Internal Control Framework Key Terms

Overview

When discussing internal controls, there are some terms that are important to consider in this context.  Below are important terms organized by the framework component as well as definitions and correlations to the University of Florida.

Control Environment

The control environment is just that – the environment of standards, processes and structures in the University.

Tone at the Top

Management leads by example to demonstrate a commitment to integrity and ethical values.  At the University of Florida, the Tone at the Top is set by the Board of Trustees and senior management, and reinforced by leaders throughout the entire organization. The Tone at the Top tells employees what importance is placed on honesty and integrity, and can also be considered the “company culture.”

Risk Assessment

Risks to achieving the University’s objectives must be identified and analyzed.  The identification of risks helps management and employees in decision-making and carrying out their internal control responsibilities.

Risk

The possibility that an error or irregularity will happen to negatively affect the achievement of objectives related to operations, reporting, or compliance.

Inherent Risk

The risk to an organization that may lead to potential financial loss, inaccuracies, noncompliance or other errors, in the absence of response to the risk. This can be thought of as “what can go wrong?”

Residual Risk

The risk remaining after a response to the inherent risk.

Risk Tolerance

Setting the acceptable level of variation from objectives that management is willing to tolerate.  It is impossible to entirely remove risk, so management must determine what level is tolerable.

Risk Responses

Using the identified risks and the level of risk tolerance, management designs responses and actions, including the following:

• Acceptance: No action is taken because the risk is considered insignificant
• Avoidance: Take action to entirely or partially stop the process causing the risk
• Reduction: Take action to reduce the possibility or extent of the risk
• Sharing: Take action to transfer or share risk across the organization or with external parties

Fraud

Fraud involves obtaining something of value through willful misrepresentation.  Fraud can include fraudulent financial reporting, misappropriation of assets or corruption.  The fraud triangle – consisting of pressure, opportunity and rationalization – demonstrates the primary risk factors for fraud.

Control Activities

Control activities are what is commonly thought of when people think of internal controls – they are the actions directed by management through policies and procedures to minimize identified risks to tolerable levels.  They are performed at all levels throughout the University and at different steps in the process, including IT systems.

Key Control

A control designed with an operation process to prevent or detect a significant risk.  Monthly reconciliations are considered a key internal control at the University of Florida.

Control Objective

The goal to be achieved for a control that is designed and implemented for a process.

Policies versus Procedures

A policy is a statement of what must be done to effect control.  A procedure is the action that implements the policies.  For example, at the University of Florida a policy is what expenses require receipts for reimbursement during travel.  The procedure is how you process the expense report and get it approved.

Information and Communication

Relevant and timely information must be obtained and communicated to both internal and external parties to support the internal control system.  The method of communication should always be considered – meetings, emails, training, newsletter, etc.

Audience

The targeted recipients of the information to be delivered.  Who needs to receive this information? Is it a big group or small group? Are they subject matter experts or unfamiliar with the topic? You want to tailor your communication and use a method appropriate for your audience.

Nature of the Message

The type of information being communicated. What is the purpose of the information? Is it complicated? The nature of the message should impact the method used for communication.

Timeliness

The timing needed for people to act on the information being communicated.  How quickly do we need to get this information to people? Do we need them to act on it right away? Again, this will impact the method of communication, as an urgent issue requiring immediate action would not be communicated in a quarterly newsletter.

Monitoring Activities

Monitoring is a key part of assessing internal control effectiveness.  The internal control system will evolve as objectives change and controls become obsolete.  Monitoring is how we make sure the control is really happening in the way it was intended.

Ongoing Evaluations

These monitoring evaluations are routine and built in to normal business processes.  They will often identify problems faster, such as regular comparisons and reconciliations or automated tools.

Separate Evaluations

These monitoring evaluations are conducted at periodic intervals by objective management personnel, internal audit, our department, or external parties.  It is typically not as frequent as ongoing evaluation, but will provide objective feedback.

Control Deficiency

A potential or actual internal control issue, or an opportunity to strengthen the internal control system, based on observation and/or direct testing.

CONTACTS

Internal Controls, Anti-Fraud, and Advisory Services: (352) 392-1321

LAST REVIEWED

Last reviewed on 03/20/2024