The first step in the internal Control Process is to segment the organization by identifying the program and administrative functions necessary for the campus to carry out its mission. Functions identified through this process are called "assessable units" and provide the framework for the Internal Control Program. After the campus is segmented into assessable units, each unit's risk is assessed. This may be done through a self-assessment survey or a one-on-one discussion with the unit manager and the Internal Control Officer.
Through this process, the campus evaluates its susceptibility to conscious or unintended abuses and reduced operational efficiencies. Some of the factors examined in the risk assessment are: inherent risk of the unit, management's attitude toward internal controls, physical location, frequency of review, and the rate of personnel turnover. Upon completing a risk assessment, each assessable unit is given a rating of low, medium, or high risk. These ratings are considered when scheduling area internal control reviews to analyze procedures and policies and ensure that areas are functioning as intended and assist the campus in meeting its goals and objectives.
Examples of procedures and policies that may be evaluated during an area review are planning activities, program evaluations, the budget cycle, personnel transactions, information systems, cash activities, contract management, and capital programs. Upon completion of the area review, recommendations may be made to add, delete, or change internal controls or procedures for the assessable unit.
The final component in the process is follow-up. This step is performed to verify that the recommended actions have been properly implemented and that the unit continues to function as intended.