Internal Auditing

What are Internal Controls?

Internal control as defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a process, affected by an entity's board of directors (trustees), management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

They include a wide range of activities that occur throughout the organization, by supervisory and front-line personnel.   Typically, management is responsible for developing an appropriate system of internal controls, but every employee is responsible for following and applying those practices.

Examples of Internal Controls

Segregation of Duties

When work duties are divided or segregated among different people to reduce the risk of error or inappropriate actions.

Physical Controls

When equipment, inventories, securities, cash and other assets are secured physically.  This can occur through the use of locks, safes, or other environmental controls. Access is restricted to those with authority to handle them.


Comparisons are made between similar records maintained by different people to verify transaction details are accurate and that all transactions are properly recorded.  Specific examples would include:  Performing a reconciliation from bank statements to check register/records.  Balancing/reconciling cash on hand to sales or transaction activity on the cash register totals.

Policies and Procedures

Established policies, procedures, and documentation that provide guidance and training to ensure consistent performance at a required level of quality.  These should be available at all levels of the organization.  Departmental and University/Organization wide.

Transaction and Activity Reviews

Management reviews of transaction, operating, and summary reports help to monitor performance against goals and objectives, spot problems, identify trends, etc. Specific examples include:  Monthly review of budget statements to actual expenses.  Review of telecommunication call activity reports for personal or non-business related phone calls.  Review of timecards and overtime hours by employees.

Information Processing Controls

When data is processed, a variety of internal controls are performed to check the accuracy, completeness and authorization of transactions. Data entered is subject to edit checks or matching to approved control files or totals. Numerical sequences of transactions are accounted for, and file totals are controlled and reconciled with prior balances and control accounts. Development of new systems and changes to existing ones are controlled, as is access to data, files and programs.