Internal Controls


Internal controls are designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations


Internal controls consist of five interrelated components. These are derived from the way management runs an operation or function, and are integrated with the management process. Although the components apply to the entire University, small and mid-size departments may implement them differently than large ones. Its controls may be less formal and less structured, yet a small department can still have effective internal control. The internal controls components are:

Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the University.

Risk Assessment

Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.

Control Activities

Control activities are the policies and procedures that help ensure management directives are carried out. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

Information and Communication

Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports containing operational, financial and compliance-related information that make it possible to run and control the organization. Effective communication also must occur in a broader sense, flowing down, across and up the organization.


Internal control systems need to be monitored - a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the Regents.

The internal control definition - with its underlying fundamental concepts of process, effected by people, providing reasonable assurance - together with the categorization of objectives and the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.