Internal Controls

"Internal control is a process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

As defined by The Committee of Sponsoring Organizations of the Treadway Commission (COSO) in "The updated COSO Internal Control – Integrated Framework Executive Summary May 2013"

According to the COSO Framework, "Internal Control consists of five integrated components:

1. Control Environment:

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.  The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct.  Management reinforces expectations at the various levels of the organization. The control environment comprises the integrity and ethical values of the organization; the parameters enabling the board of directors to carry out its governance oversight responsibilities; the organizational structure and assignment of authority and responsibility; the process for attracting, developing, and retaining competent individuals; and the rigor around performance measures, incentives, and rewards to drive accountability for performance.  The resulting control environment has a pervasive impact on the overall system of internal control.

2. Risk Assessment:

Every entity faces a variety of risks from external and internal sources. Risk is defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.  Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances.  Thus, risk assessment forms the basis for determining how risks will be managed.

A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. Management specifies objectives within categories relating to operations, reporting, and compliance with sufficient clarity to be able to identify and analyze risks to those objectives.  Management also considers the suitability of the objectives for the entity.  Risk assessment also requires management to consider the impact of possible changes in the external environment and within its own business model that may render internal control ineffective.

3. Control Activities

Control activities are the actions established through policies and procedures that help ensure that management's directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventative or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews.  Segregation of duties is typically built into the selection and development of control activities.  Where segregation of duties is not practical, management selects and develops alternative control activities.

4. Information and Communication

Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives.  Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control.  Communication is the continual, iterative process of providing, sharing and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the organization, flowing up, down, and across the entity.  It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information, and it provides information to external parties in response to requirements and expectations.

5. Monitoring Activities

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information.  Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations.  Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate."


Control Activities

Control Activities are designed to mitigate risk; the following are descriptions of some commonly used control activities:


Policies and procedures must be formally documented to ensure consistency in application and promote continuity of activities in the event of prolonged employee absences or turnover.


Transactions must be properly authorized, consistent with University policy and adequately funded.


Transactions must be reviewed for accuracy and completeness by appropriate personnel.


The accuracy of financial records must be validated through the periodic comparison of source documents to data recorded in accounting information systems.

Segregation of Duties

Functions must be segregated among different people to reduce the risk of error or inappropriate action. Responsibilities for authorizing transactions (approval), recording transactions (accounting/record keeping) and handling the related asset (custody) are divided.

Security of Assets

University assets must be safeguarded and protected from loss or damage due to accident, natural disaster, negligence or intentional acts of fraud, theft or abuse.


Types of Controls


Controls can be either preventative or detective, both types of controls are essential to an effective internal control system.

  • Preventative controls: Are designed to deter or prevent errors or irregularities from occurring. They are proactive controls that help to ensure departmental or unit objectives are being met. Examples of preventative controls include segregation of duties and pre-approval of transactions.
  • Detective Controls: Are designed to detect errors or irregularities which have already occurred and that they be corrected/addressed. Examples of detective controls include reconciliations and reviews of exception reports.



Last updated: Oct-2016

Back to top