Internal Audit


Internal Control

Internal control is broadly defined as a process, effected by an entity’s board of trustees, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
  • Safeguarding of assets

Internal control consists of five interrelated components:

Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.

Risk Assessment

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.

Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information and Communication

Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.


Monitoring

Internal control systems need to be monitored, a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

COSO Internal Control – Integrated Framework


Ethics refers to well-founded standards of right and wrong that prescribe what humans ought to do, usually in terms of rights, obligations, and benefits to society, fairness, or specific virtues.

Ethical standards include virtues of honesty, integrity, compassion and loyalty. Ethics should apply not only to decisions we make as individuals but also to decisions made by the organization. The organization’s ethical standards are set by all levels of management and trickle down through the organization. The tone at the top determines the ethical standards at all levels of the organization. Strong ethics is a key component of the control environment.

Questions that may help with the ethical part of the decision-making process are summarized in the Ethics Filters mnemonic PLUS.

  • P = Policies
    Is it consistent with my organization’s policies, procedures and guidelines?
  • L = Legal
    Is it acceptable under the applicable laws and regulations?
  • U = Universal
    Does it conform to the universal principles/values my organization has adopted?
  • S = Self
    Does it satisfy my personal definition of right, good and fair?

Reporting Fraud, Waste, or Abuse

State law requires all public institutions of higher education to provide a means by which students, employees, or others may report suspected or known improper or dishonest acts. In addition, the College is committed to the responsible stewardship of our resources.

Whether you are part of departmental management, a faculty or staff member, a student, or an interested citizen, we encourage you to report known or suspected dishonest acts by employees, outside contractors, or vendors.

What Should I Report?

Dishonest acts, either known or suspected, should be reported, such as:

  • Theft or misappropriation of funds, supplies, property, or other university/college resources
  • Forgery or alteration of documents
  • Unauthorized alteration or manipulation of computer files
  • Improper and wasteful activity
  • Falsification of reports to management or external agencies
  • Pursuit of a benefit or advantage in violation of the college’s conflict of interests policy
  • Authorization or receipt of compensation for hours not worked

Think Before You Speak!

Before making allegations of dishonesty, be reasonably certain of any claims. Such allegations can seriously and negatively impact the accused individual’s life and adversely affect the working environment of the department.

Reporting Options

Several options are available to all college employees, students and others for reporting known or suspected dishonest acts.

You may report your concerns:

  • To your supervisor or department head
  • To an official at your campus or institute
  • To College Internal Audit at (423) 473-2391
  • To the Tennessee Board of Regents by email at
  • To the Tennessee Comptroller’s Hotline for Fraud, Waste and Abuse at 1-800-232-5454

If you are a supervisor, department head, or campus official and you receive a report of a dishonest act, contact Internal Audit at (423) 473-2391 for further assistance.


When Internal Audit receives allegations of dishonesty or other irregularity by an employee, outside contractor, or vendor, they are required to conduct an investigation.

Departmental management should neither attempt to conduct investigations nor alert suspected employees of an impending investigation.

In an investigation, objectives include verifying the facts, maintaining objectivity and confidentiality, determining responsibility, and recommending corrective actions to help ensure that similar actions do not occur in the future.

Protection under State Law

As Internal Audit investigates allegations of dishonesty, the reporting individual’s confidentiality is protected under Tennessee Code Annotated Title 10, Chapter 7 (subject to court action requiring disclosure). Also, state law prohibits discrimination or retaliation of any kind against employees who report allegations of dishonest acts.

Reporting Responsibility

Internal Audit has reporting responsibility to the Audit Committee of the Tennessee Board of Regents through the Director of System-wide Internal Auditing. This reporting relationship enables them to independently and objectively review matters involving any level of administration at the college.

Preventing Fraud, Waste and Abuse

College management is responsible for establishing and implementing systems and procedures to prevent and detect fraud, waste and abuse.

The basic elements of a proper control system include:

  • Creating a culture of honesty and high ethics
  • Evaluating risks and implementing processes, procedures and controls to prevent, deter and detect fraud, waste and abuse
  • Developing an appropriate oversight process

Management at all levels of the college should review the information that is available from the American Institute of Certified Public Accountants in the document, Management Antifraud Programs and Controls: Guidance to Help Prevent and Deter Fraud, found as an exhibit in their Professional Auditing Standard AU 316 at this website: Professional Auditing Standards.

Please contact Internal Audit at (423) 473-2391 if you need assistance in reviewing risks, processes, procedures or controls, or in providing internal control training.


Contact Information

Denise Rogers Callais, CPA
Director of Internal Audit
Cleveland State Community College
P. O. Box 3570
Cleveland TN 37320-3570
(423) 473-2391