Appendix A


The Internal Control Structure

What Are Internal Controls? Internal Controls are processes designed by management to provide reasonable assurance that the Institute will achieve its objectives. They are tools used by all managers, from the Support Staff level to the President of the Institute, every day to help assure that their Department, Laboratory, or Center (DLC) is operating according to plan. Internal Controls may be designed to safeguard assets; maintain the accuracy and reliability of accounting data; promote operational efficiency; and/or encourage adherence to prescribed managerial policies.

Internal controls can generally be classified as preventive or detective. Preventive controls are designed to discourage errors or irregularities. For example, a supervisor's review of purchases for propriety and validity before approval prevents inappropriate expenditures. Detective controls are designed to identify an error or irregularity after it has occurred. For example, a supervisor's review of long distance telephone charges will detect improper or excessive personal calls that should not have been charged to the cost collector.

What Is The Internal Control Structure? Together, the policies, procedures, organizational design, and physical barriers developed and employed in all DLCs throughout the Institute constitute our internal control structure. Through careful design, a strong internal control structure can help your DLC operate more efficiently and effectively, providing a reasonable level of assurance that the processes and products for which you are responsible are adequately protected.

What Can Jeopardize Internal Controls? While many circumstances may compromise the effectiveness of internal controls within your DLC, a few of the most common and serious of these warrant special mention:

1. Inadequate Segregation of Duties -- Separating responsibility for physical custody of an asset (e.g., funds, equipment, intellectual property) from the related record keeping and financial review is a critical control.

  • Persons who are authorized to purchase on a cost collector should not be responsible for review of activity on that same cost collector.
  • The person who prepares the deposit should not post the receipts in SAP.
  • The person who prepares the payroll voucher should not distribute or have custody of the payroll checks.

2. Inappropriate Access to Assets -- Internal controls should provide safeguards for physical objects, restricted information, critical forms, and update applications.

  • An employee who only needs to view computer information should be restricted to "Display Only" access and should not be granted "Update" access.
  • Only authorized individuals should be issued keys for restricted areas.

3. Inadequate Knowledge of Institute Policies - The Institute is not a static environment -- new policies and policy revisions are a part of our continual evolution.

Many Institute policies are available electronically and printed copies can be supplied upon request by contacting the relevant Institute department. Managers must stay abreast of these changes and understand their responsibilities.

4. Fiscal Misconduct - If any employee knows or suspects that other Institute employees are engaged in theft, fraud, embezzlement, fiscal misconduct, or violation of Institute financial policies, they should immediately notify their Ombudsperson, the Audit Division, or MIT Campus Police.

5. Form Over Substance - Controls can appear well designed but still lack substance, as is often the case with required approvals.

  • Unless the signer of a DACCA (attesting to its accuracy) is someone with firsthand knowledge of the work performed, the control lacks substance.

6. Control Override - Exceptions to established policies are sometimes necessary to accomplish a specific task, but can pose a significant risk if not effectively monitored and limited.

  • Thorough documentation and approval of all exceptions will help management ensure the availability of a clear explanation for unusual transactions or events. A periodic review of these exceptions also helps to identify the need for policy or procedural changes.

7. Inherent Limitations - There is no such thing as a perfect control system. Staff size limitations may obstruct efforts to properly segregate duties, which requires the implementation of compensating controls to ensure that objectives are achieved. A limitation inherent in any system is the element of human error (misunderstandings, fatigue, and stress).

  • An AO who encourages employees to take earned vacation time can improve operations through cross training while enabling employees to overcome or avoid stress and fatigue.

Can We Ever Have Too Many Controls? Yes. All controls have some cost component, whether measured in cash expended or in staff time and effort. The cost of implementing a specific control should not exceed the expected benefit of the control.

  • The potential loss of a computer printer may justify the cost of a door lock but not an alarm system.
  • The potential for Long Distance telephone abuse justifies monitoring telephone usage, but not a call-by-call reconciliation.

Inadequate controls, on the other hand, present undue risk. Therefore, a conscious effort should be made to achieve an appropriate balance between cost and control. A well designed internal control structure can enhance operations by improving your DLC's overall efficiency and effectiveness, while also reducing the risk of loss or theft. In analyzing the pertinent costs and benefits, managers should also consider the possible ramifications for the Institute at large and attempt to identify and weigh the intangible as well as the tangible consequences.

  • It may be difficult to determine the cost of poor public relations and lost goodwill if insufficient internal controls were to result in misappropriation of Federal funds and a front-page story in The Boston Globe.

By acknowledging the controls inherent in our current systems and reducing procedural requirements accordingly, these guidelines can help reduce the administrative burden in your DLC.

Who Is Responsible For Internal Controls And The Internal Control Structure? The manager is responsible for ensuring that internal controls are established and functioning to achieve the mission and objectives of the DLC. To evaluate internal controls, managers should first think about the following general objectives, then identify specific DLC objectives within these broad categories:

  • Propriety of Transactions for all activity within the cost objects for which the manager is responsible;
  • Reliability and Integrity of Information for internal management decisions and external agency reports;
  • Compliance with Institute policies and applicable government regulations, including but not limited to Human Resources, OSP, Procurement, Property, CAO, granting agencies, other sponsors, and federal government agencies;
  • Safeguarding Assets, including cash, equipment, DLC or Institute data, and intellectual property; and
  • Economy and Efficiency of Operations to optimize the use of limited resources in accomplishing the mission of the DLC and the Institute.

Next, identify what controls currently exist (or should be established) to reasonably assure the achievement of each specific objective for your DLC.

What Is The Audit Division's Responsibility? The MIT Audit Division provides an objective evaluation of the adequacy of internal controls and reports the results to Institute senior management and the Corporation Auditing Committee. Auditors look at how the internal controls within an operation work together to make up the internal control structure. Auditors gather information about the mission and processes of the DLC, discuss the major objectives with the AO, and identify control points within each process where an error, irregularity, or inefficiency is likely to occur.

The auditor documents existing controls at each significant control point, evaluates the adequacy of the controls to ensure achievement of the objective, and then tests the controls to verify they are working as described. Further discussions with the AO focus on control risks, AO insights, and potential control enhancements. When risks are greater, more extensive controls are warranted.

The auditor's evaluation may include an examination of some or all of the following internal control elements:

  • Organizational charts, a visual presentation of lines of authority.
  • Authorization Procedures - including a thorough review of supporting information to verify the propriety and validity of transactions. Approval authority should be commensurate with the nature and significance of the transactions and in compliance with Institute policy.
  • Consolidated Salary Expense Analysis (DACCA) reports for evidence of certification by a supervisor with direct knowledge of the work performed.
  • Segregation of Duties - should reduce the likelihood of errors and irregularities. An individual should not have responsibility for more than one of the three transaction components: authorization, custody, and record keeping.
  • Adequacy of supporting documentation and verification, propriety of assigned general ledger accounts, and compliance with Federal and Institute guidelines for selected transactions.
  • Competency of personnel.
  • Physical Restrictions - are the most important type of protective measure for safeguarding Institute assets, processes, and data.
  • Documentation and Record Retention - should provide reasonable assurance that assets are controlled and transactions are correctly recorded.
  • Monitoring Operations - is essential to verify that controls are operating properly.
  • General level of awareness of personal computer security in the office.

Additionally, the Audit Division performs a consultative role. Auditors serve on Institute teams and committees, helping to maintain and/or enhance internal controls and the internal control structure. Auditors are also available to answer questions from the MIT community regarding the establishment or enhancement of internal controls and the internal control structure.