Internal Control Frequently Asked Questions

Internal controls are all the tools that senior leadership, management, and other personnel use to help provide reasonable assurance that TDOT's objectives are being achieved. The objectives and the related risks can be classified into one or more of the following three distinct but overlapping categories.

• Operations – The effectiveness and efficiency of operations
• Reporting – Reliability of reporting for internal and external use
• Compliance – Compliance with applicable laws and regulations

Internal control is comprised of the plans, methods, policies, and procedures used to fulfill the mission, strategic plan, goals, and objectives of TDOT; therefore, internal control is a system. It is not one event, but rather a series of actions that occur throughout TDOT's operations.

Internal controls are needed because they are a vital part of the overall risk management process. Risk management practices involve the risk assessment process which begins with identifying the risks, analyzing the risks, evaluating the risks, and creating an appropriate risk response.

• Risk identification is a process that is used to find, recognize, and describe the risks that could affect the achievement of objectives.
• Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that you have identified and to estimate the level of risk. It is also used to study impacts and consequences and to examine the controls that currently exist.
• Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.
• Risk responses include acceptance, avoidance, mitigation, and transference.

Internal controls are a form of risk mitigation technique. Internal controls are needed because TDOT has a variety of exposures, risks, and threats that can prevent it from achieving its operating, reporting, and compliance objectives.

Internal controls are important because they are TDOT's first line of defense in safeguarding assets and helping ensure the effective stewardship of public resources. It is important for a number of reasons.

• Internal controls are important because a well-designed internal control system protects TDOT’s assets from accidental loss, fraudulent activities, and theft.
• Internal controls ensure that management has accurate, timely, and complete information from the accounting records. This helps management plan, monitor, and report business operations.
• Internal controls help to ensure that TDOT is complying with the many federal and state laws and regulations affecting operations.
• Internal controls provide an environment in which managers and staff can maximize the efficiency and effectiveness of their operations.
• An internal control system provides a mechanism for management to monitor the achievement of operational goals and objectives.

The framework used by the State of Tennessee, as outlined in the Financial Accountability Act of 1983, is the one developed by the Committee on Sponsoring Organizations of the Treadway Commission. Internal control consists of five integrated components.

• Control environment: A sound control environment is created by management through communication, attitude and example. This includes a focus on integrity, a commitment to investigating discrepancies, diligence in designing systems and assigning responsibilities.
• Risk Assessment: This involves identifying the areas in which the greatest threat or risk of inaccuracies or loss exist. To be most efficient, the greatest risks should receive the greatest amount of effort and level of control. For example, dollar amount or the nature of the transaction (for instance, those that involve cash) might be an indication of the related risk.
• Control activities: These are the activities that occur within an internal control system. These are fully described in the next section.
• Information and communication: The availability of information and a clear and evident plan for communicating responsibilities and expectations are paramount to a good internal control system.
• Monitoring: The system of internal control should be periodically reviewed by management. By performing a periodic assessment, management can assess the quality of performance over time and assures that internal processes are working as intended.

Everyone in TDOT has a responsibility for internal control.

• Senior Leadership, including the Commissioner and Bureau Chiefs, are ultimately responsible and assume "ownership" of the system. They set overarching policies and procedures and establish the "tone at the top" that affects integrity and ethics and other factors of a positive control environment. They provide the leadership and broad direction for various Division Directors and reviewing the way they are controlling the business.
• Division Directors and Managers design, implement, maintain, and monitor specific internal control activities for their respective areas of responsibility.
• Internal Auditors play an important role in evaluating the effectiveness of control systems, and contribute to ongoing effectiveness. Because of organizational position and oversight responsibilities within an entity, an internal audit function often plays a significant monitoring role.
• Field Personnel are involved in following the policies and procedures and report observed activities that are not in line with the accepted and appropriate behavior. Field personnel should report instances of fraudulent activities.

• Preventive - designed to avoid errors or irregularities from occurring initially; they are proactive. Preventive control activities aim to deter the instance of errors or fraud. Preventive activities include thorough documentation and authorization practices. Preventive control activities prevent undesirable "activities" from happening, thus requiring a well thought out processes and risk identification.
• Detective - designed to identify an error or irregularity after it has occurred; they are both proactive and reactive. Detective control activities identify undesirable "occurrences" after the fact. The most obvious detective control activity is reconciliation.
• Corrective - designed to correct errors or irregularities and prevent recurrence once they have been discovered; they are reactive.

Subject matter experts agree there are two general classifications of Internal Control - soft controls and hard controls. “Soft Controls” relate to the people performing the work and are behavioral in inclination. “Hard controls” relate to the processes and activities those people do.

Yes, internal controls do have limitations. In considering limitations of internal control, two distinct ideas must be recognized. The first set of limitations concedes that some events or conditions are simply beyond management’s control. The second acknowledges that no system of internal control will always do what it is designed to do. No internal controls, even ones that are smartly designed and implemented are foolproof. They are never perfect because of cost-benefit considerations; we can only place controls appropriate to the value of the asset we need to protect. Internal controls aim only to provide reasonable assurance and never absolute assurance. There are five main internal control limitations, namely:

• Overrides - Personnel who have managerial responsibilities are in a position to override controls for personal gain and advantage. They are also in position to ignore or stifle communications enabling dishonesty, misrepresent results, and fraud to occur. However, override should not be confused with management decisions or interventions, which are management actions to depart from prescribed policies and procedures for legitimate purposes.
• Judgment - Control effectiveness is limited by decisions made by humans who are sometimes under pressure to conduct business with imperfect information.
• External Events - Sometimes, peripheral events may have a significant impact on the achievement of objectives and the impact cannot be mitigated to an acceptable level because it is beyond the organization’s influence sphere.
• System Breakdowns - A well-designed internal controls system can break down when employees misunderstand instructions (and perform incorrectly) or simply make mistakes. Errors may also result from new technology and the complexity of computerized information systems.
• Collusion - Perhaps the most difficult limitation to detect and ascertain is collusion. Collusion happens when multiple individuals conspire to circumvent existing controls. Individuals acting collectively can alter financial data or other management information in a manner that cannot be identified or even detected by existing control systems.

Yes, there are several practices that are widely adopted by various organizations. It is important to view internal control as a continuum; it begins with preventive controls that are monitored by detective controls and improved through corrective controls. Therefore, internal control is composed of proactive and reactive measures. With a good internal control system in place, other considerations to keep in mind include:

• Instituting avenues for reporting fraud, waste, and abuse.
• Responding to allegations of reported fraud, waste, and abuse.
• Regularly communicating updates and reminders of policies and procedures to staff through emails, staff meetings and other communication methods.
• Using the Internal Audit function to periodically assess risks and the level of internal control required to protect TDOT assets.
• Periodic reviews by managers to see if their operations are achieving the desired results.
• Reviewing security protocols for facilities and equipment.
• Keeping appropriate documentation to validate transactions and activities.
• Educating and training employees on operational procedures.
• Performing reconciliations on financial transactions and purchases to make sure items purchased are needed, approved, and physically received.

When Internal Audit makes recommendations to improve existing controls, we often hear common arguments for not implementing the recommendations. These arguments really represent the dangers to unsuspicious management and each argument is in itself a problem that needs to be resolved.

• “Controls are too expensive.”
  If implementing a recommended control appears too expensive, it would be wise to consider the full cost of a fraudulent event that could occur because of absent controls. The cost considerations should include lost funds, lost productive time, investigative efforts, litigation costs, and others. Fraud is always expensive and prevention is more cost effective than any reactive measures.
• “There is not enough manpower to have adequate segregation of duties.”
  The problem of not having enough staff should be thoroughly assessed. What we would like to strive for in implementing controls is not segregating duties per se, but rather the segregation of incompatible duties. In most cases, placing compensating controls can solve observed control deficiencies.
• “Controls are unnecessary, we trust our employees.”
  The issue of trust is the one of the hardest to explain; especially for a mature organization whose personnel has worked together as a unit for a very long time. We understand that most TDOT employees are trustworthy and responsible. However, it is also the responsibility of management to remain objective. Thousands of fraud cases show that the most trusted employees are the ones who are involved in committing frauds.

There are many misunderstandings associated with internal controls, but here are the facts.

• MYTH: “Internal controls are implemented by internal auditors.”
  FACT: Senior Leadership, Division Directors, and Management are the owners of internal controls. Auditors only assess the presence, design, implementation, and effectiveness of those internal controls.
• MYTH: “Internal controls have nothing to do with operations. They are all about finance and accounting.”
  FACT: Internal controls are fundamental to every aspect of TDOTs business operations; it spans more than just finance and accounting.
• MYTH: “Internal controls result from policies. If a policy doesn’t exist, we don’t have to do it.”
  FACT: Partly true, internal controls are based on a robust control environment together with prudent business practices. In most organizations, these business processes are oftentimes defined and supported by written policies. However, the lack of formal policies is not a determinant of sound or prudent business practices. This is especially true for a very mature organization that operates effectively on an “unwritten” code. The absence of written policies should not preclude the presence of good internal controls.
• MYTH: “Internal controls inhibit us from performing daily activities and responsibilities.”
  FACT: To the contrary, internal controls make the right thing happen the first time and prevent unwanted incidents from happening. Internal controls should be built into, not onto, business processes and helps make performing daily activities better.
• MYTH: “If controls are robust, we can be assured that all errors and irregularities will always be detected.”
  FACT: Internal controls can only provide reasonable, not absolute, assurance that the organization’s objectives will be achieved. Just like any system, it will have its limitations.