Source material for this policy has been drawn from the following resources.
- UCLA Financial Policy, November 30, 1996;
- UC Business & Finance Bulletin IA Series, Internal Audit:
IA-001, Internal Control Standards Introduction,
IA-101, Internal Control Standards Departmental Payrolls,
IA-403, Internal Control Standards Issuance and Control of Operating Cash Funds;
- UC Business & Finance Bulletin BUS Series, Business Affairs:
BUS-43, Materiel Management,
BUS-49, Cashiering Responsibilities and Guidelines,
BUS-54, Operating Policy for University Supply Inventories;
- UC Business & Finance Bulletin, RMP Series, Records Management;
- UC Accounting Manual:
A-000-7, Official Documentation Required in Support of Financial Transactions,
C-173-61, Cash: Petty Cash Disbursements,
C-173-78, Cash: Unclaimed and Uncashed Checks,
C-173-85, Cash: Credit and Debit Card Program,
C-557-21, Contracts & Grants: Cash Advance Programs,
D-371-16, Disbursements: Approvals Required,
D-371-36, Disbursements: Invoice Processing in Response to Purchase Authorizations (see also UC Sales & Use Tax Manual),
R-212-2, Receivables Management;
- UCLA Cash Handling Security Policy, March, 1998;
- UCLA Policy 740, Purchasing Goods and Services;
- National Association for College and University Business Officers (NACUBO): Internal Control Questionnaire for Colleges and Universities;
- Components of Internal Control - Treadway Commission Committee of Sponsoring Organizations (COSO).
II. PURPOSE AND SCOPE
An important part of the delegated accountability for the financial management of UCLA resources is the establishment and implementation of adequate internal controls. Internal control is a broadly defined process designed to provide reasonable assurance regarding the achievement of the following objectives:
- Ensuring the effectiveness and efficiency of operations;
- Safeguarding of assets against loss and unauthorized use or disposition;
- Ensuring the validity, accuracy and reliability of accounting records and financial reports; and
- Promoting adherence to prescribed management policies and procedures and regulatory requirements.
This policy describes the internal control components used to achieve the objectives noted above, and identifies those with responsibility for ensuring the efficacy of local guidelines designed to implement this policy and related policies of the University.
A. Responsibility for Internal Control
- Department administrators and managers are responsible for establishing and maintaining a system of internal controls, and for promoting a positive and supportive attitude toward them at all times by:
- conducting or assigning to a designee required periodic review of departmental operating procedures to ensure that the principles and guidelines of internal control are being followed;
- establishing controls where new types of transactions occur;
- improving upon existing controls if control weaknesses are detected. See 2. below for responding to audit results and recommendations.
Because not all departments have sufficient resources to provide optimal control at all times, estimates and judgments must be exercised to assess the costs, benefits, and risks involved. The costs associated with internal control should not exceed the benefits derived. Given these considerations, administrators are strongly urged to adhere to the control guidelines contained in this policy as far as is practicable.
- Audit & Advisory Services, as well as external auditors, are responsible for reviewing the adequacy of departmental internal controls and for reporting their findings to the appropriate administrative levels within the University.
- Department administrators and managers are required to take prompt and responsive action on all findings and recommendations made by both internal and external auditors.
- The audit process is completed only after department administrators and managers receive the result of the audit, and action has been taken to (1) correct identified weaknesses, (2) produce improvements, or (3) demonstrate that management action is not warranted.
B. Internal Control Components
Internal control for the campus consists of five interrelated components. These are derived from the way a department administrator or manager runs an academic or administrative unit, and are integrated with the management process. The department manager has responsibility for ensuring and demonstrating that all five components of control are operating effectively.
- Control Environment
The control environment set by a department administrator establishes the tone of the business unit, influencing the control conscientiousness of its employees. Control environment factors include an administrator's integrity; the ethical values and competence of his/her employees; the way an administrator assigns authority and responsibility, and organizes and develops the unit's employees. An administrator can help promote a good control environment by:
- holding regular team and one-on-one meetings;
- periodically evaluating staff training needs and providing for staff development;
- clearly communicating performance expectations to staff and providing periodic constructive feedback; and
- clearly articulating positions on ethical issues relating to business so that staff receive a clear, unambiguous message to act in an ethical manner.
- Risk Assessment
Every administrator faces risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of clear business objectives at all levels that are consistent and relate directly to those of the total organization. Risk assessment is the process of identifying and analyzing relevant risks to the achievement of objectives, forming a basis for determining how the risks should be managed. This should be a disciplined, documented and ongoing process that is communicated to staff members as well as management.
- Control Activities
The control activities are the implementing tools of internal control policy. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating procedures, security of assets and segregation of duties. The general guidelines for control activities are outlined below. Specific guidelines for applying these principles as they relate to departmental functions are presented in Attachment A.
- Separation of Duties
Individual duties are separated so that one person's work routinely serves as a complementary check on another person's work. No one person has complete control over more than one "key" processing function or activity, such as authorizing, approving, certifying, disbursing, receiving or reconciling.
- Authorization and Approval
Proposed transactions are authorized when they are proper and consistent with University policy and the organization's plans. Transactions are approved by the person delegated approval authority. Approval authority is usually conferred on the basis of some special knowledge or competency.
- Custodial and Security Arrangements
The responsibility for the physical security (custody) of assets is separated from the related record-keeping (accounting) for those assets. Unauthorized access to assets and accounting records is prevented.
- Review and Reconciliation
Departmental accounting records and documents 1) are examined by employees who possess sufficient understanding of the University financial system to verify that recorded transactions actually took place and were made in accordance with prescribed procedures; and 2) are compared with University financial system reports and financial statements to verify their reasonableness, accuracy and completeness.
- Information and Communication
Pertinent information must be identified, captured and communicated in a form and timeframe that enable a manager and staff to carry out their responsibilities efficiently. Information systems produce reports containing operational, financial and compliance-related information that make it possible to run and control a business or academic unit. Effective communication must also occur in a broader sense, flowing down, across and up the unit. All staff must understand their own role in the internal control system, as well as how individual activities relate to the work of others.
- Monitoring
Internal control systems need to be monitored -- a process that assesses the quality of the system's performance over time. Ongoing monitoring occurs in the course of normal operations and includes regular management and supervisory activities. In addition, separate operational evaluations are conducted based upon the assessment of risks and the effectiveness of ongoing monitoring procedures.
Adequate supervision of personnel and other monitoring activities are required to ensure the reliability of accounting and/or operational controls by pointing out errors, omissions, exceptions and inconsistencies in the application of procedures.