001.6 Internal Controls

Portland State University has a responsibility to prevent and detect fraud, waste and abuse and to hold accountable those who engage in it. If you are aware of fraud, waste or abuse occurring within PSU, you can report it to the Ethics Point hotline.

In order to prevent financial irregularity, PSU is responsible for establishing and maintaining sufficient internal controls. In September 1992, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued the "Internal Control - Integrated Framework" report. PSU uses the COSO model as a basis for designing sufficient controls over its financial accounting and reporting process. The COSO model includes five interrelated components:

CONTROL ENVIRONMENT: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Basic to the control environment are organization structure, assignment of authority and responsibility, and human resources policy. More difficult to quantify are ethics, commitment to competence, and management operating style.

RISK ASSESSMENT: Risk assessment is the identification and analysis of risks relevant to achievement of objectives, forming a basis for determining how the risk should be managed. Management's responsibility is to define compatible, relevant objectives and the risks related to achieving those objectives. Management should have a basis for determining which risks are most critical. Management is also responsible for ensuring mitigation of key operating risks.

CONTROL ACTIVITIES: Control activities are the policies and procedures that help ensure management directives are carried out. Control activities reflect management's risk mitigation strategy in the form of directive, preventive and detective controls. Focus is on achieving effective and efficient resource usage as measured by the degree of achievement of control objectives. Control activities help ensure necessary actions are taken to address risks relevant to achievement of objectives. Examples are physical controls and segregation of duties.

INFORMATION AND COMMUNICATION: Information and communication are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities. Information systems deal with both internally generated data and information about external events, activities, and conditions. Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control. Management is obligated to communicate the standards of measurement for evaluating operations. In other words, sufficient relevant communication promotes awareness of internal control objectives so employees understand how their individual actions interrelate and recognize how and for what they will be held accountable.

MONITORING: Monitoring is a process established by management that assesses the quality of internal control performance over time. Monitoring provides external oversight, either ongoing or in the form of independent checks of internal controls by management or other parties outside the process.