Internal Controls


Internal controls assist to offset negative risk events, which can be categorized into just four main titles: errors, omissions, delay and fraud.  Managers should design and implement internal controls to decrease risk to an acceptable level. By performing this balancing act "reasonable assurance” can be attained. It is not common nor desirable to decrease all risk to zero as this is cost prohibitive.

Examples of controls out of balance:

Excessive Risks

  • Loss of assets, donor or grants
  • Ineffective business decisions
  • Noncompliance
  • Increased regulations
  • Public scandal

Excessive Controls

  • Increased bureaucracy
  • Reduced productivity
  • Increased complexity
  • Increased cycle time
  • Increase of no-value activities

In order to achieve a balance between risk and controls, internal controls should be proactive, value-added, cost-effective, and reasonably address exposure to risk.

The Manager’s Responsibility

Managers are responsible for ensuring that internal controls are properly designed, implemented, balanced, and operating as intended. Through design, a system of internal controls can assist in providing managers a reasonable level of assurance that the unit’s mission and objectives will be achieved. Managers are also responsible for periodically re-evaluating the internal controls within their unit for balance and function.

Most internal controls can be classified as preventative or detective.  This is to:

  • conduct business in an orderly and efficient manner,
  • safeguard assets and resources, including electronic information resources
  • deter and detect errors, fraud, and theft,
  • ensure accuracy and completeness of accounting and critical operational data,
  • produce reliable and timely financial and management information, and
  • ensure adherence to policies and regulations

Audit and Compliance Services' Responsibility

The internal audit function of A&CS provides an independent evaluation of the adequacy of internal controls, works with managers and their unit to identify out of balance internal control and risk areas, and reports the results to appropriate management and the Board of Regents Audit and Finance Committee per Regents Policy P05.03.

Often, the auditor’s evaluation will include the following internal control elements:

  • Personnel – verify that clearly established lines in regards to authority and responsibility are documented in job descriptions and procedure manual
  • Authorization procedures – review supporting information to verify the propriety and validity of transactions
  • Segregation of duties – review the appropriate placement of duties to reduce the likelihood of errors and irregularities (one individual should not have responsibility for more than one of the three transaction components: authorization, custody, and record keeping)
  • Physical restrictions – review the safeguarding of university assets, processes, and data
  • Documentation and record retention – review the assurance information that assets and data are controlled and correctly recorded
  • Operational internal controls – review operational risks and how they are addressed

Suggestions for Internal Controls

  • Set an example. Display and expect ethical behavior from yourself and those around you.  This is also referred to as organization culture or the tone at the top.
  • Never sign something you do not understand or that is not completed properly.
  • Document approvals by signature and date of approval.
  • Provide yourself and your unit with the opportunities to stay knowledgeable with university policies and regulations and for topics essential to unit operations. Seek training provided by different departments within the university. Refer to the section below titled University of Alaska Guidance.
  • Keep written procedures current and available to the whole unit.
  • Evaluate your unit’s risks and internal controls for balance periodically. Ask A&CS for additional information or consulting.
  • Do not let one employee have complete control of a process.
  • Keep property and data safeguarded. Contact your risk management or information technology departments for ideas on techniques.
  • Reconcile data to ensure completeness and accuracy. Verify different sets of records contain the same data across the board. Financial data is important to reconcile, but not the only kind of data that needs reconciling. 
  • Maintain support documentation for transactions and key business decisions.
  • Perform employee performance reviews. Keep up to date on all areas of employee work related activities, goals, perceptions, ideas, etc.

Tools to Assist in Designing Internal Controls

  • Risk assessments
  • Process flowcharts
  • Walk-throughs
  • Transaction tracing
  • Questionnaires
  • Guidance from other departments

A&CS or your risk management department can assist by providing tools, hosting a training session or workshop, facilitating a risk assessment, or any combination of these items.

University of Alaska Guidance