4-OP-A-9 Internal Controls

Responsible Executive:​  Vice President for Finance and Administration

Approving Official:  Vice President for Finance and Administration

Effective Date:  January 1, 2014

Last Revision Date:  Readopted January 1, 2014, revised July 1, 2019

    1. Objective
      1. The purpose of this policy is to provide guidance to help ensure the internal control objectives of the University are met. It is the responsibility of all University employees to ensure protection of University assets and resources. Administrators at all levels are responsible for establishing a strong control environment, setting the appropriate tone at the top, and displaying the proper attitude toward complying with these established controls.
    2. Definitions
      1. Control Environment - Core to any university is its people, and the internal Control Environmental tone is set by its leaders. Their individual attributes (integrity, ethical values, and competence) and the environment in which they operate set the tone for the organization and determine the sincerity with which the institution embraces the Control Environment.
      2. Risk Assessment - Process of identifying and analyzing risks related to the accomplishment of the University objectives.
      3. Control Activities - Processes and procedures put in place by the Board of Trustees, University Leadership, management, and other personnel, designed to provide reasonable assurance of effectiveness and efficiency of operations; safeguarding of assets; reliability of financial and operational reporting; and compliance with University policies and procedures, applicable laws, and regulations.
      4. Information and Communication - Pertinent information that is identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities. 
      5. Monitoring - Process that assesses the quality of internal controls over time. An effective system is able to react dynamically to changing conditions.
      6. Preventative Controls - Internal controls designed to catch or prevent errors and irregularities before they occur.
      7. Detective Controls - Controls designed to find errors or other issues after they occur so that corrective action can be taken.
      8. Corrective Controls – Internal controls designed to look for similar condition elsewhere, to strengthen polices, to provide additional training, to more closely monitor the issue, and to make the organization aware of the issue and consequences as appropriate for the situation.
    1. Roles and Responsibilities
      1. Deans, Directors, and Department heads shall develop practices and procedures for their respective units/departments that will establish a framework of internal controls protecting the University’s assets and resources and mitigating the risks that may prevent the University or the unit/department from accomplishing its goals and objectives.
      2. The framework shall be designed to ensure the following:
        1. Compliance with governing policies, laws, rules, and regulations
        2. Provide reliable information
        3. Assets are properly safeguarded
        4. Operations are efficient and effective
        5. Errors or irregularities are detected and reported in a timely manner
      3. Deans, Directors and Department heads may delegate their authority under this policy, but remain responsible for the actions and decisions of their respective units/departments.
    2. Internal Controls
      1. All employees of the University must perform their duties in accordance with proper internal controls as established by practices and procedures set by the Dean, Director, and Department Head (or designee). Deans, Directors, and Department heads will establish and maintain a system of internal controls that satisfies the University’s objectives in the following categories:
        1. Risks are identified and effectively managed
        2. Safeguarding of University assets
        3. Reliability and integrity of financial and non financial information
        4. Compliance with University policies, plans, procedures, laws and regulations
        5. Economical and efficient use of University resources
        6. Meeting established objectives and goals for University operations and programs
      2. A system of internal controls includes risk assessment; preventative, detective, and/or corrective controls; and monitoring.
      3. General internal control principles for campus units are:
        1. Separation of duties
          1. Duties are separated so that one person's work routinely serves as a check on another's work.
          2. No one person has complete control over more than one key function or activity (e.g., authorizing, approving/certifying, disbursing, receiving, or reconciling).
        2. Authorization and approval
          1. Transactions are authorized when proper and consistent with University policy and the department's plans.
          2. Transactions are approved by the person who has delegated approval authority, which is usually delegated on the basis of special competency or knowledge.
        3. Custodial and security arrangements
          1. Responsibility for physical security/custody of University assets is separated from record keeping/accounting for those assets.
          2. Unauthorized access to University assets and institutional data is prevented.
        4. Timely and accurate review and reconciliation
          1. Departmental accounting records and documents are examined by employees who have sufficient understanding of the University accounting and financial systems to verify that recorded transactions actually took place and were made in accordance with University policies and procedures.
          2. Departmental accounting records and documentation are compared with University accounting system reports and financial statements to verify their reasonableness, accuracy, and completeness.
        5. The general internal control principles should be applied to all departmental operations, especially accounting records and reports, payroll, purchasing/receiving/disbursement approval, equipment and supply inventories, cash receipts, petty cash and change funds, billing and accounts receivable.
      4. All employees are responsible for conducting their business activities in a manner consistent with good internal control.
    • BOG Regulation 1.001(6), (7); BOT Delegation to President, February 2010; President Delegation to the Vice President for Finance and Administration
    • This policy shall be reviewed by the Associate Vice President for Finance & Administration (AVP) every seven years for its effectiveness. The AVP shall make recommendations to the Vice President for Finance and Administration for any modification or elimination.