Internal Controls

Risks (Why Controls Matter)

Risks are the possibility that UMBC will not:

• Achieve its goals
• Operate efficiently and effectively
• Protect itself from loss, waste, or fraud
• Comply with laws and defined policies

COSO-Based Components of Internal Control

UMBC adopts the five interrelated components of internal control from the COSO framework:

1. Control Environment – Sets the tone at the top; integrity, ethics, competence, accountability
2. Risk Assessment – Identify and analyze risks to objectives; align controls with key risk
3. Control Activities – Policies/procedures (e.g., approvals, verifications, reconciliations, segregation of duties) that mitigate risks
4. Information & Communication – Timely capture and flow or relevant information
5. Monitoring – Ongoing oversight and periodic evaluations to detect and correct deficiencies; supports timely adjustment of internal control measures

---

Types of Control Activities & Examples

UMBC utilizes multiple internal control activity types to manage risk effectively:

• Preventive Controls
  • Designed to deter errors or irregularities before they occur (e.g., segregation of duties, access restrictions)
• Detective Controls
  • Identify and alert management to issues after occurrence (e.g., reconciliations, independent transaction reviews)
• Corrective Controls
  • Implemented after issues are detected to remediate causes (e.g., adjustments, process updates)

Common Activities Include:

• Approvals, Authorization, & Verification (Preventive): Ensuring transactions are reviewed and approved by individuals with proper authority. Approvers must confirm documentation is complete, accurate, appropriate, and complaint with UMBC policies. Unusual or questionable items should always be investigated.
  • Authorization must come from a higher-level supervisor.
  • No employee should approve payments to themselves or vendors for their own expenses.
  • Access to confidential information must follow “need-to-know” principles.
• Physical Controls (Preventive): Protecting university assets from theft, misuse, or accidental loss.

Examples include:

• • Secure storage (locked rooms, safes, controlled inventory)
  • Restricted access to buildings, offices, vehicles, credit cards, or sensitive materials
  • Collecting keys, ID cards, credit cards, and updating access when staff transfer or separate from the university
• Segregations of Duties (Preventive): Separating responsibilities for authorizing, recording, and reconciling transactions to reduce opportunities for fraud or error. No one person should be able to control a transaction from beginning to end without intervention or review by at least one other person. Specifically, an individual should not be in a position to initiate, approve, undertake, and review the same action. This principle is not limited to financial activities alone (ie. processing student grades). Involving two or more people to perform key responsibilities reduces the opportunity for misappropriation of funds or fraud.

If full segregation isn’t possible due to staffing:

• • Use compensating controls such as independent reviews, random checks, or exception report monitoring.

• Accountability (Detective): Maintaining an audit trail that clearly identifies who performed each step in a process. Audit trails can include:
  • Signatures or initials
  • Date/time stamps
  • System login IDs
  • Workflow logs

These help isolate responsibility for errors and irregularities.

• Reconciliations (Detective): Comparing two independent sets of records (e.g., bank statements vs general ledger) to ensure completeness and accuracy.
  • Reconciliations help detect errors, omissions, or irregularities.
  • Differences must be investigated and resolved promptly.

---

Roles & Responsibilities

Everyone has a role in internal controls; roles vary depending on the level or responsibility of the individual.

• Senior Leadership
  • Establish the presence of integrity, ethics, and competence
  • Promote and model a positive control environment.
  • Allocate resources and set expectations for risk management and controls.
• Directors & Department Heads
  • Implement and maintain internal controls within their unit.
  • Ensure policies and procedures are adhered to.
  • Clearly communicate expectations and duties as part of the control environment.
• Managers & Supervisors 
  • Carry out day-to-day control activities.
  • Verify documentation accuracy and investigate anomalies.
  • Ensure staff are aware of proper internal control procedures for their job responsibilities.
• All Employees
  • Follow established internal control procedures.
  • Act ethically and responsibly.
  • Report concerns related to errors, irregularities, or potential control weaknesses.
• Internal Audit & Management Advisory Services
  • Independently assess control adequacy effectiveness.
  • Provide recommendations to strengthen control processes.

---

Continuous Improvement & Reporting

• Self-Assessments: Units can perform ongoing, internal reviews using tools like risk registers and COSO checklists
• Audit Feedback: Internal Audit issues reports with observations and recommendations; management must develop corrective action plans. Regular monitoring ensures timely implementation.

---

Final Notes

Strong internal control systems are essential to UMBC’s success. They not only minimize risks—such as fraud, waste, loss, and compliance failures—but also enhance operational efficiency and integrity. These systems are dynamic, requiring ongoing evaluation and adaptation to emerging risks and institutional objectives.