Which of the following terms is best described as policies and procedures that help ensure management directives are carried out and management objectives are achieved?

Table of Contents Show

Responsibility
Framework for Internal Control
Internal Control Activities and Best Practices
Other Internal Control Best Practices
Additional Information

Internal control is a process, enacted by The University of Texas System (UT System) Board of Regents, management and other personnel, designed to provide reasonable assurance regarding achievement of objectives in the following categories:

Operations relating to effective and efficient use of UT System's resources
Financial reporting relating to preparation of reliable published financial statements
Compliance relating to UT System's compliance with applicable laws and regulations

Internal control consists of the following five interrelated components:

Control environment Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the Board of Regents.
Risk assessment Risk assessment is the identification and analysis of risks that have the ability to impede the achievement of stated goals and objectives. It is a precursor for determining how risks should be managed. Preconditions to a risk assessment is the establishment of goals and objectives.
Control activities Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. They include a range of activities such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
Information and communication Pertinent information must be identified, captured, and communicated in a form and time frame that enables employees to carry out their responsibilities. Information systems produce reports, containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally-generated data, but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting.
Monitoring Internal control systems need to be monitored. This is accomplished through ongoing monitoring activities or separate evaluations. It includes regular management and supervisory activities, and other actions personnel take when performing their duties.

When looking at any one category ( Operations , Financial Reporting , Compliance ), all five of the components, listed above, must be present and functioning effectively to conclude that internal control over operations is effective.

What are the key concepts for internal controls?

Internal control is a process. It is a means to an end, not an end in itself.
Internal control is affected by people. It is not merely policy manuals and forms, but people at every level of an organization.
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to management and the Board of Regents.
Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

When is internal control effective?

Internal control can be judged effective in each of the three categories, respectively, if the Board of Regents and management have reasonable assurance that they understand the extent to which:

the entity's operational objectives are being achieved,
published financial statements are being prepared reliably, and
applicable laws and regulations are being complied with.

What are factors limiting internal controls?

Judgment – Managers in a well-controlled organization can make bad decisions.
Breakdowns – People with control responsibilities may not carry them out effectively.
Management Override – Managers may intentionally go outside established practices for illegitimate purposes.
Cost vs. Benefit – When resources are limited, managers properly accept a degree of risk when the cost of controlling the risk exceeds the benefit

Note: The above definition of internal control and related concepts are taken directly from Internal Control -- Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Policies
Internal Controls

Internal control is all of the policies and procedures management uses to achieve the following goals.

Safeguard University assets - well designed internal controls protect assets from accidental loss or loss from fraud.
Ensure the reliability and integrity of financial information - Internal controls ensure that management has accurate, timely and complete information, including accounting records, in order to plan, monitor and report business operations.
Ensure compliance - Internal controls help to ensure the University is in compliance with the many federal, state and local laws and regulations affecting the operations of our business.
Promote efficient and effective operations - Internal controls provide an environment in which managers and staff can maximize the efficiency and effectiveness of their operations.
Accomplishment of goals and objectives - Internal controls system provide a mechanism for management to monitor the achievement of operational goals and objectives.

Responsibility

Management Responsibility: Administrative management is responsible for maintaining an adequate system of internal control. Management is responsible for communicating the expectations and duties of staff as part of a control environment. They are also responsible for assuring that the other major areas of an internal control framework are addressed.

Staff Responsibility: Staff and operating personnel are responsible for carrying out the internal control activities set forth by management.

Framework for Internal Control

The framework of a good internal control system includes:

Control environment: A sound control environment is created by management through communication, attitude and example. This includes a focus on integrity, a commitment to investigating discrepancies, diligence in designing systems and assigning responsibilities.
Risk Assessment: This involves identifying the areas in which the greatest threat or risk of inaccuracies or loss exist. To be most efficient, the greatest risks should receive the greatest amount of effort and level of control. For example, dollar amount or the nature of the transaction (for instance, those that involve cash) might be an indication of the related risk.
Monitoring and Reviewing: The system of internal control should be periodically reviewed by management. By performing a periodic assessment, management assures that internal control activities have not become obsolete or lost due to turnover or other factors. They should also be enhanced to remain sufficient for the current state of risks.
Information and communication: The availability of information and a clear and evident plan for communicating responsibilities and expectations is paramount to a good internal control system.
Control activities: These are the activities that occur within an internal control system. These are fully described in the next section.

Internal Control Activities and Best Practices

Internal control activities are the policies and procedures as well as the daily activities that occur within an internal control system. A good internal control system should include the control activities listed below. These activities generally fit into two types of activities.

Preventive: Preventive control activities aim to deter the instance of errors or fraud. Preventive activities include thorough documentation and authorization practices. Preventive control activities prevent undesirable "activities" from happening, thus require well thought out processes and risk identification.
Detective: Detective control activities identify undesirable "occurrences" after the fact. The most obvious detective control activity is reconciliation.

Click on the links below for information regarding these activities including best practices.

Authorization
Documentation
Reconciliation
Security
Separation of Duties

Other Internal Control Best Practices

With a good internal control system in place, other considerations to keep in mind include:

Regularly communicate updates and reminders of policies and procedures to staff through emails, staff meetings and other communication methods.
Periodically assess risks and the level of internal control required to protect University assets and records related to those risks. Document the process for review, including when it will take place. (Example: Determine that all security activities, reconciliation processes and separation of duties will be reviewed annually. They will, however, be staggered. Security activities will be reviewed in July, reconciliation in September and separation of duties in March.)
Management is responsible for making sure that all staff are familiar with University policies and changes in those policies.