
Office of University Audit

Best Practices Presentations

Thank you for visiting the Office of University Audit’s Best Practices page.  Below you will find tools and resources that will assist with identifying, understanding, mitigating and managing risk.  Also of note, we have provided guidance regarding the key roles and responsibilities for an effective system of financial management controls.  Please do not hesitate to reach out to any of my staff if you have comments, questions regarding any of the information below, or if you would like to see additional guidance documentation provided.  Meliora!

Financial Management and Internal Controls (.pdf)

  • revised February 2017 

    A critical component of the University’s internal control environment over financial transactions is the departmental Financial Management activities of analyzing, reviewing and reconciling transactions in a timely manner. There are limited preventive (or “front-end”) internal controls for the processing of revenue and expenditure transactions due to established University procedures, as well as the decentralized University environment. Furthermore, within the initiating departments (at the “back-end”), there is no single internal control that would detect incorrect, unauthorized or inappropriate transactions. Rather, there is a set of controls working together to mitigate risk to acceptable levels. The purpose of this document is to:
    • define key internal control terminology,
    • recommend internal control procedures, and
    • provide detailed written guidance for all departments and sub-units regarding Financial Management and internal control procedures.

      An important first step to implement Financial Management and internal control procedures is to complete the FAO Inventory and Self-Analysis Worksheet (.xls). The FAO Inventory identifies all FAOs within a department.  Performing the Self-Analysis assists in determining which internal control procedures will be used to address the risk associated with each FAO and documents department management’s expectation of the scrutiny and accountability placed on these FAOs.  Members of OUA are available to discuss internal controls, including those presented in this document.

Fraud in the Workplace: Prevention and Detection (.pdf) September 2013

Overview of Internal Controls and Risk (.pdf) August 2018

Three Lines of Defense Model (.pptx)

  • Internal controls are a set of systems, processes and people that collectively ensure that the University achieves its goals (Operational, Internal and External Financial Reporting and Legal and Regulatory Compliance). In order to achieve these goals, the University must have in place an effective internal control and risk management structure across the institution.  The Lines of Defense model provides a simple and effective way to enhance communications on risk management and control by clarifying essential roles and duties. It provides a fresh look at operations, helping to assure the ongoing success of risk management initiatives. Key stakeholders in the Lines of Defense model are:
    1. Board of Trustees, Audit and Risk Committees and Executive Management
    2. Business Operations: Departmental, Operational and Functional Management
    3. Oversight Functions: Risk Assurance Functions (Academic and Medical)
    4. Independent and Objective Assurance: Internal Audit
    5. External Auditors and Regulators

  • All lines of defense should exist in some form at every organization, regardless of size or complexity. Risk management normally is strongest when there are separate and clearly identified lines of defense.  Regardless of how a Lines of Defense model is implemented, senior management and governing bodies should clearly communicate the expectation that information be shared and activities coordinated among each of the groups responsible for managing the organization’s risks and controls.

Internal Controls Presentation

  • An overview of “risk” and “internal controls” as they pertain to the University of Rochester. Presented at the 2018 Administration and Finance conference.

2019 Administration and Finance Conference

  • A refresher on the Three Lines of Defense model and the importance of being familiar with key University policies related to our risk management roles and responsibilities. Presented at the 2019 Administration and Finance conference.

Expense Report Best Practices

  • Best practices for Expense Report Reimbursement, presented during the 2018 A&F Conference, with emphasis on adequate supporting documentation, business purpose explanations, and proper approvals.

Required Departmental Internal Controls for Sponsored Research Effort Reporting 1-8-24 (.pdf) August 2024