University of Rochester

Office of University Audit

Internal Controls

This section is designed to describe what internal controls are, provide some examples of internal controls, describe management's responsibility regarding controls, and explain why we audit.

What are internal controls?

Internal controls are operating practices used to help ensure the achievement of an objective. Internal controls help assure that departments operate according to plan; they are tools used every day by managers, from the unit levels to the President of the University. The internal control structure of the University includes such things as written policies and procedures, organizational design, and physical barriers. Simply put, internal controls are good business practices. For example, the following are internal controls used to achieve objectives:

Internal controls can provide assurance that:

Most internal controls can be classified as preventive or detective. Preventive controls are designed to discourage errors or irregularities. For example: A manager's review of purchases for propriety and validity prior to approval prevents inappropriate expenditures.

Detective controls are designed to identify an error or irregularity after it has occurred. For example: A comparison of validated Cash Receipt Vouchers to monthly ledger reports will detect deposits posted to erroneous account numbers.

Through careful design, the system of internal controls can help your department operate more efficiently and effectively and provide a reasonable level of assurance that the processes, services or products for which you are responsible are adequately protected.

Management's responsibility:

Management is responsible for ensuring that internal controls are established and functioning to achieve the missions and objectives of their unit or department. Changes in existing conditions may cause the effectiveness of a control to deteriorate or the degree of compliance to change. Management must respond to these changes by creating additional controls or altering existing controls to protect against loss.

Audit department's responsibilities:

The Office of University Audit provides an independent evaluation of the adequacy of internal controls and reports the results to University management and the Audit Committee of the Board of Trustees. The Internal Audit function is an internal control itself, in that it evaluates and appraises other University controls. The Audit Department reviews the effectiveness of internal controls and makes specific recommendations for improvements. Our findings, comments, and recommendations, and management's response to them, are reported to applicable University administration.