Internal Control

Self-Assessment Checklist
Unit management throughout the University is responsible to establish internal controls to keep
their unit on course toward its financial goals, to help it achieve its mission, to minimize
surprises and risks, and to allow the organization to successfully deal with change. Internal
controls are defined as activities undertaken to increase the likelihood of achieving management
objectives in three areas:
Efficiency and effectiveness of operations
Reliability of financial reporting
Compliance with laws and regulations
Some internal controls are established at the institutional level; others are established by unit
management. To achieve success, unit management needs to (1) be knowledgeable about, and
support, institutional controls, and (2) implement practical and effective internal controls specific
to the particular unit.
The following checklist is provided to facilitate a self-assessment of internal controls by
management of individual departments. It is intended to address general aspects of internal
controls, and does not include specific controls applicable to individual units.
Organization of the checklist is consistent with the five interrelated components of internal
control defined by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO).
We encourage department heads and other unit management to use this self-assessment checklist
to evaluate internal controls in their areas of responsibility. Management should also add to the
checklist other controls that apply specifically their units.
Internal Audit would be pleased to consult on methods to improve your internal controls.

Index
1. Control Environment 3. Control Activities
1. Integrity and Ethical Values 10. Written Policies and Procedures
2. Commitment to Competence 11. Control Procedures
3. Management's Philosophy and 12. Controls over Information Systems
Operating Style 4. Information and Communication
4. Organizational Structure
5. Assignment of Authority and 13. Access to Information
Responsibility 14. Communication Patterns
6. Human Resource Policies and 5. Monitoring
Practices
15. Management Supervision
2. Risk Assessment 16. Outside Sources
7. Organizational Goals and 17. Response Mechanisms
Objectives 18. Self-Assessment Mechanisms
8. Risk Identification and
Prioritization
9. Managing Change
 Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5

Section 1 Control Environment

1 - Integrity and Ethical Values
Unit management (faculty and supervisory
staff) understand the University's policies
1.1 Acceptable business practices. Policies are poorly understood
covering matters such as legitimate use of
University resources.
Unit management understand the University's
policies governing relationships with sponsors,
1.2 Codes of conduct. Policies are poorly understood.
suppliers, creditors, regulators, the community,
and the public at large.
Unit management understand the University's
1.3 Conflicts of interests. Policies are poorly understood.
policies regarding potential conflicts of interest.
Unit management sets a good example and Management does not set a good example
1.4 Integrity. regularly communicates high expectations and/or does not communicate high expectations
regarding integrity and ethical values. regarding integrity and ethical values.
2 Commitment to Competence
Responsibilities are clearly defined in writing Responsibilities are poorly defined or poorly
2.1 Job descriptions.
and communicated as appropriate. communicated.
Unit management (faculty and supervisory
Management does not adequately consider
2.2 Knowledge and Skills. staff) understand the knowledge and skills
knowledge and skill requirements.
required to accomplish tasks.
Unit management is aware of competency Management is not adequately aware of
2.3 Employee competence. levels, and is involved in training and increased competency levels, or does not actively address
supervision when competency is low. problems.
3 Managements Philosophy and Operating Style
Unit management insists on full and open
Management is secretive and reluctant to
3.1 Communication with Faculty, College disclosure of financial or business issues with
conduct business or deal with issues in an open
and University. appropriate faculty, college and University
manner.
personnel.
 Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
There is active concern and effort to ensure
Management is willing to risk the consequences
3.2 Laws and regulations. compliance with the letter and intent of laws
of noncompliance.
and regulations.
Management is concerned with and exerts Management is willing to get the job done
3.3 Getting the job done.
effort to get the job done right the first time. without adequate regard to quality.
Exceptions to policy are infrequent. When they
Exceptions to policy are the norm and are
3.4 Exceptions to policy. occur they must be approved and well
rarely documented.
documented.
Managements approach shows concern and
appreciation for accurate and timely reporting.
3.5 Approach to financial accountability. Financial accountability is given low priority.
Budgeting and other financial estimates are
generally conservative.
Realistic budgets are established and results are
Management either shows little concern
3.6 Emphasis on meeting budget and other actively monitored. Corrective action is taken
(climate of laxness), or makes unreasonable
financial and operating goals. as necessary. The unit learns from, and does not
demands (climate of fear).
repeat, mistakes.
Decision-making processes are deliberate and
consistent. Decisions are made after careful Decision making is nearly always informal.
3.7 Approach to decision making. consideration of relevant facts. Policies and Management makes arbitrary decisions with
procedures are in place to ensure appropriate inadequate discussion and analysis of the facts.
levels of management are involved.
4 Organizational Structure
Complexity of the structure is commensurate Lines of responsibility are unclear or
4.1 Complexity of the organizational
with the organization. Lines of reporting are unnecessarily complicated for the size and
structure.
clear and documentation is up-to-date. activities of the entity.
Documentation does not exist or is out-of-date.
4.2 Organization charts. Documentation exists and is up to date. The documented structure does not correspond
with actual responsibilities.
Size is commensurate with the complexity of Size is not appropriate (e.g., too many levels,
4.3 Size of the management group.
the unit and its growth. too dispersed, or too "thin").
4.4 Stability of the management group. Low turnover. High turnover.
 Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
5 Assignment of Authority and Responsibility
5.1 Delegation of authority and assignment Delegation of authority and assignment of Decisions are dominated by one or a few
of responsibility for operating and responsibility is clearly defined. Individuals are individuals. Roles and responsibilities of
financial functions. held accountable for results. middle management are unclear.
Authority limits are clearly defined in writing Policies and procedures covering authority
5.2 Authority limits.
and communicated as appropriate. limits are informal or poorly communicated.
Appropriate limits have been placed on each Signature authority is delegated without
delegation of signature authority. Management adequate consideration. Delegated authority is
5.3 Delegated signature authority.
reviews and updates signature records as not in line with employee knowledge, training,
turnover occurs. or competence.
Key personnel are knowledgeable and Key personnel are inexperienced. Management
5.4 Knowledge and experience. experienced. Management does not delegate delegates authority without regard to
authority to inexperienced individuals. knowledge and experience.
Management provides the resources needed for Management does not provide necessary
5.5 Resources.
employees to carry out their duties. resources.
6 Human Resource Policies and Practices
A careful hiring process is in place. The
The hiring process is informal, and sometimes
Human Resources Department is involved in
6.1 Selection of personnel. proceeds without adequate involvement by
identifying potential employees based on job
higher-level supervisors.
requirements.
On-the-job and other training programs have
Training programs are inconsistent, ineffective,
6.2 Training. defined objectives. They are effective and
or are given low priority.
important.
Regular supervision does not exist or is
Personnel are adequately supervised. They have
6.3 Supervision policies. ineffective. Employees are frustrated and feel
a regular resource for resolving problems.
they have nowhere to go with issues.
Inappropriate behavior is consistently
Reprimands are not timely, direct, or are not
6.4 Inappropriate behavior. reprimanded in a timely and direct manner,
consistently applied (climate of favoritism).
regardless of the individual's position or status.
 Assessment Factor
6.5 Evaluation of personnel.
6.6 Methods to compensate personnel.
6.7 Staffing of critical functions.
6.8 Turnover. Particularly turnover in
financially responsible positions.
Indication of Stronger Controls
An organized evaluation process exists.
Compensation decisions are based on a formal
process with meaningful involvement of more
than one level of management. The effect of
performance evaluations on compensation
decisions is defined and communicated.
Critical functions are adequately staffed, with
reasonable workloads.
Low turnover. Management understands root
causes of turnover.
Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
The evaluation process is ad hoc and
inconsistent. Performance issues are not
formally addressed.
Compensation decisions are ad hoc,
inconsistent, or inadequately reviewed by
management.
There is inadequate staffing and frequent
periods of overwork and "organizational
stress."
High turnover. Management does not
understand root causes.

Section 2 Risk Assessment

7 Organizational Goals and Objectives
A formal unit-wide mission or value statement
A unit-wide mission or value statement does
7.1 Unit-wide objectives. is established and communicated throughout
not exist.
the unit.
Factors that are critical to achievement of unit-
wide objectives are identified. Resources are
7.2 Critical success factors. Success factors are not identified or prioritized.
appropriately allocated between critical success
factors and objectives of lesser importance.
Realistic objectives are established for all key
7.3 Activity-level objectives. activities including operations, financial Activity-level objectives do not exist.
reporting and compliance considerations.
Unit-wide and activity level objectives include
Performance regarding objectives is not
7.4 Measurement of objectives. measurement criteria and are periodically
measured. Targets are not set.
evaluated.
Employees at all levels are represented in Management dictates objectives without
7.5 Employee involvement.
establishing the objectives. adequate employee involvement.
 Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
Long and short-range plans are developed and
No organized planning process exists. There are
7.6 Long and short-range planning. are written. Changes in direction are made only
frequent shifts in direction or emphasis.
after sufficient study is performed.
Detailed budgets are developed by area of
responsibility following prescribed procedures Budgets do not exist or are "backed into"
7.7 Budgeting system.
and realistic expectations. Plans and budgets depending on desired outcome.
support achievement of unit-wide action steps.
Planning for future needs is done well in
7.8 Strategic planning for information The information system lags significantly
advance of expected needs and considers
systems. behind the needs of the business.
various scenarios.
8 Risk Identification and Prioritization
A process exists to identify and consider the
implications of external risk factors (economic
changes, changing sponsor, student and
8.1 Identification and consideration of Potential or actual external risk factors are not
community needs or expectations, new or
external risk factors. effectively identified or evaluated.
changed legislation or regulations,
technological developments, etc.) on unit-wide
objectives and plans.
A process exists to identify and consider the
implications of internal risk factors (new
8.2 Identification and consideration of personnel, new information systems, changes in Potential or actual internal risk factors are not
internal risk factors. management responsibilities, new or changed effectively identified or evaluated.
educational or research programs, etc.) on unit-
wide objectives and plans.
The likelihood of occurrence and potential
impact (monetary and otherwise) have been
8.3 Prioritization of risks. Risks have not been prioritized.
evaluated. Risks have been categorized as
tolerable or requiring action.
In-depth, cost / benefit studies are performed
8.4 Approach to studying risks. Risks are accepted with little or no study.
before committing significant unit resources.
 Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
Exposure is dealt with on a case by case basis.
A risk management program is in place to
8.5 Process for monitoring risks. Regular efforts or programs to manage risks do
monitor and help mitigate exposures.
not exist.
Internal expertise regarding risk and control
External advisors are consulted as needed to
8.6 Consultation with external advisors. issues is inadequate. Assistance is never sought
supplement internal expertise.
from outside sources.
9 Managing Change
Management promotes continuous Management promotes the status quo, even
9.1 Commitment to change. improvement and solicits input and feedback on when changes are needed to meet important
the implications of significant change. business needs.
Management is willing to commit resources to Management offers no resources to facilitate
9.2 Support of change.
achieve positive change. change.
Mechanisms exist to identify, prioritize, and
react to routine events (i.e., turnover) that affect
9.3 Routine change. Procedures are not present or are ineffective.
achievement of unit-wide objectives or action
steps.
Mechanisms exist to identify and react to
9.4 Economic change. Procedures are not present or are ineffective.
economic changes.
Mechanisms exist to identify and react to
regulatory changes (maintain membership in
9.5 Regulatory change. Procedures are not present or are ineffective.
associations that monitor laws and regulations,
participate in University forums, etc.).
Mechanisms exist to identify and react to
9.6 Technological change. technological changes and changes in the Procedures are not present or are ineffective.
functional requirements of the unit.

Section 3 Control Activities

10 Written Policies and Procedures
Unit staff have available up to date University
10.1 Access to University policies and University policy and procedures are not
policy and procedures and know how to use
procedures. available or are rarely used.
them.
 Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
The unit has documented its own policies and
10.2 Unit policies and procedures. procedures. They are well understood by unit Unit policies and procedures do not exist.
staff.
11 Control Procedures
11.1 Senior management (University or Senior management monitors the unit's Senior management does not monitor unit
College) reviews. performance against objectives and budget. performance.
Reviews are made of actual performance
11.2 Top level (unit-wide) objective
compared to objectives and previous periods Analyses are not performed or management
performance reviews by unit
for all major initiatives. Management analyzes does not follow up on significant deviations.
management.
and follows up as needed.
Reviews are made of actual performance versus
11.3 Top level (unit-wide) financial
budgets, forecasts, and performance in prior Analyses are not performed or management
performance reviews by unit
periods for all major initiatives. Management does not follow up on significant deviations.
management.
analyzes and follows up as needed.
Performance reviews are made of specific
11.4 Direct functional or activity management
functions or activities, focusing on compliance, No performance reviews occur.
by unit management.
financial or operational issues.
Unexpected operating results or unusual trends
11.5 Performance indicators. Operating results and trends are not monitored.
are investigated.
Accounting statements and key reconciliations Reconciliations are not performed timely or
11.6 Accounting statements and key are completed timely. Management performs a regularly. Management does not carefully
reconciliations. diligent review and signifies approval by review or formally approve statements or
signature and date. reconciliations.
Sponsored project accounts are reviewed and
reconciled. PIs certify the expenditures timely.
Sponsored project accounts are not monitored;
11.7 Sponsored project account management. Unit management monitors the portfolio of
reconciliations and certifications are not timely.
sponsored accounts for compliance and fiscal
responsibility.
Restrictions on use are well documented, and
Restrictions are not clearly documented.
are understood by employees who administer
11.8 Use of restricted funds (gifts). Restricted fund accounts are not monitored;
the funds. Usage is monitored by management,
usage may not match restrictions.
accounts are reconciled.
 Assessment Factor
11.9 Information processing.
11.10 Physical controls.
11.11 Training and guidance for asset
custodians.
11.12 Separation of duties.
11.13 Record retention.
11.14 Disaster response plan.
12 Controls over Information Systems
12.1 Local information systems and LANs.
Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
Controls exist to monitor the accuracy and
No information processing controls are in
completeness of information as well as
place.
authorization of transactions.
Equipment, supplies, inventory, cash and other
Equipment, supplies, inventory, cash and other
assets are physically secured and periodically
assets are not protected. Control records do not
counted and compared to the amounts shown
exist or are not up to date.
on control records.
Adequate guidance and training are provided to
No training or guidance is provided.
personnel responsible for cash or similar assets.
Financial duties are divided among different
people (responsibilities for authorizing No significant separation of financial duties
transactions, recording them and handling the among different employees.
asset are separated).
Unit employees understand which records they
Unit employees do not understand which
are responsible to maintain and the required
records they are responsible for maintaining.
retention period. Records are appropriately
The filing system is inadequate.
filed.
A disaster response and recovery plan has been
No disaster response or recovery plan exists.
developed and is understood by key personnel.
System operations are documented; software is
appropriately acquired and maintained; access
to the system, programs and data is controlled; Inadequate controls over local information
the system is maintained in a secure systems or LANs.
environment; applications are appropriately
developed and maintained.
 Assessment Factor
12.2 Application controls.
12.3 Back Up.
Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
The unit controls its computer applications by
diligent and timely response to edit lists,
rejected transactions and other control and
balancing reports. Controls ensure a high level Application controls are not used.
of data integrity including completeness,
accuracy, and validity of all information in the
system.
Key data and programs on LANs or desktop
No formal back up procedures exist.
computers are appropriately backed up and
Management has not informed staff of back up
maintained. Off-site storage is adequate
requirements.
considering possible risks of loss.
 Assessment Factor
13 Access to Information
13.1 Relevant external information.
13.2 Management reporting system.
13.3 Management of information security.
14 Communication Patterns
14.1 Trust.
14.2 Policy enforcement and discipline.
14.3 Recommendations for improvement.
14.4 Formal communications.
Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
Section 4 Information and Communication
Unit members receive relevant information
regarding legislation, regulatory developments,
Relevant information is not available.
economic changes or other external factors that
affect the unit.
An executive information system exists.
Information and reports are provided timely. A formal reporting system does not exist.
Report detail is appropriate for the level of Reports are not timely or are not at appropriate
management. Data is summarized to facilitate levels of detail.
decision making.
Information is evaluated and classified based
on level of integrity, confidentiality and Information used by the unit has not been
availability. Individuals with access to evaluated and classified. Employees are not
information are trained to understand their trained with respect to information security.
responsibilities related to the information.
Management promotes and fosters trust Interactions among faculty, staff and/or with
between employees, supervisors and other other units is characterized by low levels of
units. trust.
Employees who violate an important policy are Violations, while not condoned officially, are
disciplined. Management's communications often overlooked. Management's actions are
and actions are consistent with policies. inconsistent with official policies.
Employees are encouraged to provide
recommendations for improvement. Ideas are Employees' ideas are not welcomed.
recognized and rewarded.
Formal methods are used to communicate unit
policies and procedures (e.g., manuals, training To the extent that they exist, policies are buried
programs, written codes of conduct, and in unused manuals and documents.
acceptable business practices).
 Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
Standards and expectations are communicated
to key outside groups or individuals (e.g., No external communication of standards and
14.5 External communications.
vendors, consultants, donors, sponsors, expectations.
subcontractors, sub-recipients).
Employees are kept informed of important
matters (downward communication) and are
able to communicate problems to persons with Most information is received by the
14.6 Informal communications.
authority (upward communication). There is "grapevine."
effective functional coordination within the unit
(lateral communication).
Information is openly shared with outside Information is kept secret from outside
14.7 Communication with evaluators.
evaluators. evaluators.

Section 5 Monitoring
15 Management Supervision
Management routinely spot-checks
15.1 Effectiveness of key control activities. transactions, records and reconciliations to Management never performs spot-checks.
ensure expectations are met.
Accounting policies are defined and adopted
15.2 Management supervision of accounting
after appropriate consideration. Policies are Policies are ad hoc or poorly communicated.
function.
effectively communicated (in writing).
Policies are defined for developing new
systems or changes to existing systems
15.3 Management supervision of new systems Policies and procedures are ad hoc, poorly
(cost/benefit analysis, team composition, user
development. communicated, or ineffective.
specifications, documentation, acceptance
testing, and user approval).
Budgets are compared to actual results and
An analysis of actual versus budgeted results is
deviations are followed up on a timely basis.
15.4 Budget analysis. not performed, or management does not follow
Adequate consideration is given to
up on deviations.
commitments.
16 Outside Sources
 Assessment Factor
16.1 Industry and professional associations.
16.2 Regulatory authorities.
16.3 Sponsors, students, suppliers, creditors,
and other third parties.
16.4 External auditors.
17 Response Mechanisms
17.1 Management follow-up of violations of
policies.
17.2 External or internal audit findings.
17.3 Changes in conditions (e.g., economic,
regulatory, technological, or
competitive).
18 Self-Assessment Mechanisms
18.1 Monitoring of control environment.
18.2 Evaluation of risk assessment process.
18.3 Assessment of design and effectiveness
of internal controls.
Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
Data is used to compare the units performance
Comparative data is not regularly monitored.
with peers or industry standards.
Reports from regulatory bodies are considered Response is limited to what is necessary to "get
for their internal control implications. by" the regulators.
Root causes of inquiries or complaints are
Inquiries or complaints are dealt with case-by-
investigated and considered for internal control
case, with little or no follow-up.
implications.
Information provided by external auditors
Findings are referred to lower levels or are
about control-related matters are considered
explained away.
and acted on at high levels.
Timely corrective action is taken. Follow-up is sporadic.
Findings are considered and immediately acted Consideration of findings is delegated to lower
upon at appropriate levels. levels or is given low priority.
Changes are anticipated and routinely
integrated into ongoing long- and short-range Responses are reactive rather than proactive.
planning.
Management periodically assesses employee
attitudes, reviews the effectiveness of the
Assessment processes do not exist.
organization structure, and evaluates the
appropriateness of policies and procedures.
Management periodically evaluates the
Assessment processes do not exist.
effectiveness of its risk assessment process.
Internal controls are subject to a formal and
Assessment processes do not exist.
continuous internal assessment process.
 Assessment Factor
18.4 Evaluation of information and
communication systems.
Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
Management periodically evaluates the
accuracy, timeliness and relevance of its
information and communication systems.
Assessment process does not exist.
Management questions information on
management reports that appears unusual or
inconsistent.