Internal Controls
Whether or not your section has ever been audited, you may have heard
of internal controls. This page presents a brief, practical discussion
of internal controls for the section’s manager.
What are internal controls and why are they important?
Internal controls are the methods employed to help ensure the achievement
of an objective. They are tools used by management every day.
- Writing procedures to encourage compliance, locking your office to
discourage theft, reviewing financial records, and reviewing staff performance
are common examples of internal controls.
All managers use internal controls to help assure that their sections
operate according to plan. And the methods they use--policies, procedures,
organizational design, and physical or electronic barriers--constitute
the internal control structure of MOSERS.
Most internal controls can be classified as preventive or detective. Preventive
controls are designed to discourage errors or irregularities. Examples
of preventive controls include:
- A computer application which checks validity prevents the entry of
an invalid account number or member ID number.
- Reading and understanding the Employee Handbook policies, such as
working hours, helps prevent violations of the Federal Fair Labor Standards
Act.
- A manager's review of purchases for propriety and validity prior
to approval prevents inappropriate expenditures.
- Monthly reviews of expenditures compared to budgeted amounts help
control expenses.
Detective controls are designed to identify an error or irregularity
after it has occurred.
- An exception report detects and lists incorrect or invalid entries
or transactions.
- A comparison of validated cash receipt reports to monthly financial
statements will detect deposits posted to erroneous accounts.
- The manager's review of invoices will detect improper expenditures.
Through careful design, the system of internal controls can help your
section operate more efficiently and effectively and provide a reasonable
level of assurance that the processes and assets for which you are responsible
are adequately protected.
What is the manager's responsibility?
Managers are responsible for ensuring that internal controls are established
and functioning to achieve the mission and objectives of their sections.
To evaluate internal controls, first think about the following general
objectives, then identify your unit's specific objectives within these
broad categories.
- Propriety of Transactions for all activity within
accounts for which the manager is responsible.
- Reliability and Integrity of Information for internal
management decisions and external reports.
- Compliance with Laws, Regulations, and Policies
including but not limited to: Employee Handbook policies, Purchasing
policies, Board policies, Governance Policies, and state and federal
government laws and regulations.
- Safeguarding Assets, including physical objects,
MOSERS building, investments, and MOSERS data.
- Economy and Efficiency of Operations to optimize
the use of limited resources in accomplishing the mission of the section
and MOSERS.
Next, identify what controls currently exist (or should be established)
to reasonably assure the achievement of each specific objective for your
section.
What is internal audit's responsibility?
Internal Audit provides an independent evaluation of the adequacy of
internal controls and reports the results to MOSERS administration and
the Board of Trustees. The auditor looks at how the internal controls,
within an operation, work together to make up the internal control structure.
The auditor gathers information about the mission and processes of the
section, discusses the major objectives with the manager, and identifies
control points within each process where an error, irregularity, or inefficiency
is likely to occur.
The auditor documents existing controls, evaluates the adequacy of the
controls to ensure achievement of the objectives, and then tests the controls
to verify they are working as described. Further discussions with the
manager focus on control risks, manager insights, and potential control
enhancements. The greater the risk, the more extensive the controls that may be warranted.
The auditor's evaluation includes an examination of the following internal
control elements (with examples):
Personnel - should be competent and trustworthy, with
clearly established lines of authority and responsibility documented in
written job descriptions and procedures manuals.
- Organizational charts provide a visual presentation of lines of authority.
- Periodic updates of job descriptions or periodic staff meetings ensure
that employees are aware of the duties they are expected to perform.
Authorization Procedures - should include a thorough
review of supporting information to verify the propriety and validity
of transactions. Approval authority should be commensurate with the nature
and significance of the transactions and in compliance with MOSERS’
policies.
- Time records should be signed by the employee and supervisor with
direct knowledge of the employee's work schedule.
Segregation of Duties - should reduce the likelihood
of errors and irregularities. An individual should not have responsibility
for more than one of the three transaction components: authorization,
custody, and record keeping.
- Authorization for a member’s purchase of service (Benefit Counselor)
is segregated from the collection of the revenue for the purchase (Accounting
Section).
Physical Restrictions - are the most important type
of protective measure for safeguarding assets, processes, and data.
- Safe combinations should be changed periodically and anytime a staff
member knowing the combination terminates employment.
- Critical forms, such as blank check stock, should be adequately secured.
- Alarm systems are necessary to adequately protect against fire damage
in the building.
Documentation and Record Retention - should provide
reasonable assurance that assets are controlled and transactions are correctly
recorded.
- The use of computerized member records helps ensure that paper records
will not be lost, misplaced or destroyed by a fire.
- All invoices are imaged for retrieval by all interested parties and
retained on the imaging system. Imaged invoices are reviewed for propriety
prior to payment.
Monitoring Operations - is essential to verify that
controls are operating properly. Reconciliation, confirmations, and exception
reports can provide this type of information.
- Annual equipment inventories provide assurance that assets physically
exist, were not misappropriated, and are available for use.
- Reconciliation of bank accounts ensures that all cash is accounted
for and no erroneous transactions were made by the bank.
- Semi-annual due diligence visits help ensure external money managers
are properly investing system assets as intended.
What can jeopardize internal controls?
While many circumstances may compromise the effectiveness of an internal
control structure, a few of the most common and serious of these warrant
special mention:
Inadequate Segregation of Duties - Separating responsibility
for physical custody of an asset from the related record keeping is a
critical control.
- Persons who can authorize purchase orders (managers) should not be
capable of processing payments (Accounting Section).
- The person who prepares the deposit should not post the receipts
to the customer accounts (insurance billings).
- The person who prepares the payroll voucher should not distribute
or have custody of the payroll checks.
Inappropriate Access to Assets - Internal controls should
provide safeguards for physical objects, restricted information, critical
forms, and update applications.
- An employee who only needs to view computer information should be
restricted to read only access and should not be granted “write”
access.
- Only employees with a legitimate business purpose should be authorized
access to the MIBs system.
- Computer passwords should be changed regularly.
Control Override - Exceptions to established policies
are sometimes necessary to accomplish a specific task, but can pose a
significant risk if not effectively monitored and limited.
- Thorough documentation and approval of all exceptions will help management
ensure the availability of a clear explanation for unusual transactions
or events. A periodic review of these exceptions also helps to identify
the need for policy or procedural changes.
Inherent Limitations - There is no such thing as a perfect
control system. Staff size limitations may obstruct efforts to properly
segregate duties, which requires the implementation of compensating controls
to ensure that objectives are achieved. A limitation inherent in any system
is the element of human error (misunderstandings, fatigue, and stress).
- A manager who encourages employees to take earned vacation time can
improve operations through cross training while enabling employees to
overcome or avoid stress and fatigue.
How much do internal controls cost?
The cost of implementing a specific control should not exceed the expected
benefit of the control.
- The potential loss of a computer printer may justify the cost of
a door lock but not an alarm system.
- Computer screen savers with passwords are inexpensive, effective
methods of protecting sensitive data on a computer.
Sometimes there is no out-of-pocket cost to establish an adequate control.
A realignment of duty assignments may be all that is necessary to accomplish
the objective.
- Checks received in the mail are immediately separated from supporting
documentation for restrictive endorsement and deposit. The supporting
documentation is given to a different employee (with a copy of the check,
if needed) for crediting the payment.
- Voided receipts are approved by someone (preferably a manager) other
than the person preparing receipts.
A well-designed internal control structure can enhance operations by
improving a section’s overall efficiency and effectiveness, as well
as reducing the risk of loss or theft.
- A bank lock box (or another lockable storage device) establishes
accountability and restricts access to cash, in addition to streamlining
operations by providing immediate deposits.
In analyzing the pertinent costs and benefits, managers should also consider
the possible ramifications for MOSERS and attempt to identify and weigh
the intangible as well as the tangible consequences.
- It may be difficult to determine the cost of poor public relations
and lost goodwill if an ex-employee steals cash because the manager
did not change the safe combination or change the passwords on a computer
system upon an employee's termination.
Internal controls should reduce the risks associated with undetected
errors or irregularities, but designing and establishing effective internal
controls is not a simple task and cannot be accomplished through a short
set of quick fixes. However, I hope that this document has helped to explain
the basic internal control concepts and has presented some ideas for improving
your section's controls.
For further advice and assistance in designing internal controls appropriate
for your operation, you may contact the internal auditor at any time.