UVM has adopted the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) internal control framework for designing, implementing, conducting, and assessing the effectiveness of internal control.
Definition
COSO defines internal control as “a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
1. Effectiveness and efficiency of operations
2. Reliability of financial reporting
3. Compliance with applicable laws and regulations”
The COSO internal control framework consists of three related elements: the objectives an organization strives to achieve, the components required to achieve the objectives, and the organizational structure in which the components are enacted.
Components
An effective system of internal control requires that each of the five internal control components be present and functioning, and that all five components operate together in an integrated manner.
- Control Environment: “the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.” This includes the “tone at the top” set by UVM Trustees and senior management, organizational values such as Our Common Ground, and the University’s Code of Business Conduct.
- Risk Assessment: “a dynamic and iterative process for identifying and assessing risks to the achievement of objectives…relative to established risk tolerances. Risk assessment forms the basis for determining how risks will be managed.” Effective internal controls create the appropriate balance between risk and reward (or effectiveness vs. efficiency) based on a risk assessment and the organization’s risk tolerance. For example, given a relatively low level of risk, a control that is 100% effective may be inefficient and overly bureaucratic. Conversely, insufficient controls for a higher-risk area could jeopardize the University’s ability to achieve its objectives.
- Control Activities: “the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.” The University’s financial operations are informed and guided by University policies and operating procedures. Policy creates the appropriate and judicious ‘space’ needed for people to conduct the financial business of the institution with responsibility and discretion. Policies also identify requisite connections between persons conducting the University’s financial business and the persons responsible for managing it.
  There are five major types of control activities:
  - Preventative: Proactive controls such as separation of duties, authorization and approvals of transactions, pre-numbered documents, documentation, verification, checks for reasonableness and completeness, access control and security
  - Detective: Reactive, often automatic or system-produced controls such as error messages and reconciliations.
  - Corrective: controls that correct or fix an error
  - Directive: less common, usually positively constructed controls such as the Moral, Social and Ethical Considerations in Investment Strategy section of UVM’s Statement of Investment Policies and Objectives
  - Compensating: workarounds, fail-safes, arrangements for special circumstances or situations
- Information and Communication: Relevant and quality information from internal and external sources, communicated and disseminated throughout the University, supports the effective functioning of the other internal control components.
- Monitoring Activities: Continuing and periodic evaluations of the five components of internal control, as well as individual controls themselves, provide assurance of an effective and well-functioning internal control framework.