Overview
UC Berkeley’s internal control consists of five interrelated components: the control environment, risk assessment, control activities, information and communication, and monitoring. The components include processes, policies, procedures, methods, records, and other means designed and implemented by management to achieve its objectives.
These objectives are to generate reliable financial information for reporting on operations, comply with applicable laws and regulations, and promote operational efficiency. Internal control is the process by which management ensures the entity achieves these objectives.
In this section you’ll learn about:
- The different components of internal controls
- The transaction cycles and their related control objectives
- Management’s responsibilities for internal control under the Foreign Corrupt Practices Act
- How the DFL plays a pivotal role in achieving these control objectives
Components of Internal Controls
The concept of internal controls was first developed, and later updated, by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). It was subsequently adopted by the Comptroller General of the United States (GAO) as the standard for internal control in the Federal Government in a publication titled “the Green Book.” While UC Berkeley is not a federal entity, we must comply with these standards because they’ve been incorporated into Uniform Guidance (Uniform Administrative Rules, Cost Principles and Audit Requirements for Federal Awards). For this reason, and because it’s considered a best practice, UC Berkeley’s control environment is structured around the five components of internal controls first established under COSO.
Internal Control is a process, effected by the Regents of the University of California, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations, including operational and financial performance goals, and the safeguarding of assets against loss
- Reliability, timeliness, and transparency of internal and external financial and non-financial reporting
- Compliance with applicable laws and regulations
The five internal control components are described in more detail as follows:
Control Environment
This comprises the attitudes, abilities, awareness, and actions of UC Berkeley’s personnel, especially its management, as they affect the overall operation and control of the business. In the words of the Treadway Commission, it is the “tone at the top” that influences the control consciousness of its people. The control environment represents the collective effect of various factors on the effectiveness of specific controls. The control environment serves as the foundation for an internal control system and provides the discipline and structure to help an entity achieve its objectives.
A management philosophy dedicated to establishing sound business processes and operating controls would tend to create a stronger internal control environment than a philosophy that is unaware of or unconcerned with internal controls.
Management can include but is not limited to the Chancellor and the Chancellor’s Cabinet, Vice Chancellors, Deans, Associate Deans, Associate Vice Chancellors, DFLs, CAOs, department heads, subordinate managers and supervisors, and others. Management can also include faculty who supervise or manage contract and grant awards, personnel, or other units within the organization.
Risk Assessment
Risk assessment is management’s process of identifying, analyzing, and managing risks that affect the achievement of its objectives. It also forms the basis for determining how risks should be managed. Risks can arise from many factors, including changes in regulations or finance-related statutes, new technology, changes in the operating environment, organizational restructuring, etc.
Control Activities
Control activities are the policies and procedures that help ensure that necessary actions are taken to address risks to the achievement of the entity’s objectives as referenced above. Control activities have various objectives and are applied at different organizational levels. They are described in more detail in the transaction cycles section below, along with how the DFL plays a pivotal role in executing the organization’s key controls. Control activities can be divided into the following four categories:
- Performance Reviews
- Information Processing
- Physical Controls
- Segregation of duties
Information and Communication
Information is necessary for the entity to carry out internal control responsibilities in support of the achievement of its objectives. Communication enables personnel to understand internal control responsibilities and their importance to the achievement of objectives. The accounting system is the part of the information system that is most directly relevant to financial reporting objectives. The general ledger and its feeder systems (BearBuy, Reimbursement System, CDS, UCPath, CalTime, etc.) consist of the procedures established, including electronic means, to transmit, process, maintain, and access information, as well as the documents produced as a result of those procedures.
These procedures and documents help management operate the University effectively and enable it to prepare reliable financial statements. For example, the way in which a purchase transaction is initially recorded and posted to ledger accounts is part of the accounting system.
Monitoring
Evaluations are used to ascertain whether each of the five components of internal control is present and functioning. They assess the quality of performance over time and promptly resolve the findings of audits and other reviews. They serve to identify and address problems. They may either be ongoing, such as regular management and supervisory activities, or periodic, such as an evaluation made for a specific purpose of assessing the effectiveness of controls.
Ongoing monitoring controls may be exercised at the entity level or at the transactional cycle level in conjunction with closely related control activities. The key controls discussed below are key monitoring controls that work in collaboration with the transactional control activities. This ensures that control activities are operating effectively.
Limitations of Internal Control
While an effective system of internal control provides reasonable assurance of achieving UCB’s objectives, inherent limitations do exist. Limitations may result from the:
- Ability of management to override internal control
- Ability of management, other personnel, and/or third parties to circumvent controls through collusion
- Breakdown that can occur because of human failures, such as errors
- Reality that human judgment in decision making can be faulty and subject to bias
- External events beyond the organization’s control
Overall, DFLs play a pivotal role in all five components of an integrated internal control framework out the five components of internal controls, their relationship with our objectives, and how they interrelate to UC Berkeley as an entity.
Transaction Cycles and Related Control Objectives
UC Berkeley’s internal control framework views certain business processes in terms of “cycles” into which related transactions can be grouped within the specific accounting procedures and control activities that have been established. Each cycle typically comprises several transaction classes that vary with the particular aspect of the University’s operations. The transaction cycles are outlined below:
- Revenue cycle: Transactions related to generating and collecting revenue, and related controls applied to such activities as invoicing and cash receipts associated with tuition and fee revenues from students, sponsored research-related activity, and other operating revenues. It also includes cash receipts from the State of California through state appropriations and other governmental funds allocated to UC Berkeley.
- Purchasing cycle: Transactions related to purchasing and payments, and related controls applied to such activities as ordering and receiving purchases, cash disbursements, and goods returned to suppliers.
- Payroll cycle: Transactions related to payroll payments to employees include major activities such as time recording, payroll calculations, payroll payment, allocation of payroll benefits from UCOP to UC Berkeley, and adjustments such as salary cost transfers.
- Plant, Property, and Equipment cycle: Interrelated to purchasing, transactions related to capital acquisition of goods and services for long-lived assets include major activities associated with acquisitions and capital projects, asset depreciation, disposals and retirements, asset valuation, adjustments, and ledger maintenance.
Control Objectives
These are the control objectives relevant to financial reporting for a specific class of transactions.
- Processing Transactions: There are three control objectives related to this area.
  - Authorization: all recorded transactions actually occurred, relate to the entity, and were approved by designated personnel. Typical control activities might include authorization by an appropriate individual and exception reporting (e.g. reporting employees working more hours than a given number of hours in a week, with subsequent review and follow-up by a responsible official like a supervisor).
  - Completeness of input: all transactions that occurred are initially entered into the accounting records and accepted for processing. Relevant control activities, for example, might include computer matching of transactions to other data within the system, one-for-one checking of source documents to data entered into the system, etc.
  - Accuracy of input: transactions are initially recorded at the correct amount, in the appropriate account, and on a timely basis. Control activities might include one-for-one checking, matching vouchers from purchase orders to goods receipt information in the purchasing system, etc.
- Maintaining files on which those transactions and the related data are stored
- Protecting assets against loss from errors and fraud: Assets are protected against loss from errors and fraud (particularly misappropriation) in the processing and handling of assets. This might include physical controls that restrict access to physical inventories and related documents and segregation of duties between personnel authorized to purchase assets and those authorized to disburse cash.
Best Practices in Control Activities
The following is a list of best practices to safeguard the University from fraud, waste, abuse, and mismanagement and ensure effective operations, reliable reporting, and compliance with federal regulations and UC policies.
- Segregation of duties: Establishes a breakdown of duties so that no one person can single-handedly conduct the entire procedure in a transaction. This separation ensures a check and balance system. Assigned responsibilities should be properly documented and reviewed periodically. For example, employees and proxies to employees enter travel reimbursement requests into the reimbursement system. The supervisor is responsible for reviewing the request to ensure compliance against policy before authorizing reimbursement, and individuals within the Controller’s Office monitor transaction processing to ensure reimbursement is completed using automated systems. Review this chart as an illustrative example of segregation of duties by financial cycle.
- Policies and procedures: Written policies and procedures should be made available to personnel and must describe processes for planning, organizing, directing, controlling, and reporting on organizational operations.
- Documentation: Ensures detailed, accurate, and sufficient information is recorded and retained to support and corroborate University transactions.
- Authorization: Establishes transactions that should be reviewed and authorized prior to execution. For example, purchase transactions require financial approval if the amount exceeds certain dollar thresholds within BearBuy.
- Asset safeguarding: Physical assets susceptible to misappropriation, misuse, or theft, such as cash, fixed assets, and sensitive equipment such as tablets, cell phones, and laptops, are properly secured and accessible only to authorized personnel. Access controls, however, do not prevent individuals who have authorized access to assets from misappropriating them. Individuals who have authorized access to both assets and related accounting records may be in a position to conceal shortages of assets in the records; however, if duties are properly segregated, such as between the BETS system of asset records and individuals with access to equipment, the concealment of shortages can be mitigated.
- General Computer Controls (GCCs): Computer systems frequently have common areas of control and related control procedures. Managers of the information systems function usually monitor the performance of GCCs. Monitoring activities include observation, exception reporting, reviews of work performed, reviews of program changes, and monitoring of user complaints.
- Reconciliations: Accounting reconciliations corroborate that recorded transactions are accurate and provide the most current information for reporting. Physical reconciliations ensure assets purchased with University funds are being properly utilized. For example, custodial managers are required to perform equipment inventory audits on a biennial basis. The Controller’s Office, as another example, reconciles bank statement amounts to current cash balances for any unexplained discrepancies.
All of these best practices have been built into UC Berkeley’s internal control framework.
In summation, it’s important for the DFL to know that maintaining the internal control environment and related control procedures is an integral part of management’s responsibilities. In the context of governmental accounting and reporting, the control environment has a direct impact on UC Berkeley’s ability to collect and present accurate financial information, and as a result, the internal control environment and related procedures are key areas of concern to the University of California’s external auditor.
Policies that Govern the Work
Management’s responsibilities for internal control are outlined under the Foreign Corrupt Practices Act. Changes in the business and legal environment, in particular the Foreign Corrupt Practices Act of 1977 (the Act), as amended, have magnified the importance of internal control to management. While the Act amended the Securities Exchange Act of 1934, it has one specific part that is applicable to the design and effectiveness of internal controls. The second part of the Act specifically relates to internal accounting controls (i.e. control activities). It is a useful guideline on which the University can model its control environment, and it complements COSO, the Standards for Internal Control in the Federal Government, the Department of Education’s guidebook (Financial Accounting for Local and State School Systems), and other guidance issued.
Specifically, it establishes a legal requirement that every SEC registrant design and maintain a system of internal accounting controls sufficient to provide reasonable assurance. These requirements are incorporated into the control activities and best practices outlined in the previous section. The Act also led to the creation of useful guidelines that were established by the United States Sentencing Commission.
These guidelines list the following seven steps that demonstrate the exercise of due diligence by an organization. Divisional Finance Leaders are advised to think of these guidelines when establishing local practices within their divisional areas, because doing so demonstrates the exercise of due diligence and complements the overall control environment of the University. The seven guidelines are as follows:
- Establishing compliance standards and procedures for employees and other agents that are reasonably capable of reducing the potential of criminal conduct.
- Assigning to specific, high-level individuals within the organization the overall responsibility for overseeing compliance with the established standards and procedures.
- Using due care not to delegate substantial discretionary authority to individuals whom the organization knows (or should know) have a propensity to engage in illegal activities.
- Taking steps to communicate compliance standards and procedures effectively to all employees and agents (e.g. by requiring participation in training programs and by disseminating publications that explain in a practical manner what is required.)
- Taking reasonable steps to achieve compliance with these standards. These steps may include the use of monitoring or auditing systems designed to detect criminal conduct and implementing and publicizing a reporting system for employees and agents to report criminal conduct by others within the organization without fear of retribution (i.e. UC’s whistleblower program.)
- Enforcing the standards consistently through appropriate disciplinary mechanisms including, as appropriate, discipline of individuals responsible for the failure to detect an offense (i.e. performance management processes such as Achieve Together).
- Taking all reasonable steps, after the detection of an offense, to respond appropriately and to prevent similar offenses in the future.
These steps include many of the controls described earlier in this webpage. This and other UC Policies can provide an appropriate methodology for determining whether an organization has an effective program to prevent and detect violations of law (one of the internal control objectives listed above).
Roles and responsibilities
Divisional Finance Leaders play a key and pivotal role as members of University Management, but more specifically, there are certain control activities that would not meet the desired control objective without the DFL’s review and oversight. UC Berkeley has specific key controls that must be performed at the divisional level on a quarterly basis. These control activities specifically relate to performance reviews and physical controls that safeguard financial data and the use of assets (see internal control learning topic above for a refresher).
These reviews are separate functions from the monthly compliance review of individual contract and grant awards by research administrators and principal investigators in PI Portfolio and cannot substitute for the compliance review.
The key controls performed by DFLs specifically include:
Financial Reporting Review
The Financial Reporting Review control provides assurance that operating results are complete, accurate, and valid, and that there are no material misstatements to the financial statements. It is required for external and internal audits. Detailed instructions on what reports should be used in performing the financial reporting review, along with job aids on how to review the general ledger and how to review compensation expenses, can be found at the Financial Reporting Review website on the Controller’s Office website. The two reports and related systems that are required to be reviewed are:
- CalPlanning GL Summary Monthly Comparative Actuals report
- Cal Answers General Ledger Compensation by Accounting Period report
System Access Review
This safeguard control ensures that employee access to financial systems is accurate and appropriate for current job responsibilities and that the access defined supports the proper segregation of duties within the division. It is required for external and internal audits. More detailed information can be found at System Access Review on the Controller’s Office website. The BFS System Access Review report is required for review.
Timesheet policy compliance
This control ensures that all timesheets within the DFL’s organization are completed and approved for employees who are required to report time. The submission and approval of timecards ensure we have complete, accurate, and valid records in place. Time recording is an integral part of the payroll cycle, ensuring the following control activity objectives are achieved:
- Ensure evidence of services performed is obtained
- Employee services are recorded in the correct period
- Fictitious time and attendance information is not entered into the system
- Supports compliance with relevant DOL rules and regulations
Inventory of Equipment controls
This control ensures custodian managers perform an inventory of all equipment within the DFL’s unit in accordance with the biennial certification process.
Divisional Finance Leaders (DFLs) must complete their financial reporting and system access reviews (SAR) by the due date. An escalation process, which includes three email reminders, will ultimately result in the loss of BFS access for all division employees. To avoid unnecessary interruptions to your business process, reviews must be completed by the due date.
The latter two controls (timesheet approvals and inventory controls) are management responsibilities with varying due dates throughout the year.
Additional Resources
Additional information about the topics within this section can be found at the following:
- 2 CFR 200.303—Internal Controls
- Standards for Internal Control in the Federal Government, September 2014 edition
- Chapter 4: Governmental Accounting – Internal Control Structure (Financial Accounting for Local and State School Systems: 2009 Edition published by the US Department of Education)
- Foreign Corrupt Practices Act