Internal control structures are formed from how management operates an activity or function and are integrated into the management process. Despite the fact that the components apply to the entire University, small and mid-sized departments may implement them in a different way than major departments. They're designed to work together to provide reasonable assurance that overarching aims and goals are met.
The internal control structure is made up of five interconnected elements:
1. Control Environment
An organization's control environment sets the tone, affecting people's control consciousness. (1) the entity's people's integrity, ethical principles, and competency; (2) management's philosophy and operational style; and (3) the way management distributes authority and responsibility, organises, and develops its people are all control environment variables; and (4) the University's personal attention and guidance. Here are some more examples:
- Start at the top and work your way down.
- Policies at university.
- Authority of organisation.
2. Risk Assessment
It is the identification and risk related to the attainment of the objectives, which serves as the foundation for deciding how the risks should be managed. Among the many examples:
- Risk issues are discussed at monthly meetings.
- Risk assessment of internal audits
- Risk assessment conducted formally inside the department
3. Control Activities
Control activities are rules and processes that aid in the execution of management instructions. Approvals, authorizations, verifications, reconciliations, reviews of operating performance, asset security, and segregation of roles are just a few examples. Here are some more examples:
- Purchase restrictions
- Approvals
- Security related policies
4. Information and Communication
Critical information must be recognised, captured, and transmitted in a manner and timescale that allows individuals to carry out their duties. Information systems generate reports that comprise operational, financial, and compliance-related data, allowing the organisation to be managed and controlled. Communication must also flow down, across, and up the organisation in order to be effective. Here are several examples:
- Vision and values, or a poll of engagement
- Calls for problem-solving
- University communication (e.g. e-mails or meetings)
5. Monitoring
Internal control systems must be monitored, which is a procedure that evaluates the system's quality of performance over time. Continuous monitoring, independent evaluations, or a combination of the two are used to achieve this. During the course of activities, continuous monitoring is carried out. Internal control flaws should be notified upstream, with major issues being reported to the Regents and top management. Here are several examples:
- Review of performance reports on a monthly basis
- Function of internal auditing