You can use the CSU Internal Audit Reports page(opens in new window) to search for more reports by title, category, year or campus.
Internal controls are practices that protect or make more efficient use of the University's assets. They are the kinds of things you already do because they are generally just good business practices. Internal controls can involve anything from protecting computer files with passwords to making sure the door is locked when everyone has gone home for the night.
Typically, management is responsible for developing an appropriate system of internal controls, but every employee is responsible for following and applying those practices. They may seem unimportant by themselves, but taken as a whole, they can have a major impact on the University's operations. Internal controls are typically preventive or detective.
Preventive Controls are designed to discourage or prevent errors or irregularities from occurring. They are more cost-effective than detective controls. Credit checks, job descriptions, required authorization signatures, data entry checks, and physical control over assets to prevent their improper use are all examples of preventive controls.
Detective Controls are designed to search for and identify errors after they have occurred. They are more expensive than preventive controls, but are essential since they measure the effectiveness of preventive controls and are the only way to effectively control certain types of errors. Account reviews and reconciliations, observations of payroll distribution, periodic physical inventory counts, passwords, transaction edits and internal auditors are all examples of detective controls.
Auditors evaluate the effectiveness of an operation's internal controls by gathering information about how a unit operates, identifying points at which errors or inefficiencies are possible, and identifying system controls designed to prevent or detect such occurrences. Then, they test the application and performance of those controls to assess how well they work. You can evaluate controls in your department's operations by following the same process.
Internal Controls are practices that protect or make more efficient use of the University's assets. Internal controls only provide reasonable assurance, a concept which recognizes that the "cost" of internal controls should not exceed the benefits derived from them. Control activities are those specific policies and procedures that help ensure management directives are implemented. They include a wide range of activities that occur throughout the organization, by supervisory and front-line personnel. Some examples of control activities are:
Separation of Duties: Duties are divided, or segregated, among different people to reduce the risk of error or inappropriate actions. For instance, responsibilities for authorizing transactions, recording them, and handling the related asset are divided.
Physical Controls: Equipment, inventories, cash and other assets are secured physically, and periodically counted and compared with amounts shown on control records. Access is restricted to those with authority to handle them.
Reconciliations: Comparisons are made between similar records maintained by different person to verify transaction details.
Policies and Procedures: Established policies, procedures and even job descriptions provide guidance and training to ensure consistent performance at a required level of quality.
