Internal Controls

Internal controls are extremely important to ensure resource use is consistent with laws regulations and policies; that resources are safeguarded against waste, loss and misuse; and that reliable data is obtained, maintained and fairly disclosed in reports. In an effective internal control system, the following five components work to support the achievement of an entity’s mission, strategies and related business objectives:

  1. Control Environment

    The control environment provides the atmosphere in which people conduct their activities and carry out their internal control responsibilities across the organization. It serves as the foundation for the other components and is comprised of the integrity and ethical values of the organization, governance oversight responsibilities, organizational structure (including assigned authority, roles, and responsibilities), the process for attracting, developing and retaining competent employees, and the rigor around metrics and rewards that drive performance.

    • Does your department have goals that align with the University’s strategic plan?
    • Are the University’s expectations for integrity and ethical values promoted in your department?
    • Are employees who violate policies or the code of conduct disciplined consistently?
    • Are employees aware of how to report their concerns (labor, work environment, fraud, etc.)?

  2. Risk Assessment

    Risk assessment is the process of identifying and analyzing risks and assessing the impacts of those risks and possible changes to the organization's operating environment in order to achieve the established objectives.

    • Have you performed a risk assessment for your area?
    • Does your department have any programs that might be considered a heightened risk, such as dealing with minors, hazards, or unsafe conditions?
    • Is there pressure to meet unrealistic goals or an over-emphasis on short-term results? (e.g. enrollment, grant money, etc.)

  3. Control Activities

    Control activities are implemented to address and help mitigate the risks that were identified. Examples of control activities are to follow policies and procedures, implement security, plan business continuity, perform outsourcing, safeguard assets, etc.

    • Are staff knowledgeable of applicable policies and procedures and kept informed of policy updates/changes?
    • Are duties properly segregated?
    • Do you have an operational continuity plan to respond to a significant unforeseen event such as an emergency or natural disaster? 

  4. Information and Communication

    This component of an internal control system is the means by which relevant information is captured and communicated throughout the organization, flowing up, down, and across the entity.

    • Do leaders meet with their direct reports regularly and communicate often and openly?
    • Are employees encouraged to provide input on recommendations for improvements?
    • Are delegated authorities and responsibilities clearly documented, communicated and defined in position descriptions?

  5. Monitoring

    The entire process is monitored and modified as conditions warrant. Ongoing evaluations are used to ascertain whether each of the five components of internal control (control environment, risk assessment, control activities, information & communication, and monitoring activities) are functioning and operating effectively.

    • Are budgets, financial activities and inventories monitored?
    • Do you monitor and assess key performance indicators (KPIs) or other metrics specific to your department?
    • Is employee turnover monitored, with any anomalies or unexpected attrition reviewed further?


If you have any questions or concerns about your department’s internal control environment or would like assistance in evaluating its effectiveness and/or improving your risk management process, please contact the OIA.