Internal Control is broadly defined as a process designed to provide reasonable assurance regarding the achievement of specific objectives in accountability, effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
Internal Controls Are Everyone's Responsibility
Internal controls encompass high ethical standards and values that are communicated throughout the institution. Implementation of UCSF's internal controls is the prime responsibility of the University's administrators and supervisors. There is a perception that monitoring internal controls is the responsibility of others, such as Internal Audit or Financial Administration. But everyone at the university has some responsibility for internal control.
Virtually all employees play some role in effecting control in how business functions operate, in the use of university resources, and in the way they accomplish their work. They may produce information used in the internal control system or take other actions needed to effect control. All personnel must take responsibility to communicate problems in operations, unwarranted deviations from established standards, and violations of policy or law. Appropriate channels for such communication exist at UCSF, and include supervisors, the Internal Controls office, Internal Audit, and the Whistleblower program.
Of course, UCSF's senior management and supervisors must assume the leadership in managing internal controls for their areas of responsibility. But other groups also play important roles. The Regents, the Office of the President, Financial and Budget officers, and other governing boards at UCSF are often involved in developing institution-wide controls and procedures. Internal Audit contributes to the effectiveness of the controls, but it is not responsible for establishing or maintaining them. It is the responsibility of managers and department chairs to provide oversight. Adequate internal controls are everyone's responsibility.
While Internal Audit takes a look at an organization's processes and procedures for a given slice in time, maintaining internal controls is a continuing process. It's not just policy manuals and forms, but people functioning at every level of the institution. Internal controls are a way to provide reasonable assurance to an institution's leaders against risk in operation, financial reporting, and compliance. Internal controls are tools used by employees to mitigate risk for the institution of UC and UCSF.
What are the Components of Internal Control?
There are five major elements that make up an organization's internal controls (the COSO model is recognized throughout the world as a significant standard for discussing internal control). The five elements are depicted at right, in a pyramid form, as each element depends on the preceding elements. At the base of any organization is the Environment. The core of any institution is its people. They are the engine that runs the organization. Their individual attributes (integrity, ethical values and competence) and the environment in which they operate determine the success of the institution.
Next is Risk Assessment. Colleges and universities must be aware of and deal with the risks they face. Key activities and their risks must be assessed and prioritized so that they can take the risks they need to take and avoid risks that are not necessary.
Following assessment, an institution builds its Control Activities. Policies and procedures must be reexamined to ensure that actions necessary to achieve the institution's objectives are effectively carried out and that unnecessary activities are eliminated.
The entire process must then be monitored by those doing the work, and modified as necessary. Simply put, things change, and by monitoring the system on a regular basis, the organization can react dynamically to changing conditions.
Throughout this process of examination, prioritizing and risk mitigation, information and communication systems enable the organization's people to capture and exchange the appropriate information needed to manage its operations responsibly.