Internal Audit & System of Internal Control
The Internal Audit Office aims to provide independent and objective assurance and related services to assist and lead to an improvement in the University’s operations. While offering a service to management, internal audit is not an extension of, or substitute for, line management, who remain fully responsible for having appropriate and adequate internal controls. The Internal Audit Office does not design, implement or operate control systems, although it may provide consultancy services / an opinion at the time of implementation.
The role of internal audit is to determine whether the systems, procedures and controls that management operate are being complied with and are adequate. It is a systems-based approach which aims to encompass all aspects of a department’s functions and responsibility.
Internal controls are activities designed to determine, direct or command processes in order to achieve a desired outcome.
An internal control system encompasses the policies, procedures, processes, tasks, behaviours and other aspects of an organisation that, taken together:
- facilitate effective and efficient operations by enabling the organisation to respond to its significant risks;
- assist in ensuring the quality of internal and external information and reporting;
- assist in compliance with applicable laws, regulations and internal policies and procedures; and
- provide management with the capability to monitor and assess the level of compliance with organisational internal controls.
Suggested Internal Controls Checklist
This checklist is not intended to be an exhaustive list of the internal controls required for each department*. It is designed to assist and provide guidance on the possible features of an effective system of internal controls. Each department* is encouraged to identify its significant risks and tailor the system of internal controls accordingly in order to mitigate these risks. Components of an effective system of internal controls should include:
Segregation of Duties: The staff member who raises a purchase requisition, transaction approver, custodian and account reconciler should not be the same individual. In the case of cash handling, one individual should not be responsible for the initiation, processing, recording and reporting of the transaction;
Authorisation: Those charged with the responsibility to approve transactions should be of an appropriate level of management / seniority within the department*. Transaction approvers should be familiar with the University's policies and procedures, terms and conditions of the transaction or terms of endowment / project contract terms in order to provide informed authorisation and approval for the transaction;
Reconciliations: Financial reports related to the department* should be prepared on a periodic basis and reviewed by management. Significant accounts (in quantum or sensitivity) should be reconciled to supporting documentation on a periodic basis;
Governance / Performance Review: Executive management in each department* should perform a regular review of academic and administrative resource inputs and outputs to ensure intended quality and value for money is obtained;
Error Handling via journal entry should be approved and documented by an individual of relevant authority in a timely manner in addition to the sign off of the preparer of the journal;
Budget Review: Comparison of budget income and budget expenditure to actual income and actual expenditure should be performed on a monthly basis and approved by department* management;
Books & Records: Sufficient records should be maintained by the department* for the time periods suggested by the Corporate and Legal Affairs Department of the University (source: https://www.ucc.ie/en/ocla/policy/);
Safeguarding of Assets: Assets purchased by the department* 1) should be safeguarded and 2) reviewed to ensure proper insurance cover is maintained. Further details on asset management are contained in the University's Finance Office policy suite and are available at https://www.ucc.ie/en/financeoffice/fp/;
Conflict of Interest: Staff in each department* should be aware of any potential conflict of interest in department* activities and the need to demonstrate fairness at all times in decision making. Appropriate action to avoid actual / perceived conflicts of interest should be taken in each department* to ensure that all staff adhere to the University's policy on conflict of interest;
Risk Management: A sound system of internal control depends on a regular and thorough evaluation of the operational, strategic and reputational risks to which the department* is exposed. The UCC Risk Management process is outlined in the Risk Management Policy and User Guide available at https://www.ucc.ie/en/ocla/risk/.
* Please note that 'department' mentioned above is defined in a broad sense meaning department, institute, college, school, office, centre, or unit of the University. It is important to emphasise that responsibility to ensure that an appropriate system of internal controls is maintained at the local level rests, in the first instance, with local management of each department, institute, office, centre, or unit of the University.