budget Officer, Financial Services, Internal Audit and Risk Management or General Counsel.