Skip to main content

System Status: 

  1. Home
  2. Finance
  3. Accountability & Control
  4. Internal Controls
  5. SAS 115 Overview
  6. Best Practices in Internal Controls

Best Practices in Internal Controls

Last Updated: October 14, 2024 9:31:57 AM PDT
Give feedback

Learn about documenting your department's key control activities to mitigate financial errors.

Internal controls policy

The Regents of the University of California have adopted the principles of internal controls published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.

UC San Diego is committed to upholding the principles of internal controls published through COSO’s Internal Control – Integrated Framework.

In coordination with the University of California, Office of the President, UC San Diego develops campus-wide policies and procedures to ensure a system of internal control is maintained per policies established by the Board of Regents of the University of California and the University of California, Office of the President.

Click the link to view the Internal Controls Policy.

Checklist

A checklist has been developed to assist departments with documenting who performed and certified the control activities.  Some control activities are required by University policy.  Other control activities can be optional as determined by the school or department's leadership.

Objectives and references to instruction are provided in the Checklist for Best Practices in Internal Controls. Some departments may have specific activities not listed below that are acceptable alternatives, if that is the case, please note the reason in the checklist.

Best practice: download new copy at least quarterly and when new updates are posted in the Weekly Digest.

How to get help

Why perform control activities

An internal control is an action your department takes to prevent and detect errors, omissions, or potentially fraudulent transactions in its financial statements. Your department should already have key financial review and follow-up activities in place. Ongoing monitoring activities and other planned actions to address risks result in an effective internal control system. This ensures sound business practices, which minimizes our risk of inaccurate financial information and maintains public trust.

To fulfill documentation requirements, departments should review those activities and identify key controls.

Be able to answer these questions:

  • What controls exist?
  • Are those controls working?
  • Are those control activities documented, properly performed, and reviewed?

Why documenting control activities is critical

  • All units are required to document their performance and certification of control activities.
  • A checklist has been developed to assist departments with documenting who performed and certified the control activities.  See the control activities section below for more information.
  • It provides documented evidence that internal control activities are performed regularly as prescribed by SAS 115.
  • To demonstrate that review and follow-up activities were performed.
  • Retention of documentation is necessary for audit purposes.
  • Documentation should be saved electronically, in a location determined by the department’s leadership, and accessible to authorized personnel.
  • If electronic sign-off is used, performers and certifiers should consider using electronic signature tools, like DocuSign, to document timeliness or review.

Responsibilities

  • Performer is an individual within the department responsible for creating and storing the underlying documentation of the internal controls review. A performer should not review or certify their work.
  • Certifier is an individual (i.e., department head, Department Business Officer, or Management Services Officer) within the department other than the performer. A certifier will verify that the control activities have been performed appropriately and within the prescribed accounting period.
  • Department Head establishes and delegates responsibilities to Department Administrators (i.e., the Performer and Certifier roles) within the department. Department heads are ultimately responsible for ensuring control activities have been completed. Contact Internal Controls & Accounting via Services and Support if you have questions about the delegation.
  • Department Administrators are responsible for ensuring that internal controls are established, properly documented, and maintained for activities within their jurisdiction and areas of responsibility.
  • Vice Chancellor offices should have jurisdiction over their departments and may have additional requirements for department administrators to follow.
  • Internal Controls & Accounting provides guidance and best practices for control activities (i.e., policies and procedures).
  • Audit and Management Advisory Services will have access to the documentation of control activities completed by departments, upon request.

Resolving internal control deficiencies

Department administrators and managers are responsible for prompt and effective corrective action on internal control findings and for implementing remediation or action plans as internal and external auditors recommend.

Release Notes & Communications

Date Release Notes & Communications
9/17/2024 Budget & Finance Weekly Digest The checklist has been updated recently due to the Procure to Pay Panorama refresh announced in last week’s digest edition.  Also, the Budget & Finance User Group has endorsed the addition of the Award Project Task Personnel Report as a quarterly review activity for sponsored projects.
8/20/2024 Budget & Finance Weekly Digest The internal controls checklist has been updated to reflect the release of the new Consolidated Exceptions Report.
6/18/2024 Budget & Finance Weekly Digest Reminder: The internal controls checklist has been updated to reflect the feedback received from users.
6/11/2024 Budget & Finance Weekly Digest The internal controls checklist has been updated to reflect the feedback received from users.
4/16/2024 Budget & Finance Weekly Digest The internal controls checklist has been recently updated. Please refer to KB0033904 FAQ: Internal Controls Checklist for answers to Frequently Asked Questions.
3/5/2024 Budget & Finance Weekly Digest

The Internal Controls Policy (PPM 300-15) has been fully approved and published in the Policy & Procedure Manual. The policy formally establishes responsibilities and procedures regarding internal controls for departments and is effective as of February 29, 2024.

Efforts to draft the policy originally started in the calendar year 2019. They continued with the publication of the Best Practices in Internal Controls on Blink in calendar year 2022 and into calendar year 2023. Along the way, there were several ways the document was reviewed and vetted, and updates were shared through the Weekly Digest. Also, the review and approval process involved many levels of campus leadership including the areas of Audit & Management Advisory Services (AMAS), legal, Budget & Finance User Group (BFG), Finance Governance, Controllers, CFOs, and the Chancellor’s Office.

Thank you to everyone who made contributions or supported the input process, provided feedback, asked questions, reviewed, and approved the policy.

Additionally, the internal controls checklist has been updated, and you can obtain a copy of the current checklist on Blink.
4/18/2023 Budget & Finance Weekly Digest

Recently, it was discovered that the checklist for internal controls had broken links to Blink resources.  The issue has been resolved, so please be sure to download the latest version of the checklist from Blink
2/28/2023 Budget & Finance Weekly Digest

Over the past few months, the checklist for internal controls has been evolving as new reporting is made available to our University community.  Please be sure to download the latest version of the checklist from Blink.
6/21/2022 Budget & Finance Weekly Digest

Internal Controls & Accounting is working to improve the internal controls guidance to our University community on Blink: Best Practices in Internal Controls.

The internal controls guidance includes a checklist with periodic control activities to be performed and certified by departments across the University. The checklist allows departments to document the control activities that have been completed by performers and certifiers, and it includes links to articles and Blink pages that provide instructions on how to run reports and what to look for during the review process.

The Budget & Finance User Group (BFG) has endorsed a soft launch of the checklist during the next fiscal year for testing and process improvement. In addition, a workgroup is being formed by Internal Controls & Accounting to vet the requirements and guidance for quality assurance, and ensure departments are performing the control activities appropriately.

An internal controls policy will be issued in the campus Policy and Procedure Manual to make performance and certification of control activities a requirement for departments. A draft of the internal control policy can be found here. Currently, the target date for policy publication is set for July 1, 2023.
5/10/2022 Budget & Finance Weekly Digest

Along with the release of the new Transaction Details report in the Business Analytics Hub, Internal Controls & Accounting is publishing new internal controls guidance to our University community on Blink: Best Practices in Internal Controls.

The internal controls guidance includes a checklist with periodic control activities to be performed and certified by departments across the University. The checklist allows departments to document the control activities that have been completed by performers and certifiers, and it includes links to articles and Blink pages that provide instructions on how to run reports and what to look for during the review process.
Find answers, request services, or get help from our team at the UC San Diego Services & Support portal.