Skip to main content Skip to navigation
Office of Internal Audit Internal Controls

University administration is responsible for developing a strong internal control system that will ensure compliance with applicable laws, policies and procedures, adequately safeguard University assets, and ensure proper and accurate reporting of University activities. It is important to note that an audit does not relieve University administrators and employees of assigned responsibilities. Therefore, University management should not place reliance on an audit as an oversight control in lieu of management’s supervisory oversight responsibilities.

Internal Control Definition

Internal control is a process designed by a college or university’s governing board, administration, faculty and staff to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

This definition reflects certain fundamental concepts:

  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is effected by people. It is not merely policy manuals and forms, but people functioning at every level of the institution. All personnel are responsible to communicate problems in operations, deviations from established standards, and violations of policy or law.
  • Internal control is geared to the achievement of objectives in several overlapping categories.
  • Internal control can be expected to provide only reasonable assurance to an organization’s leaders regarding achievement of operational, financial reporting, and compliance objectives. It is not absolute assurance.

Internal Control Benefits

  • Internal controls help prevent errors and irregularities from occurring. If errors or irregularities do occur, internal controls will help ensure they are detected in a timely manner.
  • Internal controls encourage adherence to prescribed policies and procedures.
  • Internal controls protect employees: 1) by clearly outlining tasks and responsibilities, 2) by providing checks and balances, and 3) from being accused of misappropriations, errors or irregularities.

Key Internal Control Activities

Segregation of Duties

Duties are divided, or segregated, among different people to reduce the risk of error or inappropriate actions. For example, responsibilities for receiving cash or checks, preparing the deposit to the Cashier’s Office, and reconciling the deposit to the cashier’s receipt and Balances should be separated.


Organizational structure – lines of authority and responsibility – should be clearly defined so that employees know where to go to report performance of duties, problems and questions related to position and the organization as a whole. An organization chart is a good means of defining this structure as long as it is kept up to date. Part of the structure is also the rules that employees must abide by. Written policies and procedures provide guidance to employees in carrying out their duties, provide for clear rules on allowable and expected activity, as well as provide means for enforcement. The department’s lines of authority and policies and procedures should be reviewed periodically to ensure they are in agreement with the organization’s strategic mission.

Authorization and Approval

Transactions should be authorized and approved to help ensure the activity is consistent with departmental or institutional goals and objectives. For example, a department may have a policy that all purchase requisitions and invoice vouchers must be approved by the director. The important thing is that the person who approves transactions must have the authority to do so and the necessary knowledge to make informed decisions.

Reconciliation and Review

Performance reviews of specific functions or activities may focus on compliance, financial or operational issues. Reconciliation involves comparing transactions or activity recorded to other sources to help ensure that the information reported is accurate. For example, revenue and expense activity recorded on accounting reports should be reconciled or compared to supporting documents to ensure that the transactions are recorded timely, in the correct account, and for the right amount.


Security may be physical, electronic (information system controls) or both. Equipment, inventories, cash, checks and other assets should be secured physically and periodically counted and compared with amounts shown on control records. For example, the periodic physical confirmation of equipment by individual departments is a physical security control. Virus detection software should be current and updated regularly to help protect integrity of systems. Hardware and access controls (passwords) should be changed periodically and rigorously safeguarded to protect from unauthorized access to database, computer systems, etc. Special physical and software controls (such as encryption software) should be developed for systems containing sensitive and/or confidential information.

Control Limitations

Internal controls, no matter how well designed and operated, can provide only reasonable assurance regarding the achievement of objectives. The concept of reasonable assurance recognizes the cost of internal controls should not exceed the benefits derived and also recognizes evaluation of these factors requires estimates and judgment by management. For objectives related to the effectiveness and efficiency of operations, internal controls can only help to ensure management is aware of the entity’s progress or lack of it.

Limitations which may hinder the effectiveness of an otherwise adequate system of internal controls include:

  • resource constraints
  • inadequate skill, knowledge or ability
  • degree of motivation by management and employees
  • faulty judgments
  • unintentional errors

Additionally, controls can be circumvented by collusion of two or more people. Even more important to recognize, management has the ability to override the internal control system.

These factors, combined with changing needs and personnel, make it risky to project any evaluation of internal control to future periods. On an ongoing basis, management must evaluate business risks and the controls needed to manage those risks and keep existing controls effective. Management evaluation generally leads to periodic adjustments and corrective action, which also helps assure the continuing effectiveness of the internal control system (see Risk Assessment).