
Policy 3-018: Internal Controls

Revision 0. Effective date: January 12, 2010


  1. Purpose and Scope
  2. Definitions
  3. Policy
    1. Control environment
    2. Administration of Policy
    3. Design of Internal Control Systems
    4. Operation of Internal Control Systems
    5. Information and communication
    6. Review and Evaluation of Internal Controls
    7. Segregation of Duties
  4. Policies/ Rules, Procedures, Guidelines, Forms and other Related Resources
  5. References
  6. Contacts
  7. History

  1. Purpose and Scope

    1. Purpose.

      The purpose of this policy is to communicate, to the entire campus community, the University's internal control objectives; and to establish standards for the design and operation of the University's system of internal controls in order to reduce the University's exposure to financial risks - such as mismanagement of funds and fraud.

    2. Scope.

      [reserved]

  2. Definitions

    The following definitions apply for the limited purposes of this policy and any associated regulations.

    1. Internal Control - is broadly defined as a process, implemented by an entity's Board of Trustees, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. A system of effective internal controls helps identify and manage risks.

    2. Risk assessment - is the process of identifying, analyzing, and managing risks related to the accomplishment of the Board's and the University's objectives. Risk types include strategic, reputational, financial, legal, human resources, compliance, and operational risks.

    3. Monitoring - is the process that assesses the quality of internal controls over time. An effective system is able to react dynamically to changing conditions.

    4. Business Function - a generic term broadly used in this policy to refer collectively to programs, departments, colleges, units, museums, theatres, centers, institutes, etc. “Business”, in this instance, is not intended to be limited to traditional administrative functions, but rather to also refer to functions carried out in the academic and patient-centered areas where fiscal and budgetary responsibility rest.

    5. Faculty and Staff Leadership - personnel given fiscal and budgetary responsibility over a business function, as defined above. This includes those with administrative appointments serving as department chairs, deans, vice-presidents, and the like - anyone who is in a position to direct how university financial, capital and human resources are utilized.

  3. Policy

    1. Control environment

      The core of any university is its people; and the internal control environmental tone is set by its leaders. Their individual attributes (integrity, ethical values, and competence) and the environment in which they operate set the tone for the organization and determine the sincerity with which the institution embraces the control environment. University leaders are expected to set an appropriate “tone at the top” that reflects the University's values and commitment to ethical conduct.

    2. Administration of Policy

      Faculty and staff in leadership roles are responsible for the application of this policy and the design, development, implementation, and maintenance of an effective system of internal controls within their respective areas of responsibility. The University Controller's Office is the primary source of information, education, and assistance to faculty and staff leadership on this topic; and will make resources available to any business function on campus to assist in administering this policy - either through the Controller's on-going internal control training programs, or through tailored individual training to department chairs and deans upon request.

    3. Design of Internal Control Systems

      Internal control systems will vary depending upon the operating environment, including the size of the business function, its diversity of operations and the degree of centralization of financial and administrative management. While there may be practical limitations to the implementation of some internal controls, each business function throughout the University must establish and maintain an effective system of controls designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with University policies and procedures, and applicable laws and regulations.

    4. Operation of Internal Control Systems

      Faculty and staff responsible for internal control systems should understand the systems in sufficient detail so as to support ongoing monitoring of the systems' effectiveness.

    5. Information and communication

      Information must be timely and communicated in a manner that enables people to carry out their responsibilities. Specifically:

      1. All personnel must receive a clear message from their leaders that control responsibilities must be taken seriously.

      2. Employees must understand their own roles in the internal control system, as well as how individual activities relate to the work of others. To this end, whenever a new budgetary unit, financial activity, research project, etc. is set up, notification will be provided to the appropriate parties of the responsibilities incumbent on them for good business practices and sound financial management, including reference to the principles within this policy.

      3. Employees must have a means of communicating significant information to leaders.

      4. The university must communicate effectively with external parties, such as students, parents, funding providers, contractors, suppliers, regulators and other stakeholders.

      5. Faculty and staff in leadership positions have the responsibility to ensure that those who report to them (their direct reports) have adequate knowledge, skills, and abilities to function within, and contribute to, an effective internal control environment. This includes providing access to appropriate training on topics relevant to their job responsibilities.

    6. Review and Evaluation of Internal Controls

      The Internal Audit Department, external auditors, and/or representatives from the Controller's Office have the authority to review and measure the effectiveness of the controls established within the framework of this policy as they relate to the University's accounting, financial and operating systems. In addition, they have the authority to make recommendations for improvements in internal controls. Upon issuance of an internal audit report, management is responsible for responding to findings and for implementing changes as appropriate. Reviews and audits, as described above, serve to:

      1. Ascertain the reliability and integrity of accounting, financial and operating information and the means of generating and reporting that information.

      2. Ensure that systems comply with University regulations and with applicable laws and regulations.

      3. Evaluate computer-based systems in production, in development, or undergoing change.

      4. Evaluate the systems development process and computer operations.

      5. Evaluate the adequacy of methods used to safeguard University assets.

      6. Improve the efficiency and effectiveness of University business processes.

    7. Segregation of Duties

      Individuals responsible for a business function must take steps to assure that duties are appropriately segregated such that no one person has control over all aspects of a particular transaction.


      Sections IV-VII are for user information and are not subject to the approval of the Academic Senate or the Board of Trustees. The Institutional Policy Committee, the Policy Owner, or the Policy Officer may update these sections at any time.


  4. Policies/ Rules, Procedures, Guidelines, Forms and other Related Resources

    1. Policies/ Rules.

      1. R3-003B: Safeguarding University Resources

    2. Procedures, Guidelines, and Forms. [reserved]

    3. Other Related Resources. [reserved]

  5. References

    1. Committee of Sponsoring Organizations of the Treadway Commission (COSO)

    2. Ethical Standards & Code of Conduct Handbook

    3. Policy 1-006: Individual Conflict of Interest Policy

    4. Policy 3-003: Authorizations and Approvals Required for Financial Transactions

    5. Policy 3-019: University of Utah Internal Audit Policy

    6. Policy 5-205: Code of Conduct for Staff

    7. Utah Board of Higher Education Policy R561: Accounting and Financial Controls

  6. Contacts

    The designated contact officials for this regulation are:

    1. Policy Owner(s) (primary contact person for questions and advice): Associate Vice President for Financial and Business Services

    2. Policy Officer(s): Vice President for Administrative Services

      See Rule 1-001 for information about the roles and authority of policy owners and policy officers.

  7. History

    1. Current version. Revision 0

      1. Approved by Board of Trustees January 12, 2010 with effective date of January 12, 2010

      2. Legislative History

      3. Editorial Revisions

        1. Editorially revised August 29, 2022 to move to current template.

    2. Renumbering

      1. Not applicable

Last Updated: 8/29/22