Skip to main content

System Status: 

  1. Home
  2. Finance
  3. Accountability & Control
  4. Internal Controls
  5. SAS 115 Overview
  6. Best Practices in Internal Controls

Best Practices in Internal Controls

Last Updated: February 6, 2025 4:23:38 PM PST
Give feedback

Learn about documenting your department's key control activities to detect and correct financial errors.

Click the link to view the Internal Controls Policy.

 

Internal Controls Policy Highlights

Background

The Regents of the University of California have adopted the principles of internal controls published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.

UC San Diego is committed to upholding the principles of internal controls published through COSO’s Internal Control – Integrated Framework.

In coordination with the University of California, Office of the President, UC San Diego develops campus-wide policies and procedures to ensure a system of internal control is maintained per policies established by the Board of Regents of the University of California and the University of California, Office of the President.

Why perform control activities

An internal control is an action your department takes to prevent and detect errors, omissions, or potentially fraudulent transactions in its financial statements. Your department should already have key financial review and follow-up activities in place. Ongoing monitoring activities and other planned actions to address risks result in an effective internal control system. This ensures sound business practices, which minimizes our risk of inaccurate financial information and maintains public trust.

To fulfill documentation requirements, departments should review those activities and identify key controls.

Be able to answer these questions:

  • What controls exist?
  • Are those controls working?
  • Are those control activities documented, properly performed, and reviewed?

Why documenting control activities is critical

  • All units are required to document their performance and certification of control activities.
  • A checklist has been developed to assist departments with documenting who performed and certified the control activities.  See the control activities section below for more information.
  • It provides documented evidence that internal control activities are performed regularly as prescribed by SAS 115.
  • Documentation must provide evidence of performance and demonstrate that review and corrective action were completed. Communications like emails, letters, chat messages, etc. can be part of the documentation to be saved.
  • Retention of documentation is necessary for audit purposes.
  • Documentation should be saved electronically, in a location determined by the department’s leadership, and accessible to authorized personnel.
  • If electronic sign-off is used, performers and certifiers should consider using electronic signature tools, like DocuSign, to document timeliness or review.

Responsibilities

  • Performer is an individual within the department responsible for creating and storing the underlying documentation of the internal controls review. A performer should not review or certify their work.
  • Certifier is an individual (i.e., department head, Department Business Officer, or Management Services Officer) within the department other than the performer. A certifier will verify that the control activities have been performed appropriately and within the prescribed accounting period.
  • Department Head establishes and delegates responsibilities to Department Administrators (i.e., the Performer and Certifier roles) within the department. Department heads are ultimately responsible for ensuring control activities have been completed. Contact Internal Controls & Accounting via Services and Support if you have questions about the delegation.
  • Department Administrators are responsible for ensuring that internal controls are established, properly documented, and maintained for activities within their jurisdiction and areas of responsibility.
  • Vice Chancellor offices should have jurisdiction over their departments and may have additional requirements for department administrators to follow.
  • Internal Controls & Accounting provides guidance and best practices for control activities (i.e., policies and procedures).
  • Audit and Management Advisory Services will have access to the documentation of control activities completed by departments, upon request.

Resolving internal control deficiencies

Department administrators and managers are responsible for prompt and effective corrective action on internal control findings and for implementing remediation or action plans as internal and external auditors recommend.

Internal Controls Checklist

A checklist has been developed to assist departments with documenting who performed and certified the control activities.  Some control activities are required by University policy.  Other control activities can be optional as determined by the school or department's leadership.

Objectives and references to instruction are provided in the Checklist for Best Practices in Internal Controls. Some departments may have specific activities not listed below that are acceptable alternatives, if that is the case, please note the reason in the checklist.

Best practices:

  • Download the checklist at least quarterly and when new updates are posted in the Weekly Digest. A list of updates to the checklist is at the bottom of this Blink page.
  • Review What To Do guidance in the checklist for each activity to understand requirements.
  • Focus on running monthly reports and summarize items to take action on later (within 60 days).
  • To distribute effort, perform quarterly activities throughout a calendar quarter. It is not advised to concentrate all of the work at once. Also, quarterly activities can be performed more frequently if beneficial.

How to Get Help

How to get help

Checklist Instructions

  1. Determine the control activities to be performed.
    1. Note: See the tab named "Example Activities by FinU" as an example of one method to determine the activities to perform for the department's financial units.
  2. Use the "Applicable?" column to identify whether or not the activities will be performed.
    1. For "No" responses, explain (they should align with "No" items from the Example tab as noted in Step 1).
  3. For Monthly activities, complete activities as required by your Department Administrators within 60 days after the final close of each accounting period.
    1. Ledger close dates are reported on Blink.
    2. Best practice: use KB0035082 to schedule Cognos reports for automatic monthly delivery.
    3. Note: Activities do not need to be done all at once and can be worked on at different times within the 60-day timeframe unless there is a specific requirement by formal policy.
    4. The best practice is to correct errors within 60 days of discovery.
    5. UC policies or campus policies can require certain activities to be done in less than 60 days after the accounting period closes and those items have been noted on the checklist.
  4. For Quarterly activities, completion is done 4 times per fiscal year and can be done within 60 days after the quarter is finally closed.
    1. For example, the quarter ending in March and the final closed on 4/24 can be done by 6/23.
    2. Quarterly activities can be performed more frequently if the Department determines that frequency is appropriate for their operations because Department sizes/needs vary and you may choose to do reviews more often.
    3. Activities do not need to be done all at once and can be worked on at different times within the 60-day timeframe unless there is a specific requirement by formal policy.
    4. The best practice is to correct errors within 60 days of discovery.
  5. Performer completes the checklist and signs off on activities completed.
    1. Note: Corrective action needs to be documented within the checklist, it can be documented elsewhere as required by Department Administrators. Refer to Resources To Review and Objectives & Risks (What To Do) columns for guidance.
  6. Certifiers will review the checklist and supporting documentation (i.e., downloaded reports, notes, testing results) and sign off that work has been performed.
  7. Communicate deficiencies to the Department Administrators for corrective action.
  8. Either the Performer or Certifier will store documentation in a designated and secure location electronically (for example, a shared network drive, Google Drive, or SharePoint site). Warning: Do not save to your personal computer.
    1. Note: The documentation needs to be easily retrievable by department personnel when requested by auditors.

Monthly Financial Reporting Activities

Reports for Monthly Reconciliation (All of the following)

Activity Resources to Review Objectives & Risks (What to do)
Review: Transaction Details Report (TRD) - PPM High Risk Ledger Review

*For VCHS Departments, users have the option to use FINMAN-Detailed Ad-Hoc Data report as an alternative to fulfill this requirement.

*Depending on the volume of results, departments have the option to use sampling methods based on internal risk assessment (cost-benefit analysis) to ensure proper review is completed.

 Review the Blink page for instructions on how to run and use the report: Transaction Details Report.  Review the PPM High-Risk Ledger Review section for instructions on how to review transactions identified by risk type. Best Practice: Download report to Excel to make notes as to whether transactions are okay or require additional follow-up, as well as provide justification for charges that are questionable but acceptable.
1. Identify and correct transactions that have been miscoded as equipment. These impact the fixed asset capitalization process and result in incorrect indirect costs on sponsored projects.
2. Identify and correct transactions that have been inappropriately coded as cost share.  This impacts sponsor billing and the proper recording of indirect costs in the general ledger.
3. Review recharge transactions for applicability to the correct project. These may be reviewed on a summary or sampled basis. Note: For routine recharges such as water cooler rental and mail charges on non-sponsored projects, a less detailed review may be appropriate. (i.e., requesting documentation for all transactions may not be necessary).
4. Review transactions posted to sponsored projects after the award ended, as these have high audit risk and may represent new costs posted after FER submission.
5. Review costs posted to questionable expenditure types on sponsored projects, as these may be disallowed by auditors.
6. Review high dollar purchases to verify receipt of goods or services. Note: Subaward invoices and Concur Travel and Expense invoices are reviewed and approved prior to posting in Oracle; full transactional review is not required. 
Link to video demo here.
Review the article for common questions - FAQ: Control Activities Checklist.
VCHS Departments: Refer to FINMAN report website. Additional Data details that includes General Ledger and Sub Ledger details.
Review: Default Project Payroll Report Refer to Blink page for guidance on how to run the report: Default Project Payroll. What To Do: Identify transactions posted to the department default project that need to be moved to the correct project via Direct Retro or cost transfer in Oracle PPM.  Any transactions that have already been resolved through either PPM cost transfers or Direct Retros/Salary Cost Transfers in UCPath will not appear on the report.
How do I use the different tabs on the report? How does the report work?
Blink page for information on processing Payroll-Related Cost Transfers. Do I need to do a UCPath Salary Cost Transfer or an Oracle Cost Transfer?

Payroll Accounting & Reconciliation (All of the following)

Review: DOPE Report

Alternatives:
Project Management Dashboard: DOPES or Payroll by Earnings Month
Faculty and Researcher Dashboard: Payroll page
RSCore Payroll History report		 Blink resources: DOPE Report. What To Do: Review payroll expenses for a given payroll cycle.

Risks: Specific examples of items to look for include overtime recorded by employees that was not approved and/or not worked, and payments to employees that are not categorized correctly (i.e. regular pay categorized as a fellowship, which has tax consequences once discovered).
UC Policy requires monthly DOPE report review for all funding sources: IA-101: Internal Control Standards: Departmental Payrolls.
Review: Funding Issues Report

*Note: this report is a group of reports that identify specific issues or potential issues related to funding. If not addressed timely, payroll transactions will be recorded to your department default project.		 Refer to Detail Card for guidance on how to run the report tabs and how to make corrections: BAH HR/Payroll. What To Do: Review each report tab and make any necessary corrections per the tab instructions below:
Tab 1: Positions without Funding Report
Step 1: Filter the report by your Department area(s) using the "Department" column (if your department doesn't appear, you may ignore this report).
Step 2: Add funding for these positions in UCPath [*Health Sciences - submit funding changes to SWAT/HHR/ARC with the new Project Number, Expenditure Organization, Expenditure Type, Task Number, Award Number & Funding Source (POETAF)]
Step 3: Process a Direct Retro for any transactions related to these positions that recorded to your FinUnit default chartstring in UCPath in prior periods
Tab 2: Funding & Project End Date Report
Step 1: Filter the report by your Department area(s) using the "Department" column (if your department doesn't appear, you may ignore this report)
Step 2: Filter the "End Dates Category" column by the "End Date Past" category (if your department doesn't appear, go to step 4)
Step 3: Confirm if the end date relates to Position Funding or the Project  [*Health Sciences - submit a ticket to ARC/HHR]
        a. For expired Position Funding requiring position termination, request that your department HR initiator terminate the position in UCPath (employee will continue to get paid until this is complete!)
        b. For expired Position Funding where the end date needs extension, update the position funding in UCPath
        c. For expired Projects, update funding in UCPath
        d. For expired Projects pending an official modification from sponsor to extend award, submit extension to Sponsored Projects Finance; if not approved, update funding in UCPath
        e. For expired Projects getting replaced with a new one (i.e. an NIH Federal Flow Thru), update funding in UCPath
   **TIP: for multi-year Federal Flow Through (FFT) awards, projects are created in advance, so suggest setting up future funding with new projects once they're available
Step 4: Filter the "End Dates Category" column by all other categories (focusing on near term expirations first) and ensure that funding and or project updates have been made beyond the expiration date to prevent future defaults
Step 5: Process a Direct Retro for any expired entries that recorded to your FinUnit default chartstring in UCPath in prior periods
Step 6: Process an Oracle PPM Cost Transfer for entries that are correctly recorded in UCPath, but went to your default project in Oracle PPM

Tab 3: No Task or Funding Source
Step 1: Filter the report by your Department area(s) using the "Department" column (if your department doesn''t appear, you may ignore this report)
Step 2: Update funding where task and or funding source is missing. [*Health Sciences - submit funding changes to SWAT/HHR/ARC with new POETAF info]
Step 3: Process a Direct Retro for invalid entries that were recorded to your FinUnit default chartstring in UCPath in prior periods
Review: UCPath-Oracle Salary Reconciliation Report

*For sponsored projects, this report is required for award closeout.		 Blink resources: UCPath-Oracle Salary Reconciliation. What To Do: The report has three levels: a main report and two levels of drill-throughs. The third report level is where you will identify the reason for any differences between UCPath and Oracle and determine the corrective action to take.

Recommend reviewing Default Project Payroll report before completing this activity because it will identify most issues that need to corrected.

What do I do when I identify the reason for the variance?
Visit the UCPath Media Library for job aids.

Procure to Pay and Concur (All of the following)

Activity
Review: Procure to Pay Panorama - Procure to Pay Action Items - Only the Invoice Holds & Invoices Pending Approval areas. Review the Blink page for instruction on how to run the report: Procure to Pay Action Items. What To Do: Clear AP invoice holds and complete pending approvals. For items reviewed previously, reasonably determine if follow-up is needed in order to clear them from the list.

Risks: Unresolved invoice holds and delays in completing approvals causes late payments to vendors and potential violations of contracts.
Review article: How to Resolve an Accounts Payable Invoice Hold.
Review article: How to Approve Invoices in Oracle Procurement.
Review: Outstanding Card Charges Report Review the Blink page for instruction on how to run the report and guidance: Outstanding Card Charges Report. What To Do: Cardholder needs to reconcile expenses to clear them from the report. For items reviewed previously, reasonably determine if follow-up is needed in order to clear them from the list.

Risks: Card transaction expenses post to financial ledgers only once expense reports have been submitted and approved.  Outstanding card charges have not yet been recorded in the financial ledgers and may cause balances to be overstated. Also, a traveler won't get reimbursed for any out-of-pocket expenses until all associated charges on an expense report and it's final approved.  Cardholders may violate the Cardholder Agreement.
For instructions on how to reconcile, review Blink: Helpful information to faciliate reconciliation.

 

Activity
Review: Unprocessed Transactions With Errors Report

*Primarily for groups that are posting transactions into PPM.		 Visit  Collab: MCI+Import+File+Best+Practices+and+Error+Handling for resolution guidance. What To Do: Review unprocessed costs in PPM as well as cost transfers (Adjustments) that fell into exception status.
For Cost Transfers (Adjustments) visit Blink: Oracle PPM Cost Transfers.

 

Activity
Review: Recharge Billing Summary Report

*Pending confirmation to add (not required to be done)		 Blink resource: Recharge Billing Summary. What To Do: When searching by Document or Document Entry, the total recharge income (most commonly 775000) and expense (most commonly 770000) transactions should net to zero.  Non-zero amounts should be investigated.

Projects ending in the next 90 days are highlighted in red.

 

Activity
Review: Cost Share Reconciliation Dashboard > Misposted Transactions

*Once items are resolved, this report would not need to be run again.		 See Blink for guidance: Cost Share Reconciliation Dashboard. What To Do: For projects created prior to 8/1/2022, identify transactions posted to a cost share task and external funding source or non-cost share task and internal funding source to be resolved.

Blink guidance: Misposted Transactions.

Timeline of Checklist Changes

Date Description of Changes
1/28/2025 Budget & Finance Weekly Digest

Equipment Management Activities and the Graduate Student Funding Report were moved to the Quarterly activities. Additionally, the activities for Recharge Units and Cost Share Reconciliation were moved to the Monthly Financial Reporting activities to eliminate the third Monthly tab in the checklist. Finally, the Instructions have been updated to explain that Quarterly activities can be performed more frequently if the Department determines that frequency is appropriate for their operations because department sizes/needs vary and they may choose to do reviews more often.
1/22/2025 Budget & Finance Weekly Digest

The UCPath-Oracle Salary Reconciliation Report was moved from the Monthly As Needed activities to the Monthly Financial Reporting activities. This report identifies variances that need to be corrected on a monthly basis. As a reminder, The Default Project Payroll report is the best choice for reviewing corrections that need to be made to payroll posted to default project.
12/17/2024 Budget & Finance Weekly Digest As a result of the Department Exceptions Panorama Clean Up announced in last week’s digest, the internal controls checklist has been updated to reflect these changes.
9/17/2024 Budget & Finance Weekly Digest The checklist has been updated recently due to the Procure to Pay Panorama refresh announced in last week’s digest edition.  Also, the Budget & Finance User Group has endorsed the addition of the Award Project Task Personnel Report as a quarterly review activity for sponsored projects.
8/20/2024 Budget & Finance Weekly Digest The internal controls checklist has been updated to reflect the release of the new Consolidated Exceptions Report.
6/18/2024 Budget & Finance Weekly Digest Reminder: The internal controls checklist has been updated to reflect the feedback received from users.
6/11/2024 Budget & Finance Weekly Digest The internal controls checklist has been updated to reflect the feedback received from users.
4/16/2024 Budget & Finance Weekly Digest The internal controls checklist has been recently updated. Please refer to KB0033904 FAQ: Internal Controls Checklist for answers to Frequently Asked Questions.
3/5/2024 Budget & Finance Weekly Digest

The Internal Controls Policy (PPM 300-15) has been fully approved and published in the Policy & Procedure Manual. The policy formally establishes responsibilities and procedures regarding internal controls for departments and is effective as of February 29, 2024.

Efforts to draft the policy originally started in the calendar year 2019. They continued with the publication of the Best Practices in Internal Controls on Blink in calendar year 2022 and into calendar year 2023. Along the way, there were several ways the document was reviewed and vetted, and updates were shared through the Weekly Digest. Also, the review and approval process involved many levels of campus leadership including the areas of Audit & Management Advisory Services (AMAS), legal, Budget & Finance User Group (BFG), Finance Governance, Controllers, CFOs, and the Chancellor’s Office.

Thank you to everyone who made contributions or supported the input process, provided feedback, asked questions, reviewed, and approved the policy.

Additionally, the internal controls checklist has been updated, and you can obtain a copy of the current checklist on Blink.
4/18/2023 Budget & Finance Weekly Digest

Recently, it was discovered that the checklist for internal controls had broken links to Blink resources.  The issue has been resolved, so please be sure to download the latest version of the checklist from Blink
2/28/2023 Budget & Finance Weekly Digest

Over the past few months, the checklist for internal controls has been evolving as new reporting is made available to our University community.  Please be sure to download the latest version of the checklist from Blink.
6/21/2022 Budget & Finance Weekly Digest

Internal Controls & Accounting is working to improve the internal controls guidance to our University community on Blink: Best Practices in Internal Controls.

The internal controls guidance includes a checklist with periodic control activities to be performed and certified by departments across the University. The checklist allows departments to document the control activities that have been completed by performers and certifiers, and it includes links to articles and Blink pages that provide instructions on how to run reports and what to look for during the review process.

The Budget & Finance User Group (BFG) has endorsed a soft launch of the checklist during the next fiscal year for testing and process improvement. In addition, a workgroup is being formed by Internal Controls & Accounting to vet the requirements and guidance for quality assurance, and ensure departments are performing the control activities appropriately.

An internal controls policy will be issued in the campus Policy and Procedure Manual to make performance and certification of control activities a requirement for departments. A draft of the internal control policy can be found here. Currently, the target date for policy publication is set for July 1, 2023.
5/10/2022 Budget & Finance Weekly Digest

Along with the release of the new Transaction Details report in the Business Analytics Hub, Internal Controls & Accounting is publishing new internal controls guidance to our University community on Blink: Best Practices in Internal Controls.

The internal controls guidance includes a checklist with periodic control activities to be performed and certified by departments across the University. The checklist allows departments to document the control activities that have been completed by performers and certifiers, and it includes links to articles and Blink pages that provide instructions on how to run reports and what to look for during the review process.
Find answers, request services, or get help from our team at the UC San Diego Services & Support portal.