Page title

Internal Control

Main page content

Internal control is a process, enacted by The University of Texas System (UT System) Board of Regents, management and other personnel, designed to provide reasonable assurance regarding achievement of objectives in the following categories:

  • Operations  relating to effective and efficient use of UT System's resources
  • Financial reporting  relating to preparation of reliable published financial statements
  • Compliance  relating to UT System's compliance with applicable laws and regulations

Internal control consists of the following five interrelated components:

  1. Control environment  Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the Board of Regents.
  2. Risk assessment  Risk assessment is the identification and analysis of risks that have the ability to impede the achievement of stated goals and objectives. It is a precursor for determining how risks should be managed. Preconditions to a risk assessment is the establishment of goals and objectives.
  3. Control activities  Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. They include a range of activities such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
  4. Information and communication  Pertinent information must be identified, captured, and communicated in a form and time frame that enables employees to carry out their responsibilities. Information systems produce reports, containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally-generated data, but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting.
  5. Monitoring  Internal control systems need to be monitored. This is accomplished through ongoing monitoring activities or separate evaluations. It includes regular management and supervisory activities, and other actions personnel take when performing their duties.

When looking at any one category ( Operations Financial Reporting Compliance ), all five of the components, listed above, must be present and functioning effectively to conclude that internal control over operations is effective.

What are the key concepts for internal controls?

  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is affected by people. It is not merely policy manuals and forms, but people at every level of an organization.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to management and the Board of Regents.
  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

When is internal control effective?

Internal control can be judged effective in each of the three categories, respectively, if the Board of Regents and management have reasonable assurance that they understand the extent to which:

  • the entity's operational objectives are being achieved,
  • published financial statements are being prepared reliably, and
  • applicable laws and regulations are being complied with.

What are factors limiting internal controls?

  • Judgment – Managers in a well-controlled organization can make bad decisions.
  • Breakdowns – People with control responsibilities may not carry them out effectively.
  • Management Override – Managers may intentionally go outside established practices for illegitimate purposes.
  • Cost vs. Benefit – When resources are limited, managers properly accept a degree of risk when the cost of controlling the risk exceeds the benefit

Note: The above definition of internal control and related concepts are taken directly from Internal Control -- Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).