Components of Internal Controls

Control Environment

  • The control environment includes administrators’ attitudes, which are then reflected in employees’ attitudes. An administrator’s attitudes should support ethical values and good business practices. An administrator should promote compliance with university policies and procedures through his or her actions as well as through unit policies and procedures. He or she should ensure that employees also support ethical values and have the technical competence for the position. Background checks should be performed prior to hiring for key positions. Policies and procedures should be written and provided to all staff, and expectations for compliance should be communicated to staff. There should be no tolerance for fraud or conflicts of interest. Disciplinary action should be consistently applied to all employees.
  • Administrators must support compliance with university policies and procedures if they expect employees to have that attitude.

Risk Assessment

Administrators should identify and analyze the relevant risks to the achievement of unit goals and objectives. They should determine what can go wrong, what areas have the most risk, what assets are at risk, and who is in a position of risk. Risks may include:

  • Public scandal
  • Revenues not received or, if received, not recorded properly
  • Assets (financial, personnel, space, personal property) not used efficiently
  • Assets not used to accomplish unit goals and objectives
  • Assets may be diverted to personal use
  • Information used for decision-making is not reliable, timely, or available

Control Activities

Control activities are those activities that provide a “reasonable” level of assurance that the unit’s goals and objectives will be accomplished. Absolute assurance is not possible due to costs, collusion, human error, and management’s ability to override controls. Control activities include:

  • Authorization to initiate or approve transactions should be limited to specific personnel. Authorizations can be limited by type of transactions or amount of transactions.
  • Separation of duties provides that one employee does not have the responsibility for all phases of a transaction. Generally, an employee with physical access to an asset should not also be responsible for accounting records relating to that asset.
  • Assets should be physically secured.
  • Access to assets should be limited.
  • Reconciliations of assets to accounting records should be prepared periodically, and reconciling items should be resolved in a timely manner.
  • Physical assets should be counted periodically and the results of the counts compared to accounting records. Discrepancies should be reported to appropriate administrators and investigated.
  • Transactions should be properly documented and the records retained in an organized manner.

Control activities are designed to provide a reasonable level of assurance that the goals and objectives will be accomplished.

Information and Communication System

The purpose of the information and communication system is to help ensure that employees are aware of the unit’s goals and objectives, how they are to be accomplished, and who is responsible for the specific tasks to accomplish them. The information and communication system must also provide administrators with reports containing operational, financial, and compliance information to monitor progress toward accomplishing established goals and objectives and to allow administrators to make appropriate decisions. Information and communication systems include:

  • The university’s written policies and procedures
  • The unit’s goals and objectives
  • The unit’s documented policies and procedures
  • Organization charts
  • Position descriptions
  • Performance evaluations
  • Training programs
  • Periodic reports measuring progress toward the accomplishment of goals and objectives

An essential part of the internal control system is an effective information and communication system that ensures that employees know what they are supposed to accomplish and how they are to do it.


Monitoring

Monitoring ensures that the internal control system is operating as expected. It should be performed by supervisory personnel and focused on high-risk areas. It identifies changes in circumstances that may require changes to the internal control system. Monitoring activities include:

  • Spot checks of transactions to ensure compliance with policies and procedures
  • Reviews of financial reports such as comparisons of budgeted and actual revenues and expenditures and comparisons of current and prior months’ or years’ activities
  • Reviews of departmental ledgers and related reconciliations to departmental accounting records
  • Reviews of outstanding encumbrances
  • Reviews of high-risk accounts or records including payroll pay lists and employee leave records
  • Evaluations of trends
  • Review of supporting documentation
  • Surprise cash and other asset counts
  • Documentation of software licenses
  • Reviews of tangible personal property and the related records
  • Follow-up on complaints, rumors, and allegations

Where internal controls are weak, increased compensating controls such as supervisory reviews are necessary.