Internal Controls


The University has established policies and procedures that incorporate internal controls to help safeguard resources and promote their effective and efficient use. This policy outlines the objectives and principles of campus internal controls, establishes and delineates department managers' responsibilities for implementing internal controls, and establishes Audit and Management Services as the campus unit responsible for reviewing the adequacy of departmental internal controls.

Adequate Control

Plans and organizational structures which provide reasonable assurance that organizational objectives will be achieved effectively and economically.


Record evidence that authority and responsibility were exercised.

Effective Control

Management-directed, -authorized, and -monitored performance, which includes periodically comparing actual with planned performance, and documenting these actions to provide reasonable assurance that organizational goals will be achieved.

Internal Controls

Policies and procedures which help ensure that the University's objectives and goals are met (as contrasted with external controls such as regulations and laws).


Supervise, observe, test activities, and report to responsible persons to verify progress toward goals.

Reasonable Assurance

Errors and other deviations are kept to a tolerable level; for example, in the normal course of their assigned duties, employees will prevent errors or improper acts or will detect and correct them within a reasonable time, thereby mitigating their detrimental effects.

A. The primary objectives of the University's internal control environment are to ensure:

1. reliability and integrity of information;

2. compliance with University policies, plans, procedures, and laws and regulations;

3. safeguarding of University assets;

4. economical and efficient use of University resources;

5. meeting established objectives and goals for University operations and programs.

B. Costs associated with internal controls should not exceed their benefit. Not all departments have sufficient resources to provide maximum control. In this case, department management must assess the costs, benefits, and risks and develop and implement alternative future controls to compensate for the risk.

C. General internal control principles for campus units are:

1. Separation of duties

a. Duties are separated so that one person's work routinely serves as a check on another's work.

b. No one person has complete control over more than one key function or activity (e.g., authorizing, approving, certifying, disbursing, receiving, or reconciling).

2. Authorization and approval

a. Proposed transactions are authorized when proper and consistent with University policy and the department's plans.

b. Transactions are approved by the person who is delegated approval authority, which is usually delegated on the basis of special competency or knowledge.

3. Custodial and security arrangements

a. Responsibility for physical security/custody of University assets is separated from recordkeeping/accounting for those assets.

b. Unauthorized access to University assets and accounting records is prevented.

4. Review and reconciliation

a. Departmental accounting records and documents are examined by employees who have sufficient understanding of the University accounting and financial system to verify that recorded transactions actually took place and were made in accordance with University policy and procedures.

b. Departmental accounting records and documentation are compared with University accounting system reports and financial statements to verify their reasonableness, accuracy, and completeness.

c. The general internal control principles should be applied to all departmental operations, especially accounting records and reports, payroll, purchasing/receiving/disbursement approval, equipment and supplies inventories, cash receipts, petty cash and change funds, billing and accounts receivable.

D. All campus systems, processes, operations, functions, and activities are subject to these evaluations. The overall results of these evaluations provide information regarding UCSF's overall system of control.

A. Department managers are responsible for establishing, maintaining, and supporting a system of internal controls, as well as discouraging circumvention of University internal controls and policies.

1. Adequate supervision is necessary to ensure that internal controls are operating as intended, and to ensure the reliability of accounting and operational controls by pointing out errors, omissions, exceptions, and inconsistencies in procedures.

2. Department managers should periodically review departmental procedures to ensure that the general principles of internal control are being followed. Management is responsible for strengthening internal controls when weaknesses are detected.

B. Audit and Management Services is responsible for reviewing the adequacy of departmental internal controls and for reporting any findings to the appropriate campus management. External auditors also study UCSF's overall system of internal controls.

C. Department managers are responsible for prompt corrective action on all internal control findings and recommendations made by internal and external auditors. The audit process is completed only after managers receive the audit results and take action to correct internal control weaknesses, improve systems, or demonstrate that management action is not warranted.