Policy 3-018: Internal Controls

  1. Purpose & Scope
    1. The purpose of this policy is to communicate, to the entire campus community, the University's internal control objectives; and to establish standards for the design and operation of the University's system of internal controls in order to reduce the University's exposure to financial risks - such as mismanagement of funds and fraud.
  2. Definitions
    1. Internal Control - is broadly defined as a process, implemented by an entity's Board of Trustees, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. A system of effective internal controls helps identify and manage risks.
    2. Risk assessment - is the process of identifying, analyzing, and managing risks related to the accomplishment of the Board's and the University's objectives. Risk types include strategic, reputational, financial, legal, human resources, compliance, and operational risks.
    3. Monitoring - is the process that assesses the quality of internal controls over time. An effective system is able to react dynamically to changing conditions.
    4. Business Function - a generic term broadly used in this policy to refer collectively to programs, departments, colleges, units, museums, theatres, centers, institutes, etc. “Business”, in this instance, is not intended to be limited to traditional administrative functions, but rather to also refer to functions carried out in the academic and patient-centered areas where fiscal and budgetary responsibility rest.
    5. Faculty and Staff Leadership - personnel given fiscal and budgetary responsibility over a business function, as defined above. This includes those with administrative appointments serving as department chairs, deans, vice-presidents, and the like - anyone who is in a position to direct how university financial, capital and human resources are utilized.
  3. Policy
    1. Control environment - the core of any university is its people; and the internal control environmental tone is set by its leaders. Their individual attributes (integrity, ethical values, and competence) and the environment in which they operate set the tone for the organization and determine the sincerity with which the institution embraces the control environment. University leaders are expected to set an appropriate “tone at the top” that reflects the University's values and commitment to ethical conduct.
    2. Administration of Policy - Faculty and staff in leadership roles are responsible for the application of this policy and the design, development, implementation, and maintenance of an effective system of internal controls within their respective areas of responsibility. The University Controller's Office is the primary source of information, education, and assistance to faculty and staff leadership on this topic; and will make resources available to any business function on campus to assist in administering this policy - either through the Controller's on-going internal control training programs, or through tailored individual training to department chairs and deans upon request.
    3. Design of Internal Control Systems - Internal control systems will vary depending upon the operating environment, including the size of the business function, its diversity of operations and the degree of centralization of financial and administrative management. While there may be practical limitations to the implementation of some internal controls, each business function throughout the University must establish and maintain an effective system of controls designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with University policies and procedures, and applicable laws and regulations.
    4. Operation of Internal Control Systems - Faculty and staff responsible for internal control systems should understand the systems in sufficient detail so as to support ongoing monitoring of the systems' effectiveness.
    5. Information and communication - information must be timely and communicated in a manner that enables people to carry out their responsibilities. Specifically:
      1. All personnel must receive a clear message from their leaders that control responsibilities must be taken seriously.
      2. Employees must understand their own roles in the internal control system, as well as how individual activities relate to the work of others. To this end, whenever a new budgetary unit, financial activity, research project, etc. is set up, notification will be provided to the appropriate parties of the responsibilities incumbent on them for good business practices and sound financial management, including reference to the principles within this policy.
      3. Employees must have a means of communicating significant information to leaders.
      4. The university must communicate effectively with external parties, such as students, parents, funding providers, contractors, suppliers, regulators and other stakeholders.
      5. Faculty and staff in leadership positions have the responsibility to ensure that those who report to them (their direct reports) have adequate knowledge, skills, and abilities to function within, and contribute to, an effective internal control environment. This includes providing access to appropriate training on topics relevant to their job responsibilities.
    6. Review and Evaluation of Internal Controls - The Internal Audit Department, external auditors, and/or representatives from the Controller's Office have the authority to review and measure the effectiveness of the controls established within the framework of this policy as they relate to the University's accounting, financial and operating systems. In addition, they have the authority to make recommendations for improvements in internal controls. Upon issuance of an internal audit report, management is responsible for responding to findings and for implementing changes as appropriate. Reviews and audits, as described above, serve to:
      1. Ascertain the reliability and integrity of accounting, financial and operating information and the means of generating and reporting that information.
      2. Ensure that systems comply with University regulations and with applicable laws and regulations.
      3. Evaluate computer-based systems in production, in development, or undergoing change.
      4. Evaluate the systems development process and computer operations.
      5. Evaluate the adequacy of methods used to safeguard University assets.
      6. Improve the efficiency and effectiveness of University business processes.
    7. Segregation of Duties - Individuals responsible for a business function must take steps to assure that duties are appropriately segregated such that no one person has control over all aspects of a particular transaction.
  4. Rules, Procedures, Guidelines, Forms and other related resources
    1. Rules [reserved]
    2. Procedure [reserved]
    3. Guidelines [reserved]
    4. Forms [reserved]
    5. Other related resource materials [reserved]
  5. References
    1. Committee of Sponsoring Organizations of the Treadway Commission (COSO)
    2. Ethical Standards & Code of Conduct Handbook
    3. Policy 1-006; Conflict of Interest
    4. Policy 3-003; Authorizations and Approvals Required for Financial Transactions
    5. Policy 3-019; University of Utah Internal Audit Policy
    6. Policy 5-205; Code of Conduct for Staff
    7. State Board of Regents Policy R561, Accounting and Financial Controls
  6. Contacts:
    1. The Office of the Associate Vice President for Financial and Business Services, acting as policy owner, is responsible for answering questions regarding the application of this Policy; while the Office of the Vice President for Administrative Services, acting as policy officer, is authorized to allow exceptions to this Policy.
  7. History:
    1. Approved: Board of Trustees, 1/12/2010
      1. Executive Summary

Policy: 3-018 Rev: 0
Date: January 12, 2010