A sound control environment is critical to any organization. The health of a college’s or university’s control environment is directly impacted by strong internal controls which are built into policies, processes, and procedures. An appropriate and direct “tone at the top” that is communicated regularly and effectively to employees is also important, along with an ethical organizational culture which sets the expectation of doing the right thing all the time.

Even with all of these positive control environment attributes in place, however, there is still the possibility that policies, processes and procedures (“the Three Ps”) won’t be executed in the manner intended. Implementing a management self-assessment program (MSAP) is one way in which management may validate/verify that the Three Ps are indeed functioning as intended and identify areas where the strengthening of internal controls is required. A well-functioning MSAP contributes to a strong control environment, which assists a college or university in meeting its objectives and minimizes the possibility of unexpected events occurring which may impede the institution’s operations across a variety of fronts.

Establishing and Maintaining a MSAP

The first step in establishing a MSAP is to identify all significant processes or process cycles across the college or university. Examples of such processes include revenue/billing, financial aid, procurement, travel, fixed assets, and treasury. This exercise should not be rushed and should include input from managers across the college to ensure that all significant processes have been identified.

Once processes have been identified, they need to be well documented. Documentation may include process flow charts, but at a minimum, should include comprehensive narratives. Depending on the college, thorough process documentation may take some time. This is time well spent, however, and will engage the employees involved to start thinking about processes and controls. The documentation should be completed by managers who are responsible for specific processes.

The next step in the MSAP process is for responsible managers to identify and document key controls within their documented significant processes. These key controls are the controls that are critical to ensuring that the processes are functioning as intended and that prevent inappropriate activity from happening (i.e.;fraudulent activities).

After the key controls have been identified and documented, the next step is to establish a testing plan. The important attributes of a sound testing plan include:

  • Testing should be performed once or twice every year
  • If possible, testing should be performed by someone independent of the process being tested
  • To the extent possible, the transactions and accounting entries tested should be randomly selected
  • The number of transactions tested can vary, but should equal a number that is considered to adequately represent the population of transactions
  • All aspects/attributes of the transactions and accounting entries tested should be reviewed for compliance with the related policy, process, and procedure
  • All testing performed should be documented, including exceptions

Once the testing phase of the MSAP has been completed, the testing results should be summarized. This summary should be included in a letter of representation. This summary and letter should be prepared by the senior manager responsible for the process tested. The representation letter could state one of the following:

  • Based on the transactional and accounting entry testing performed, which covered the period {enter period}, I represent that the {process name} process appears to be functioning as intended and that adequate internal controls are in place to ensure process integrity.
  • Based on the transactional and accounting entry testing performed, which covered the period {enter period}, I have discovered that internal controls over the {process name} process need to be enhanced to ensure process compliance. The following enhancements to the process will be made immediately to ensure that better controls exist so that the {process name} process functions as intended on a consistent basis. Enhancements include: {list enhancements}.

The letter of representation should be signed by the process area senior manager and provided to the college or university CFO (or others as the institution may determine). If the college has its own internal audit function, providing a copy of the letter of representation and testing to the internal audit department will also facilitate risk assessment activities and internal audit engagement efficiency for both management and the internal audit staff.

The steps to establish and maintain a MSAP described here should be considered general guidance; flexibility may be applied. The success of any program is to make sure that it is designed in a manner that will ensure institutional success. In addition, senior management support of the MSAP is very important and will significantly impact the program’s success.

This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.

Recent Articles

View All Articles