EIU Office of Internal Auditing

#133 - Internal Control

Approved: July 31, 1996

Nomenclature changes: October 28, 2024

Monitor: President

Accomplishment of the goals of the University requires effective management, including establishing and maintaining a system of "internal control". Broadly defined, internal control is as a process effected by the University's governing board, administration, faculty, and staff, to provide reasonable assurance regarding the achievement of the University's objectives in the following categories:

• effectiveness and efficiency of operation;
• reliability of financial reporting; and,
• compliance with applicable laws and regulations.

This definition reflects certain fundamental concepts. First, internal control is a process geared toward the achievement of objectives. It is a means to an end, not an end in itself. Second, internal control is effected by people. It is not merely policy manuals and forms, but people functioning at every level of the institution. Finally, internal control can be expected to provide reasonable, but not absolute, assurance that the University's operational, financial reporting, and compliance objectives are met.

Internal control consists of five interrelated components that are derived from basic University operations and administrative processes. The five components are:

• Control Environment - The core of any university is its people. They are the engine that drives the organization. Their individual attributes (integrity, ethical values, and competence) and the environment in which they operate set the tone for the organization and determine the success of the institution.
• Risk Assessment - Risk Assessment is the process of identifying, analyzing, and managing risks related to the accomplishment of the University's objectives.
• Control Activities - Control Activities are the policies and procedures established and executed to help ensure the actions necessary to address risks and achieve the University's objectives are effectively carried out. Examples of control activities include policies and procedures related to authorization, security of assets, and reviews of operating performance, among others.
• Information and Communication - Information and communication systems enable the institution's people to capture and exchange the information needed to conduct, manage, and control operations.
• Monitoring - Monitoring is the process that assesses the quality of internal control performances over time. A properly monitored system can react dynamically to changing conditions.

Everyone at the University has responsibility for internal control. This responsibility extends beyond the development and implementation of control procedures initially considered necessary. The system of internal control must be under constant review by administrators and supervisors at all levels to determine that:

• prescribed policies and procedures are being interpreted properly and are being carried out;
• changes in operating conditions have not made the procedures cumbersome, obsolete, or inadequate; and,
• corrective measures are taken promptly when systems breakdowns appear.

The President and Vice Presidents are responsible for establishment of the internal control structure and for communication of relevant information regarding policies and controls to administrative staff. Administrators at every level are responsible for managing their units consistent with the University policies and controls established.

Responsibility of the President

Ultimate responsibility for establishing and maintaining adequate internal control rests with the President. The President shall: (1) consult with the President's Council in determining University policies necessary to establish an adequate internal control structure, and (2) periodically review and monitor compliance with internal control systems and take appropriate action concerning deviations from established policies and procedures.

Responsibility of Vice President for Business Affairs

The Vice President for Business Affairs shall be responsible for: (1) providing primary advice and direction in the development of controls related to financial reporting, (2) coordinating external audits and similar evaluations and (3) advising administrators as necessary regarding fiscal policies and procedures.

Responsibility of Vice Presidents

Vice Presidents shall have the responsibility for development, maintenance, and enforcement of effective control system policies and procedures within their areas.

Responsibility of the Director of Internal Auditing

The Director of Internal Auditing shall be responsible for periodic review of the internal control structure to determine whether adequate, effective internal controls exist and for calling deficiencies to the attention of appropriate administrators. Internal audit findings and recommendations shall be reported to the President, the appropriate Vice President, and other administrators, as necessary.

Employees Responsibilities

Each administrator and account manager shall be responsible for a knowledge of established internal controls, for operating their units in accordance with University policies and procedures, for the preparation of justifiable budget requests, for periodic reviews of their budgets, and for operating their units within the budgets provided.

General Policies

1. The Office of the President shall issue and update administrative policies and procedures approved by the President's Council.
2. The Office of the Vice President for Business Affairs shall issue and update content which contains accounting policies and procedures and which shall be available to each employee of the University.
3. The level of adherence to established internal control systems shall be considered in annual evaluations of individual administrators and employees.