
Understanding Internal Controls



The objectives of Understanding Internal Controls are to:

  • Convey to you that management is responsible for ensuring that internal controls are established, properly documented, maintained and adhered to in each unit, department, division and program of the University.
  • Convey to you that all employees of the University are responsible for compliance with internal controls.
  • Provide you with the tools to establish, properly document, maintain, and adhere to the University's system of internal controls.


Understanding Internal Controls applies to all University employees.

Definition of Internal Controls

The Committee of Sponsoring Organizations (COSO) defines internal controls as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations,
  • Reliability of financial reporting, and
  • Compliance with applicable laws and regulations.

The key concepts regarding this definition of internal controls are:

  • Internal controls are a process; accordingly, they are a means to an end, not an end in themselves.
  • Internal controls are effected by managers and employees of the University; they are not merely policy manuals and forms, but individuals at every level of the University who ensure that controls are effectively used.
  • Internal controls can be expected to provide only reasonable, not absolute, assurance to the University's management and Board of Trustees.
  • Internal controls are geared to the achievement of objectives in one or more separate but overlapping categories.

Responsibility for Internal Controls

Managers are responsible for "setting the tone at the top" and maintaining a culture of compliance. As such, management is responsible for establishing appropriate policies and procedures to ensure that a proper internal control framework is established and maintained.
Employees are responsible for carrying out their day-to-day responsibilities in accordance with the approved policies and procedures to effect the proper implementation of internal controls.

In addition, all employees are responsible for reporting breakdowns in internal controls to their manager or the Office of Internal Audit in a timely manner.

Internal Audit is responsible for assisting management in their oversight and operating responsibilities through independent audits and advisory services designed to evaluate and promote the systems of internal control.

Internal Control Process

The internal control process consists of 5 interrelated components, as follows:

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring

Control Environment

The control environment is the control consciousness of the University; it is the atmosphere in which managers and employees conduct their activities and carry out their control responsibilities. It encompasses the "tone at the top" of the University and includes the management philosophy and operating style, culture of compliance, and institutional values and ethics of the University.
Listed below are some tips to enhance the University's control environment. This list is not all-inclusive, nor will every item apply to every unit within the University. But, as a starting point, managers should ensure that:

  • Applicable University policies and procedures are available in your department (hard copy or Internet access):
    • Administrative Procedures
    • Finance Policies and Procedures
    • Employee Handbook
    • Understanding Internal Controls
    • Purchasing Manual
    • PCard Policy
    • Conflict of Interest and Disclosure Policy
    • Personnel Memorandu
  • Each department has well-written departmental policies and procedures which address the department's significant activities and unique issues. Employee responsibilities, limits to authority, performance standards, control procedures, and reporting relationships should be clear.
  • Employees understand and adhere to the University policies and procedures that pertain to their job responsibilities.
  • Ethical issues are discussed with employees.
  • Employees comply with the Conflict of Interest and Disclosure policy.
  • A written job description exists for each position, which clearly states the employee's responsibility to adhere to established internal controls and translates desired competence levels into requisite knowledge, skills, and experience.
  • Hiring practices result in hiring qualified individuals.
  • Each department has an adequate training program for employees.
  • Employee performance evaluations are conducted periodically. Performance which meets or exceeds expectation should be valued highly and recognized in a positive manner.
  • Appropriate disciplinary action is taken when an employee does not comply with policies and procedures or behavioral standards.

Risk Assessment

A risk assessment is the process used by the University to identify, rank, and mitigate the risks that inhibit the University from achieving its objectives. Within the framework of a risk assessment process there is risk identification, risk ranking, and risk mitigation.

  • Risk Identification - the process that each unit of the University undertakes to identify risks that could keep the unit from achieving its objectives.
  • Risk Ranking - the process used to prioritize risks by:
    • Assessing the likelihood (probability) that the risk will occur, and
    • Estimating the impact (or consequence) if the risk does occur.
  • Risk Mitigation - the actions, procedures, and processes used to manage and monitor risks.

Control Activities

Control activities are actions, supported by policies and procedures, that manage or reduce risks when carried out properly, effectively, and in a timely manner. Control activities consist of preventive and detective controls.

  • Preventive Controls - Proactive controls that attempt to deter or prevent undesirable events from occurring. Examples of preventive controls include, but are not limited to, approvals and authorizations, segregation of duties, and safeguarding of assets.
  • Detective Controls - Controls that detect, or provide evidence, that an undesirable act has occurred. Examples of detective controls include, but are not limited to, reconciliations, supervisory reviews, physical inventory counts, and audits.

Information and Communication

Information and communication are essential to effecting a proper internal control environment. Accordingly, the University's plans, control environment, risks, control activities, and performance must be communicated up, down, and across the University. Reliable and relevant information from both internal and external sources must be identified, captured, processed, and communicated to the employees who need it, in a form and timeframe that is useful. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the University.

When assessing internal control over a significant activity (or process), the key questions to ask about information and communication are as follows:

  • Does your department get the information it needs from internal and external sources in a form and timeframe that is useful?
  • Does your department get information that alerts it to internal or external risks (e.g., legislative and regulatory developments)?
  • Does your department get information that measures its performance, such as information that tells the department whether it is achieving its operations, financial reporting, and compliance objectives?
  • Does your department identify, capture, process, and communicate the information that others need (e.g., information used by your customers or other departments) in a form and timeframe that is useful?
  • Does your department provide information to others that alerts them to internal or external risks?
  • Does your department communicate effectively--internally and externally?


Monitoring

Monitoring is the assessment of internal control performance over time; it is accomplished by ongoing monitoring activities and by separate evaluations of internal control, such as self-assessments, peer reviews, and internal audits. The purpose of monitoring is to determine whether internal controls are adequately designed, properly executed, and effective. Internal controls are adequately designed and properly executed if all five internal control components (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring) are present and functioning as designed. Internal controls are effective if management and interested stakeholders have reasonable assurance that:

  • They understand the extent to which operations objectives are being achieved,
  • Published financial statements are being prepared reliably, and
  • Applicable laws and regulations are being complied with.

UVI Audit Hotline: (340) 693-1576 E-mail: