Internal Controls

What are internal controls?

Internal controls are the plan of organization and all of the methods (processes and procedures) adopted in an organization to safeguard its assets, check the accuracy and reliability of its accounting and reporting data, promote operational efficiency, and encourage adherence to policies. This definition recognizes that a system of internal control extends beyond the accounting and finance departments to all functions of the organization.

The objectives of our internal control program are:

  • Successful achievement of the District’s mission
  • Accurate collection, maintenance and reporting of district data
  • Safeguarding of assets
  • Effective, efficient and economical programs and operations
  • Compliance with laws, regulations and policies
  • Prevent/detect fraud, waste, and abuse

Internal controls are everyone’s responsibility! At OCPS the internal control environment reflects management’s integrity and its commitment to ethical values. It begins with the School Board and is exemplified by the tone at the top as established by our superintendent and communicated to all employees.

A strong internal control program promotes:

  • Continuous improvement
  • Efficiency of operations
  • Effective communication
  • Accountability
  • Risk awareness and planning
  • Reliable reporting

Internal control framework:

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provided a common language regarding controls and created an integrated control framework for managing business risks. The framework consists of five interrelated components:

  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring

Requirements of Florida Statutes:

Florida Statutes require that school districts establish and maintain internal controls designed to:

  • Prevent and detect fraud, waste, and abuse
  • Promote and encourage compliance with applicable laws, rules, contracts, grant agreements, and best practices
  • Support economical and efficient operations
  • Ensure reliability of financial records and reports
  • Safeguard assets

What is meant by fraud, waste and abuse?

According to Florida Statutes:

“Fraud” means obtaining something of value through willful misrepresentation, including, but not limited to, intentional misstatements or intentional omissions of amounts or disclosures in financial statements to deceive users of financial statements, theft of an entity’s assets, bribery, or the use of one’s position for personal enrichment through the deliberate misuse or misapplication of an organization’s resources.

“Waste” means the act of using or expending resources unreasonably, carelessly, extravagantly, or for no useful purpose.

“Abuse” means behavior that is deficient or improper when compared with behavior that a prudent person would consider a reasonable and necessary operational practice given the facts and circumstances. The term includes the misuse of authority or position for personal gain.

How are internal controls classified?

Directive controls ensure a particular outcome is achieved. Examples include guidelines, training and incentives.

Preventive controls are designed to reduce the chance that errors or irregularities may occur. For example, reading and understanding policies and procedures or approving payments before they are processed. Additional examples include the tone at the top, authorization, segregation of duties and password protection.

Detective controls are designed to detect errors or irregularities after they have occurred so they can be corrected. Examples include reconciling the bank statement and performing periodic inventories of equipment.

Corrective (or compensating) controls correct undesirable outcomes that have occurred or reduce risk to an acceptable level when other controls have failed or are not cost-effective. Examples include close supervision and management review.

Everyone plays a part in the district’s internal control system. Management ensures that controls are in place and every employee makes sure the internal control system functions by following the controls and reporting any breakdowns in them. Internal Audit examines the adequacy and effectiveness of the district’s internal controls and makes recommendations where control improvements are needed.

What do good internal controls involve?

  • Risk assessment
  • Managers should identify and analyze relevant risks to the achievement of business unit goals and objectives by determining what could go wrong, what areas have more risk, what assets are at risk, and who is in positions of risk. Risks may include:
  • Damage to reputation and public image
  • Revenues not received
  • Assets not used efficiently
  • Assets not used properly
  • Assets diverted to outside or personal use
  • Unreliable, untimely or unavailable information needed for decision making
  • Reasonable assurance
  •  Internal controls should provide reasonable assurance that the objectives of the systems will be accomplished.
  • Supportive attitude
  • Managers and employees should maintain and demonstrate a positive and supportive attitude towards internal controls at all times.
  • Competent personnel
  • Managers and employees should have personal and professional integrity and maintain a level of competence that allows them to accomplish their assigned duties. They should also understand the importance of establishing and implementing good internal controls. 
  • Personal and professional integrity is demonstrated when you: 
  • Commit to honesty and fairness
  • Respect the organization and authority
  • Adhere to laws and policies
  • Respect the rights of all employees
  • Commit to excellence
  • Control objectives
  • Internal control systems should help assure compliance with laws and that the district is meeting its goals and objectives based on risk assessments 
  • Control techniques
  • These are the means by which we accomplish the objectives of internal control systems.
  • Our specific standards of internal control involve the following techniques:
  • Documentation – adequate records of all internal control systems and all transactions and events should be maintained.
  • Records – all transactions and events should be recorded promptly and accurately.
  • Authorization – all transactions and events should be authorized and executed by persons within the scope of their authority.
  • Structure – key duties and responsibilities in authorizing, processing, recording and reviewing transactions should be separated.
  • Supervision – adequate supervision should be provided to ensure that internal control objectives are achieved.
  • Security – access and accountability for assets and records should be limited to authorized individuals.

What can jeopardize internal controls?

  • Where there is an inadequate segregation of duties
  • Where there is inappropriate access to assets
  • Where there is inadequate knowledge of district policies and procedures
  • Where control procedures are performed in a perfunctory manner (as when a reviewing manager signs a document without adequate review and evaluation)
  • Where controls are overridden
  • Where inherent limitations cannot be overcome by compensating controls

Do internal controls deter and detect fraud?

The Association of Certified Fraud Examiners’ (ACFE) Report to the Nations, 2022 Global Study on Occupational Fraud and Abuse noted nearly HALF of fraud cases occurred due to lack of internal controls or override of existing controls. Tips are the most common initial detection method by a wide margin with more than half of the tips coming from employees. Fraud losses were about 50% smaller and detected more quickly at organizations with hotlines than those without.

The report noted that, aside from a lack of internal controls in the first place, a large percentage of frauds attributed to internal control weaknesses were due to overrides of existing controls and lack of management review. This is why the district’s internal control program is critically important. Employees and managers should ensure that controls are not overridden and managers should never take shortcuts in their review responsibilities.

Reporting concerns and fraud:

If you are unsure what to do, ask questions. If you see something you think is not right, raise your concerns with your supervisor and/or one of the following:

  • Hotline 407-317-3976
  • OCPS Internal Audit 407-317-3200, 2002897
  • OCPS Legal Services 407-317-3411
  • OCPS Police 407-317-3325


OCPS Internal Control Program Brochure

OCPS Internal Controls and Stakeholder Value

Risk Assessment & Internal Control

Risks and Controls for Managers