Internal Controls
FIN-ACC-470
About This Policy
- Effective Date: 12-01-2004
- Date of Last Review/Update: 02-09-2023
- Responsible University Office: Office of the University Controller
- Responsible University Administrator: Vice President and Chief Financial Officer
- Policy Contact: Internal Control Manager, Office of the University Controller
- Policy Feedback: If you have comments or questions about this policy, let us know with the policy feedback form.
Scope
This policy applies to all Indiana University units, financial leadership, and employees.
Policy Statement
It is the policy of Indiana University to create a strong culture of financial internal controls to ensure compliance, integrity and transparency. Additionally, it is the policy of the university to use and secure financial resources and assets in a responsible and appropriate manner to support the university’s mission, consistent with applicable laws, regulations and ethical practice.
The university follows the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework. Internal control, as defined by COSO, is a process effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
Reason for Policy
The objective of this policy is to establish best practices regarding internal controls at Indiana University. In addition, the university is required by Federal regulations, including Uniform Guidance and Generally Accepted Accounting Principles (GAAP), to maintain an effective internal control structure.
Procedures
All units are responsible for ensuring internal controls exist for all critical operations or activities. Financial controls must adhere to the internal control procedures outlined in the IU Accounting Standards, including required documentation for existing and new financial activities.
All Constituent Reporting Units (CRUs) must annually attest to their financial activity, internal control structure and overall adherence to IU Accounting Standards through the university’s Sub-Certification process.
Those charged with campus- and unit-level fiscal oversight are responsible for the following:
- Ensuring a structure of internal controls is established, documented, and functioning to achieve university- and unit-level mission(s) and objectives.
- Implementing a structure of internal controls and proper segregation of duties to avoid mismanagement, fraud, theft, or personal use of system resources and assets.
- Ensuring staff are appropriately credentialed for their financial roles.
- Ensuring staff are well-versed in university financial policies and IU Accounting Standards.
- Adhering to and implementing procedures set forth in the IU Accounting Standards.
All documented financial internal control procedures are subject to review upon request by the Office of the University Controller, Internal Audit, and any external auditors/agencies.
All employees are responsible for safeguarding university financial resources and assets to ensure they are used only for authorized purposes. All employees are also responsible for reporting fraudulent activities or misconduct according to IU Fraud (FIN-ACC-35) and Fiscal Misconduct (FIN-ACC-30) policies.
Definitions
- Internal control is a process, effected by an entity’s management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, financial reporting, and compliance. Each employee is responsible for internal controls relevant to that individual’s role within the university and that support the following objectives:
  - Operations Objectives – pertain to effectiveness and efficiency of the university’s operations, including operational and financial performance goals. These objectives promote orderly, economical operations and assist in achieving outcomes consistent with the university’s mission. Operations should safeguard resources against loss due to waste, mismanagement, errors, and fraud.
  - Reporting Objectives – pertain to internal and external financial and nonfinancial reporting. These objectives encompass reliability, transparency, and other terms as set forth by regulators, recognized standard setters, and university policies.
  - Compliance Objectives – pertain to adherence to laws and regulations to which the university is subject.
- Financial Controls and Accountability
  - Each employee of the university has a role in the system of internal control. Financial responsibilities are distributed throughout the university’s decentralized environment. Each university employee with an oversight role for the use of university funds and for financial operations and budgets is accountable for upholding control principles and is responsible for ensuring that internal controls are established, documented, and functioning to achieve the university’s and the unit’s mission and objectives. This responsibility includes requiring that staff are educated and well-trained on university financial policies.
  - The Internal Audit department is responsible for the independent review and assessment of the adequacy and effectiveness of internal controls at all levels of the university. Since Internal Audit must remain independent and objective, that unit will not have responsibility for establishing or maintaining the university’s internal control systems.
- Components of Internal Control
  - Control Environment – the set of standards, processes, and structures that provide the basis for carrying out internal controls across the university. The control environment comprises the commitment to integrity and ethical values that establish oversight responsibility and enforce accountability.
  - Risk Assessment – the process to identify, analyze and assess risks to the achievement of objectives.
  - Control Activities – the actions established through policies and procedures to mitigate risks to the achievement of institutional objectives.
  - Information and Communication – the use of relevant information to disseminate clear messages. Sound internal controls establish expectations and procedures to support the reliability and integrity of financial information and reporting.
  - Monitoring Activities – the use of evaluations to ascertain whether internal controls are present and functioning.
History
This policy was established on December 1, 2004.
FIN-ACC-510 (Financial Sub-Certification) was consolidated into this policy in 2018.
The policy statement, reason for policy, and procedures were revised on October 7, 2022. These changes were posted for review in October 2022 and made effective on February 9, 2023.
On March 30, 2023, a non-substantive update was made to the title of the IU Accounting Standards referenced in the policy.