Which of the internal control components provides the foundation for all the other components of internal control?

University of California, Santa Barbara

In an effective control environment, competent people understand their responsibilities and the limits of their authority, and are knowledgeable, mindful, and committed to doing what is right.

The university has adopted an internal control methodology developed by the Committee of Sponsoring Organizations [COSO], in which internal control is defined as a process implemented by management that provides reasonable assurance that:

  • Operations are effective and efficient.
  • Financial and operational reports are reliable.
  • Compliance with applicable laws, regulations, and internal policies and procedures has been achieved.

COSO Components of Internal Control [listed in order of importance and effectiveness]

  • The control environment sets the tone for the organization. Factors such as integrity, ethical values, competency, management philosophy, and operating style form the foundation for other components of internal control, and for providing discipline and structure.
  • Risk assessment represents the identification of circumstances which may impede the organization's ability to achieve its business objectives, and the procedures in place that mitigate the identified risks.
  • Control activities are undertaken by the organization to ensure compliance with sound business practices, including the development of policies and procedures, the review and approval of transactions, the segregation of duties, and account reconciliation. Control activities should be documented, including follow-up activities.
  • Information and communication comprise the transmittal of quality data to the right people at the appropriate time to ensure employees have adequate information to effectively discharge their responsibilities. Effective communication must also occur in a broader sense throughout the organization.
  • Monitoring activities assure that processes are working as intended and actions are taken to address problems with the quality of performance. This includes regular monitoring, management and supervisory activities.

The above internal controls definition was developed by the Committee of Sponsoring Organizations of the Treadway Commission [COSO], which is recognized by the Office of the University Auditor.

Penn has adopted the Integrated Internal Control Framework [IICF], an adaptation of COSO [Committee of Sponsoring Organizations of the Treadway Commission], for utilization as the foundation of the internal control and compliance environment.

This Framework defines internal control as a process, effected by an entity’s board of directors, management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations.
  • Reliability of financial reporting.
  • Compliance with applicable laws and regulations.

This definition reflects certain fundamental concepts:

  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is effected by people. It is not merely policy manuals and forms, but people functioning at every level of an organization.
  • Internal control is geared to the achievement of objectives in several overlapping categories.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to the institution’s leaders regarding achievement of operational, financial reporting and compliance objectives.

Effective administration involves planning, executing and monitoring. Internal control is a tool used by administrators to accomplish these processes.

Management’s Responsibility For Internal Control

In accordance with University Policy 2701, management is responsible, in both the central and decentralized operating units, for establishing, maintaining and promoting effective business practices and effective internal controls. Such systems of internal control will vary from activity to activity depending upon the operating environment, including the size of the entity, its diversity of operations and the degree of centralization of financial and administrative management.

While there may be practical limitations to the implementation of some internal controls, each business function throughout the University and Penn Medicine must establish and maintain a system of controls which meets the minimum requirements as established by the University’s Internal Control Policy. A properly functioning system of controls improves the efficiency and effectiveness of operations, contributes to safeguarding assets and identifies and discourages irregularities, such as questionable or illegal payments and practices, conflict of interest activities and other diversions of assets.

Components of Internal Control

Internal Control consists of five interrelated components derived from basic University operations and administrative processes as follows:

  • Control Environment – The core of any educational institution is its people. They are the engine that drives the organization. Their individual attributes [integrity, ethical values and competence] and the environment in which they operate determine the success of the institution.
  • Risk Assessment – Colleges and universities must be aware of and deal with the risks they face. They must set objectives that integrate key activities so the total organization operates in concert. They also must establish mechanisms to identify, analyze, and manage the related risks.
  • Control Activities – Control policies and procedures must be established and executed to help ensure that actions necessary to achieve the institution’s objectives are effectively carried out.
  • Information and Communication – Surrounding these activities are information and communication systems. These enable the organization’s people to capture and exchange the information needed to conduct, manage, and control its operations.
  • Monitoring – The entire process must be monitored and modified as necessary. Thus, the system can react dynamically to changing conditions.

The following models show the relationships among these components:

COSO Pyramid shows the correlation between internal control components.
COSO Cube shows the relationship between units, activity and objectives.

The Control Environment provides an atmosphere in which people conduct their activities and carry out their control responsibilities. It serves as the foundation for the other components. Within this environment, management assesses risks to the achievement of specified objectives. Control activities help ensure that management directives are carried out to address the risks. Meanwhile, relevant information is captured and communicated throughout the organization. The entire process is monitored and modified as conditions warrant.

Types of Controls

Many types of controls can help management direct their activities, such as:

  • Preventive Controls are intended to deter inappropriate events from happening. These are the best types of controls, but they are typically the most expensive to implement.
  • Detective Controls are actions that are taken to detect and correct undesirable events that have already occurred.
  • Directive Controls are intended to cause a desired behavior or event to occur.

Often, the best strategy is a combination and collection of all types of controls used together that enable an organization to achieve its goals and objectives.

Internal controls are one of the most essential elements within any organization. Internal controls are put in place to enable organizations to achieve their goals and missions. Management is responsible for the design, implementation, and maintenance of all internal controls, while the Board is responsible for the oversight of the control environment. Strong internal controls allow for three main objectives: accurate and reliable financial reporting, compliance with laws and regulations, and effectiveness and efficiency of the organization’s operations.

So, how do we achieve this? It all starts with your internal control framework. Each organization’s internal control framework should consist of 5 components:

  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring

Control Environment

This component is the foundation for all other components of internal control. It sets the tone at and from the top of an organization and provides discipline and structure. Several factors make up the control environment, including:

  • Ethical Values and Integrity: Management and employees must have integrity. If management lacks integrity, it can trickle down to the employees and result in internal control issues and opportunities for fraud.
  • Human Resource Policies & Procedures: Control difficulties can be avoided by sound hiring procedures, training of new employees, and appropriate discipline.
  • Organization Structure: Organizations that have a clear understanding of who reports to whom within an organization will limit the chance for internal control issues.
  • Participation of Those Charged with Governance: It is important for those charged with governance [audit committee, board of directors, etc.] to be involved with the organization and monitor internal control functions.
  • Management Style: If management incorporates the importance of internal control in its operating style, employees will know the seriousness of the matter.
  • Responsibility Assignment: Responsibilities and authority need to be assigned to different employees throughout an organization. Decision-making responsibilities should not be assigned to one individual.

Risk Assessment

This component is used to identify and analyze risks that may prevent an organization from achieving its objectives. Risk factors could consist of internal and external factors. Properly identifying risks will allow management to determine how to mitigate and manage these risks. Management should evaluate risk on a regular basis, as changes in an organization, such as staffing, new policies, new software applications, new regulations, etc., could all impact an organization’s risk assessment.

Control Activities

These are the policies and procedures that help ensure that management directives are carried out. One of the most important control activities is segregation of duties. There should be different individuals responsible for authorizing transactions, recording transactions, having custody of assets, and performing comparisons/reconciliations. For example, the individual responsible for hiring employees should not be the individual paying employees because it increases the chances that a ghost employee will go unnoticed. If this isn’t possible, management needs to assess where other controls can be implemented to compensate for the overlapping responsibilities. This will help organizations to better identify any errors or irregularities in a timely manner.

Information and Communication

This component relates to the identification and transfer of pertinent information in a timely manner to allow personnel to carry out their responsibilities. For instance, timely financial reporting can allow management to identify anomalies in its operations prior to year-end so that they can better prepare the business.

Monitoring

And, last but not least, monitoring. This process is ongoing and is a key element of management’s responsibilities. Management is responsible for ensuring controls are operating as intended and for determining whether they are efficient. If controls are not operating effectively, management is then responsible for modifying these controls and informing top administration and governing boards. Monitoring is often done through a company’s quality assurance or internal audit departments.

The proper implementation of these five components can help a business achieve its goals while avoiding complications along the way.
