Internal Controls


What are Internal Controls? 

One textbook definition is as follows: 

Internal controls encompass the plan of organization and all of the coordinate methods adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency and encourage adherence to prescribed managerial policies. This definition recognizes that a system of internal control extends beyond those matters which relate directly to the functions of the accounting and financial departments. 

Simply put, internal controls are anything we do to help us achieve our objectives. They are the policies, procedures, practices and organizational structures implemented in order to: 

  • Protect the University’s assets (including the University’s reputation); 
  • Ensure records are accurate; 
  • Promote operational efficiency; and 
  • Encourage adherence to policies and procedures. 

The Committee of Sponsoring Organizations (COSO) has developed an internal control framework that describes the components of internal control for any organization.

Are there Different Types of Internal Controls? 

Yes, generally speaking there are two types: preventive and detective controls. Both types of controls are essential to an effective internal control system. From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality. However, detective controls play a critical role by providing evidence that the preventive controls are functioning as intended.

Preventive Controls are designed to discourage errors or irregularities from occurring. They are proactive controls that help to ensure departmental objectives are being met. Examples of preventive controls are:

  • Segregation of Duties: Duties are segregated among different people to reduce the risk of error or inappropriate action. Normally, responsibilities for authorizing transactions (approval), recording transactions (accounting) and handling the related asset (custody) are divided.
  • Approvals, Authorizations, and Verifications: Management authorizes employees to perform certain activities and to execute certain transactions within limited parameters. In addition, management specifies those activities or transactions that need supervisory approval before they are performed or executed by employees. A supervisor’s approval (manual or electronic) implies that he or she has verified and validated that the activity or transaction conforms to established policies and procedures. 
  • Security of Assets (Preventive and Detective): Access to equipment, inventories, securities, cash and other assets is restricted; assets are periodically counted and compared to amounts shown on control records. 

Detective Controls are designed to find errors or irregularities after they have occurred. Examples of detective controls are: 

  • Reviews of Performance: Management compares information about current performance to budgets, forecasts, prior periods, or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions that require follow-up. 
  • Reconciliations: An employee relates different sets of data to one another, identifies and investigates differences, and takes corrective action, when necessary. 
  • Physical Inventories 
  • Audits 

Who is Responsible for Internal Controls? 

Management is responsible for establishing and maintaining the control environment. Auditors play a role in a system of internal controls by performing evaluations and making recommendations for improved controls. Furthermore, every employee plays a role in either strengthening or weakening the Institution’s internal control system. Therefore, all employees need to be aware of the concept and purpose of internal controls. 

How Can My Department Contribute to the University’s Control Environment? 

The control environment is the control consciousness of an organization; it is the atmosphere in which people conduct their activities and carry out their control responsibilities. An effective control environment is an environment where competent people understand their responsibilities and the limits to their authority, and are knowledgeable, mindful, and committed to doing what is right and doing it the right way. They are committed to following an organization’s policies and procedures and ethical and behavioral standards.

As a Business Administrator/manager/employee of a department, you can do the following to enhance your department’s control environment: 

  • Make sure job descriptions exist, clearly state responsibility for internal control, and correctly translate desired competencies. 
  • Implement segregation of duties where duties are divided, or segregated, among different people to reduce risk of error or inappropriate actions. No one person has control over all aspects of any financial transaction. 
  • Make sure transactions are authorized by a person delegated approval authority when the transactions are consistent with policy and funds are available.   
  • Ensure records are routinely reviewed and reconciled by someone other than the preparer or approver, to determine that transactions have been properly processed.
  • Make certain that equipment, inventories, cash and other property are secured physically, counted periodically, and compared with item descriptions shown on control records.  
  • Provide employees with appropriate training and guidance to ensure they have the knowledge necessary to carry out their job duties, are provided with an appropriate level of direction and supervision, and are aware of the proper channels for reporting suspected improprieties. For example, if your department is a recipient of sponsored funds, make sure that individuals administering funds are well trained on federal rules and regulations regarding the use of grant funds. 
  • Make sure University and departmental level policies and operating procedures are formalized and communicated to employees. Documenting policies and procedures and making them accessible to employees (in either hard copy or internet-based form) helps provide day-to-day guidance to staff and will promote continuity of activities in the event of prolonged employee absences or turnover.
  • Make sure that employees comply with the VU Conflict of Interest Policy and disclose potential conflicts of interest. 
  • Make sure employee performance evaluations are conducted periodically. Good performance should be valued highly and recognized in a positive manner.
  • Make sure that appropriate counseling and/or disciplinary action is taken when an employee does not comply with policies and procedures and/or behavioral standards. 


Internal Controls – Myths & Facts 

Because there are many misconceptions about internal controls, knowledge sharing is vitally important to an effective control system. Part of the educational process is to dispel the myths about internal controls. Here are a few myths and the corresponding facts:



Myth: Internal controls result from a strong set of policies and procedures (i.e., “If a policy doesn’t exist, we don’t have to do it”).
Fact: Internal controls are based on a strong control environment and solid business practices that, in most cases, will be supported by policies; however, lack of formal policies does not preclude good business practices.

Myth: Internal controls? That’s why we have internal auditors.
Fact: Management and departmental personnel are the owners of internal controls.

Myth: Internal controls are all about finance and accounting. We do what the Office of Financial Affairs or the Department of Finance tells us to do.
Fact: Internal controls are integral to every aspect of business.

Myth: Internal controls are essentially negative, like a list of “thou shalt nots.”
Fact: Internal controls make the right thing happen the first time.

Myth: Internal controls are a necessary evil. They take time away from our core activities and responsibilities.
Fact: Internal controls should be built into, not onto, business processes.

Myth: If controls are strong enough, we can be sure that errors and irregularities will always be detected.
Fact: Internal controls provide reasonable, but not absolute, assurance that the organization’s objectives will be achieved.