Skip to Content

Internal Controls


All employees of the University are responsible for performing their duties in compliance with proper internal controls. Internal controls must reasonably assure that financial information is timely and accurate, that assets are safeguarded and properly accounted for, and that the University complies with all prevailing laws and administrative regulations of the Commonwealth of Virginia and the Federal government.

More information may be found in Policy FIN-021: Internal Control.


The most important aspect of internal controls is the segregation of duties. For example, the employee who receives and deposits payments on an account must not also have the responsibility of recording payments in the Integrated System.


All employees of the University have the following responsibilities:

  • safeguard assets
  • verify the accuracy and reliability of financial data
  • safeguard personal financial information
  • review projects and reconcile accounts periodically
  • promote operational efficiency
  • adhere to University policies and procedures
  • comply with the monitoring of internal controls by the Audit department
  • document departmental business operations
  • maintain internal controls
Safeguard Assets

Assets include all property of the University. Examples of assets are buildings, equipment, inventory, accounts receivable, and cash (including checks).

Extreme care must be exercised in safeguarding cash and items easily convertible to cash, such as accounts receivable. Appropriate physical safeguards must be employed to protect all assets. Cash must be secured in a locked facility (an appropriate safe is strongly recommended).


Any observed weaknesses in internal control should be brought to the attention of the University Comptroller immediately.

Verify Accuracy and Reliability of Data

The University's Integrated System maintains a comprehensive record of all financial transactions. Access to information about the status of individual projects, awards, tasks, and transactions is available through queries, pre-defined reports and custom reports.

It is the responsibility of departments and activities to process all transactions in a timely manner and to verify, promptly, the accuracy of all transactions posted to their projects and accounts. This will require, at least, a monthly review and approval of all transactions recorded in a given project or account. Any errors should be reported immediately to the originator or to the appropriate central financial office.

The reliability of information retrieved from the financial modules of the Integrated System is dependent on the timely recording of all transactions. Vouchers, travel expense reimbursement vouchers, billings of support service units, receipts, personnel/payroll actions, and any other financial transactions must be immediately entered into the Integrated System or forwarded promptly to the appropriate central financial office for processing.

The University's central financial offices will review accounts on a selective basis and seek resolution of any questionable transactions or balances.

Safeguard Personal Financial Information

Financial institutions, including colleges and universities, are subject to the provisions of the Gramm-Leach-Bliley Act (2000) as it pertains to ensuring the security and confidentiality of customer records such as names, addresses, phone numbers, bank and credit card account numbers, income and credit histories, and Social Security numbers. All University service providers are responsible for preparing and executing an Information Security Program to:

  • ensure the security and confidentiality of personal financial information;
  • protect against any anticipated threats to the security or integrity of such information; and
  • guard against the unauthorized access to or use of such information that could result in substantial harm or inconvenience to any member of the university community

The University must also comply with the Red Flags Rules issued by the Federal Trade Commission (FTC) and several federal banking agencies in late 2007 under sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. This regulation requires that when providing credit or accepting payments, units watch for:

  • Presentation of suspicious documents, such as an altered or forged identification card.
  • Suspicious personal identifying information, such as a fictitious address or telephone number.
  • Unusual use of, or suspicious activity related to an account, such as mail sent to an individual which is repeatedly returned as undeliverable.

Review Projects and Reconcile Accounts

The Fiscal Administrator is the person responsible for monitoring and reconciling the activity in a group of projects or accounts. A Fiscal Administrator will usually have the Integrated System Funds Management responsibility of "Project Manager" or "Award Manager". Fiscal Administrators tare expected to be familiar with financial policies and procedures and serve as the primary resource for inquiries on that group of projects or accounts.

Fiscal Administrators are responsible for ensuring each assigned project or account is reviewed and reconciled to departmental records on a monthly basis, and that all transactions placed in suspense projects are also resolved monthly. Departments are responsible for maintaining source documentation for all transactions in accordance with established records retention and distribution schedules. Departments are also responsible for providing source documentation, in a timely manner, at the request of a central financial office or an internal or external audit.

Promote Operational Efficiency
  • The University is committed to achieving a high level of efficiency and effectiveness in the use of personnel and other resources.
  • The achievement of an acceptable level of operational efficiency is dependent on a proper organizational plan and sufficient training of employees.
  • Organizational plans must be designed to segregate duties so that no one employee controls all phases of a transaction.
  • New employees must be trained adequately for their responsibilities to ensure efficiency and accuracy.
  • Human Resources is responsible for the development and delivery of broad training programs and for specific training in Integrated System responsibilities.
  • Central administrative offices, including Financial Administration, Procurement Services, and the Office of Sponsored Programs, are responsible for the development and delivery of training programs relating to the policies, procedures, compliance issues, and internal control related items relevant to their institutional responsibilities.
  • Specific job training and assignment of job responsibilities are the responsibility of the department or activity head.
Adhere to University Policies and Procedures

The University's policies and procedures are a primary means of establishing internal controls. In addition to conforming to certain State and Federal regulations, these controls allow the University to fulfill the dictates of prudent management. All individuals who deal with financial and administrative matters must be familiar with and adhere to these policies and procedures. Failure to adhere to the University's policies and procedures may be considered misconduct, as stated in the State's Standard of Conduct Policy.

Comply with Monitoring of Internal Controls by the Audit Department

The University's Audit Department is an integral part of the internal controls system. This office will monitor and evaluate internal controls as part of its annual audit plan. Weaknesses in internal controls will be commented on by the Audit Department in its reports.

The appropriate department or activity head must make a written response to any findings of inadequate internal controls and take prompt corrective action as recommended.

Document Departmental Business Operations

Departments should document all unique business operations with internal policies and procedures. Such departmental policies/ procedures not only document current operating practices, but also enhance management's communication to employees, help produce consistency of effort during periods of turnover, and provide a training aid for new employees.

Any departmental business operations which deviate in any way from the published policies and procedures of the University must be fully documented and authorized by the University Comptroller. This deviation and authorization must also be documented and certified in the annual Internal Control Questionnaire response.

Maintain Internal Controls

In an effort to maintain an effective system of internal controls, University management has instituted the following measures:

  • Internal Audit's program of ongoing reviews throughout the year.
  • An annual Internal Control Questionnaire to verify the soundness of departmental internal controls.
  • An extensive questionnaire follow-up program with selective departments to ensure compliance with internal controls standards.
  • At least annually, review with the Audit Committee of The Board of Visitors the internal audit reports and both the external auditors' management comments and the progress reports to resolve those comments.
  • At least every four years, ensure all financial systems have been reviewed by external auditors, internal auditors, or by management.
  • An annual Agency Risk Management and Internal Control Standards (ARMICS) certification to verify the establishment and maintenance of an effective system of internal control to the Commonwealth of Virginia‚Äôs Department of Accounts.

Questions about the University of Virginia's Internal Controls Program? Contact us at: