Section 4 Internal Controls
Internal controls are a combination of measures put in place to ensure that the financial and physical assets of the school are safeguarded, so that the risk of theft and fraud is minimised. This section provides an overview of internal controls and some general examples. Each section of this manual also includes internal control measures specific to that item.
This is to ensure that the accounting information produced is accurate and complete, and that the financial information obtained from the school's accounting system can be relied upon and used with confidence by all people involved in financial decision-making. Good internal control protects staff and school resources.
4.2 Preventative controls
These controls are designed to discourage errors or irregularities from occurring. They are proactive actions that help ensure objectives are being met.
4.2.1 Preventative controls include (this is not an exhaustive list)
Segregation of duties — this means that no one person is responsible for doing everything. For example, the person who enters the invoice into CASES21 is different from the person who approves the payment of the invoice.
This type of control serves two purposes. It ensures there is oversight and review to detect errors and it helps prevent fraud because it requires at least 2 people to collude in order to hide a transaction.
In the case of single operator schools where segregation of duties is not practicable, compensating safeguards must be established to manage potential risk.
Schools should also consider Conflict of Interest (COI) when implementing this control or compensating safeguards when it is not possible to segregate duties. COI is a particularly relevant risk for consideration in small schools as compensating safeguards are often required.
In very small schools, principals (or nominees) are advised to randomly (minimum of 2 checks a term) verify that the cash handling and recording process has been correctly undertaken. Please keep a signed record of these random checks for audit purposes.
Authorisations — Authorisations may be specific or general. Specific authorisations relate to individual transactions and require formal approval by school personnel who have proper approval authority. A purchase order approval is an example of a 'specific' authorisation. It is important to remember that approving a transaction is assuming responsibility for the authenticity of that transaction or verifying it. An example of a general authorisation is matching of vendor invoices to delivery reports and purchase orders prior to payment to ensure that the school is only paying for items actually received and in accordance with negotiated terms and prices.
Electronic security — Electronic security must be designed to prevent unauthorised access to systems, software and data. Secure passwords, security tokens and access roles limit access to transactions and data to those required by individuals and authorised for their use. Schools are to have procedures in place to ensure that passwords and tokens are secure and that access roles are regularly reviewed.
Physical security — Physical security must be designed to prevent unauthorised access to school assets and accounting records. Examples of physical security include a safe, vault, locked doors/desk drawers, and card key systems.
Employee background checks — this includes the Department’s recruitment checks as well as requiring all teaching staff (including CRTs) to have a current Victorian Institute of Teaching (VIT) registration, all non-teaching staff to have a current Working with Children Check and all employees who handle cash to have undertaken a criminal record check.
Employee training and professional development — having a well-trained, competent workforce that allows role rotation of staff will provide opportunities for multiskilling and will enhance the internal control system of the school. For example, specific 'how to' training will support hard controls such as processing accuracy and information quality while values and induction type training will support soft controls as they will set out desirable behaviours and reinforce morale.
4.3 Detective controls
These are designed to find errors or irregularities after they have occurred.
4.3.1 Examples of detective controls (this is not an exhaustive list)
Reconciliations — A reconciliation is the process of comparing transactions and activity to supporting documentation to ensure accuracy and validity. It also involves resolving any discrepancies that may be identified and undertaking corrective action within the month that the anomaly or anomalies are discovered. For example, conducting a bank reconciliation at the end of the month to match or explain the difference between the cash at bank figure on CASES21 and the balance shown on the bank statement.
Review of financial statements for irregularities — this may identify errors in transaction processing. For example, reviewing the figures on the operating statement to identify any negative year to date balances that may indicate the incorrect posting of a journal.
Review of actuals to budget — this allows for the identification of variances between actual performance and what was projected or expected. Variances can be analysed and corrective action taken.
Audits — Audits can be formal or informal. Formal audits can provide an objective independent examination of the financial statements, procedures and controls. This can increase the value and credibility of the financial statements and increase user confidence. It can also identify weaknesses that may require attention. Informal audits may include ‘spot checks’ such as an independent person counting the daily banking to verify processes.
Stocktakes — must be used to verify the existence of assets and identify any losses that may have occurred.
Employee monitoring — this must involve activities such as performance reviews, role rotations, multi-skilling, checking hours of work (employees working outside normal hours when there is less supervision), checking when and if annual leave is taken (reluctance to take leave may indicate some inappropriate activity that an employee does not want discovered), etc.
4.4 Corrective controls
These are designed to correct errors or irregularities that have been detected.
4.4.1 An example of corrective controls
Data backups on U drive — A functioning system can be restored from data backups in the event of a crash or if corrupted or invalid data is identified. As U drive is automatically backed up on a daily basis, schools must ensure they keep all relevant information on this drive.
Process whereby differences between bank account balances reported on the bank statement and bank account balances reported in CASES21 are identified and explained.
CASES21 (Computerised Administrative System Environment in Schools) is the software package provided to Victorian Government Schools to support school administration, finance and central reporting.
Conflict of Interest (COI)
Conflict of Interest arises in circumstances where an employee’s public duty is influenced, or can be seen to be influenced, by a private interest.
Terms of payment negotiated with suppliers.
Resources available to the school including equipment, data and cash.
Device that works in conjunction with a password to provide an additional level of security. Often used with online banking packages.
Reviewed 21 October 2020