Auditing & Consulting Division of Administration & Business Affairs

Best Business Practices

What are controls?

Simply put, controls are those procedures you perform every day to get your job done. For example, our delegation of authority policy, travel approval procedure, and Duo login for our campus computers are all internal controls.

A system of controls (or procedures) reduces business risk, which is the probability that certain exposures will lead to loss or adverse business conditions.

Types of Controls

  • Internal controls
    • Practices that protect or make more efficient use of the University's assets. They are the kinds of things you already do because they are generally just good business practices. Internal controls can involve anything from protecting computer files with passwords to making sure that the door is locked when everyone has gone home for the night.
    • Typically, management is responsible for developing an appropriate system of internal controls, but every employee is responsible for following and applying those practices. They may seem unimportant by themselves, but taken as a whole, they can have a major impact on the University's operations. Internal controls can be preventive, detective, or corrective in nature.
  • Preventive Controls
    • Designed to discourage or pre-empt errors or irregularities. They are more cost-effective than detective controls. Credit checks, job descriptions, required authorization signatures, data entry checks and physical control over assets to prevent their improper use are all examples of preventive controls.
  • Detective Controls
    • Designed to search for and identify errors after they have occurred. They are more expensive than preventive controls, but still essential since they measure the effectiveness of preventive controls. They are also the only way to effectively control certain types of errors. Account reviews and reconciliations, observations of payroll distribution, periodic physical inventory counts, passwords, transaction edits and internal auditors are all examples of detective controls.
  • Information Processing Controls
    • These encompass a variety of controls that are performed to check accuracy, completeness and authorization of transactions. Data entered are subject to edit checks or matching to approved control files. Numerical sequences of transactions are accounted for, and file totals are controlled and reconciled with prior balances and control accounts. Development of new systems and changes to existing ones are controlled, as is access to data, files and programs.

The Auditor's Role

Auditors evaluate the effectiveness of an operation's internal controls by first gathering information about how a unit operates, identifying points at which errors or inefficiencies are possible, and identifying system controls designed to prevent or detect such occurrences. Then, they test the application and performance of those controls to assess how well they work. You can evaluate controls in your department's operations by following the same process.

Internal controls only provide reasonable assurance, a concept which recognizes that the "cost" of internal controls should not exceed the benefits derived from them. Management (with input from Internal Audit) must make the decision as to how much control is enough. As needs and personnel change, management will make changes in the systems of control to ensure that the system is still providing reasonable assurance that risks are being avoided.

Control Activities

Control activities are those specific policies and procedures that help ensure management directives are implemented. They include a wide range of activities that occur throughout the organization, performed by supervisory and front-line personnel. This is not an all-encompassing list, but below are some examples of common control activities.

Common Control Activities

  • Segregation of Duties
    • Duties are divided, or segregated, among different people to reduce the risk of error or inappropriate actions. For instance, responsibilities for authorizing transactions, recording them and handling the related asset are divided.
  • Physical Controls
    • Equipment, inventories, securities, cash and other assets are secured physically, and periodically counted and compared with amounts shown on control records. Access is restricted to those with authority to handle them.
  • Reconciliation
    • Comparisons made between similar records maintained by different persons to verify transaction details.
  • Policies and Procedures
    • Established policies, procedures and even job descriptions provide guidance and training to ensure consistent performance at a required level of quality.
  • Transaction and Activity Reviews
    • Managers running functions or activities review performance reports. They may relate different sets of data, operating or financial, to one another, together with analyses of the relationships.