350-12: Internal Controls

Questions? Contact Campus Administrative Policies


Outlines the objectives and principles of campus internal controls.


The University has established policies and procedures that incorporate internal controls to help safeguard resources and promote their effective and efficient use. This policy outlines the objectives and principles of campus internal controls, establishes and delineates department managers' responsibilities for implementing internal controls, and establishes Audit and Management Services as the campus unit responsible for reviewing the adequacy of departmental internal controls.


Plans and organizational structures which provide reasonable assurance that organizational objectives will be achieved effectively and economically.

Record evidence that authority and responsibility were exercised.

Performance of actions directed, authorized, and monitored by management, which includes periodically comparing actual with planned performance and documenting these actions to provide reasonable assurance that organizational goals will be achieved.

Processes, policies, and procedures which help ensure that the University's objectives and goals are met (as contrasted with external controls such as regulations and laws).

Supervise, observe, test activities, and report to responsible persons to verify progress toward goals.

Errors and other deviations are kept to a tolerable level; for example, in the normal course of their assigned duties, employees will prevent errors or improper acts or will detect and correct them within a reasonable time, thereby mitigating their detrimental effects.


A. The primary objectives of the University's internal control environment are to ensure:

1. Reliability and integrity of information;

2. Compliance with University policies, plans, procedures, and laws and regulations;

3. Safeguarding of University assets;

4. Economical and efficient use of University resources; and

5. Established objectives and goals for University operations and programs are met.

B. Costs associated with internal controls should not exceed their benefit. Not all departments have sufficient resources to provide maximum control. In this case, department management must assess the costs, benefits, and risks and develop and implement alternative future controls to compensate for the risk.

C. General internal control principles for campus units

1. Separation of duties

a. Duties are separated so that one person's work routinely serves as a check on another's work.

b. No one person has complete control over more than one key function or activity (e.g., authorizing, approving, certifying, disbursing, receiving, or reconciling).

2. Authorization and approval

a. Proposed transactions are authorized when proper and consistent with University policy and the department's plans.

b. Transactions are approved by the person who is the delegated approval authority. Delegation of authority is usually based on special competency or knowledge.

3. Custodial and security arrangements

a. Responsibility for physical security/custody of University assets is separated from recordkeeping/accounting for those assets.

b. Unauthorized access to University assets and accounting records is prevented.

4. Review and reconciliation

a. Departmental accounting records and documents are examined by employees who have sufficient understanding of the University accounting and financial system to verify that recorded transactions actually took place and were made in accordance with University policy and procedures.

b. Departmental accounting records and documentation are compared with University accounting system reports and financial statements to verify their reasonableness, accuracy, and completeness.

c. The general internal control principles should be applied to all departmental operations, especially accounting records and reports, payroll, purchasing/receiving/disbursement approval, equipment and supplies inventories, cash receipts, petty cash and change funds, billing and accounts receivable.

D. All campus systems, processes, operations, functions, and activities are subject to these evaluations. The overall results of these evaluations provide information regarding UCSF's overall system of control.


A. Department managers are responsible for establishing, maintaining, and supporting a system of internal controls, as well as discouraging circumvention of University internal controls and policies.

1. Adequate supervision and ongoing monitoring is necessary to ensure that internal controls are operating as intended, and to ensure the reliability of accounting and operational controls by pointing out errors, omissions, exceptions, and inconsistencies in procedures.

2. Department managers should periodically review departmental procedures to ensure that the general principles of internal control are being followed. Management is responsible for strengthening internal controls when weaknesses are detected.

3. Reliable and relevant information (e.g. reports containing operational, financial and compliance-related information that make it possible to run and control a business or academic unit) must be identified, captured, and communicated in a form and timeframe that enables a manager and staff to carry out their responsibilities efficiently.

4. Effective communication must occur to enable staff to understand their own role in the internal control system, as well as how activities interrelate. Department policies and operating procedures shall be written, communicated, promoted, and accessible. Training is to be provided to ensure employees are equipped to fulfill their job duties.

B. Audit and Advisory Services is responsible for reviewing the adequacy of departmental internal controls and for reporting any findings to the appropriate campus management. External auditors also study UCSF's overall system of internal controls.

C. Department managers are responsible for prompt corrective action on all internal control findings and recommendations made by internal and external auditors. The audit process is completed only after managers receive the audit results and take action to correct internal control weaknesses, improve systems, or demonstrate that management action is not warranted.