Preventative control activities
Preventive controls attempt to prevent or deter undesirable acts from occurring. They are proactive controls, designed to prevent a loss, error, or omission. Examples of preventive controls are:
- separation of duties
- proper authorizations
- adequate documentation
- physical security over cash and other assets
Detective control activities (Monitoring)
Detective controls attempt to detect undesirable acts that have occurred. They provide evidence after-the-fact that a loss or error has occurred, but do not prevent them from occurring.
- Regular supervisory review of account activity, reports, reconciliations (See Business Policy and Procedure Manual Section 2:005)
- Routine spot-checking of transactions, records and reconciliations (do things make sense and look reasonable)
- Variance analysis, including budget to actual comparisons
- Physical inventories
- Control self assessment (such as this Guide and related Self-assessment Questionnaire)
- Internal audit review of business unit’s controls
Information and communication
- Administrative information systems that provide necessary information to the appropriate people, at the necessary level of detail, on a timely basis
- Channels for employees to communicate suspected improprieties upstream through other than a direct supervisor
Management is responsible for assessing risks that could undermine these objectives of financial statements:
- Establishing the existence/ownership of assets and liabilities
- Proper valuation of assets and liabilities
- Contain all transactions of the reporting period
- Proper presentation and disclosure
A control-conscious environment is also necessary. It is an environment that supports ethical values and business practices. Management is responsible for “setting the tone” for their areas and encouraging the highest levels of integrity and ethical behavior, as well as exhibiting leadership behavior that promotes internal control and accountability.
The following steps are examples of this leadership behavior:
- Communicate to employees that fraud and conflicts of interest will not be tolerated.
- Communicate to employees that University policies and procedures are important and will be followed.
- Make employees fully aware of their responsibilities, including internal controls.
- Monitor the internal controls system on an on-going basis.