Best Practices in Internal Controls

Learn about documenting your department's key control activities to mitigate financial errors.

Click to view the Checklist for Best Practices in Internal Controls.

Why perform control activities

An internal control is an action your department takes to prevent and detect errors, omissions, or potential fraudulent transactions in its financial statements. Your department should already have key financial review and follow-up activities in place. Ongoing monitoring activities and other planned actions to address risks result in an effective internal control system. This ensures sound business practices, which minimizes our risk of inaccurate financial information and maintains the public trust.

To fulfill documentation requirements, departments should review those activities and identify key controls. The first steps are to determine:

• What controls exist?
• Are those controls working?
• Are those control activities documented and properly performed and reviewed?

Internal control principles

The Regents of the University of California has adopted the principles of internal controls published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.

UC San Diego is committed to the adoption of the principles of internal controls published through COSO’s Internal Control – Integrated Framework.

In coordination with the University of California, Office of the President, UC San Diego develops campus-wide policies and procedures to ensure a system of internal control is maintained in accordance with policies established by the Board of Regents of the University of California and the University of California, Office of the President.

Internal control principles include:

1. Authorization and approval – a delegated individual with approval authority ensures a transaction is consistent with applicable policy, and is allowable, accurate, and reasonable before approving.
2. Review and reconciliation – departmental accounting records, transactions and documentation are compared with University financial system reports to verify their reasonableness, accuracy, and completeness.
3. Separation of duties – financial responsibilities are divided between different people so that a single person does not perform or has complete control over every aspect of a function or activity (common activities include authorizing, approving, certifying, disbursing, receiving, or reconciling).
4. Security and custody – university assets, including equipment, inventories, property, cash and cash equivalents, information systems, are safeguarded and protected from unauthorized access, risk of loss or misappropriation.

Why documenting control activities is critical

• All units are required to document their performance and certification of control activities.
• A checklist has been developed to assist departments with documenting who performed and certified the control activities.  See the control activities section below for more information.
• It provides documented evidence that internal control activities are being performed on a regular basis as prescribed by SAS 115.
• To demonstrate that review and follow-up activities were actually performed.
• Retention of documentation is necessary for audit purposes.
• Documentation should be saved electronically, in a location determined by department’s leadership, and accessible to authorized personnel.
• If electronic sign-off is used, performers and certifiers should consider using electronic signature tools, like DocuSign, to document timeliness or review.
• Implementation begins when the internal controls policy is published in PPM.

Responsibilities

• Performer is an individual within the department that is responsible for creating and storing the underlying documentation of the internal controls review. A performer should not review or certify their own work.
• Certifier is an individual (i.e., department head, Department Business Officer, or Management Services Officer) within the department other than the performer. A certifier will verify that the control activities have been performed appropriately and within the prescribed accounting period.
• Department Head establishes and delegates responsibilities to Department Administrators (i.e., performers and certifiers) within the department. Department heads are ultimately responsible for ensuring control activities have been completed. Contact Internal Controls & Accounting via Services and Support if you have questions about delegation.
• Internal Controls & Accounting is responsible for providing guidance and best practices for control activities (i.e., policies and procedures).
• Audit and Management Advisory Services will have access to the documentation of control activities completed by departments, upon request.

Control Activities

A checklist has been developed to assist departments with documenting who performed and certified the control activities.  Some control activities are required by University policy while other activities can be optional as determined by the Department's leadership.

Objectives and references to instruction are provided in the Checklist for Best Practices in Internal Controls. Some departments may have specific activities not listed below that are acceptable alternatives, if that is the case, please note the reason in the checklist.

Monthly Control Activities - Financial Reporting

In accordance with UC Policy BUS-10 Principles of Accountability with Respect to Financial Transactions, Department Heads and delegated Department Administrators must establish monitoring procedures to provide assurance that financial transactions are accurately recorded and comply with applicable regulations, policies, departmental budget plans, etc.

Transaction Verification - High Risk Ledger Review

• The High Risk Ledger Review provides a mechanism for departments to select transactions for periodic review.
• This is an acceptable alternative to reviewing 100% of transactions.
• Select the appropriate filters (accounting periods, financial unit, person roles, etc.) and check the High Risk Ledger Review box to acquire transactions needing review.

GL-PPM Reconciliation

• The GL-PPM Reconciliation report displays differences between amounts in General Ledger and amounts in PPM.
• A drillthrough report identifies the specific transactions that are causing the differences.
• Reconciliation of GL to PPM on sponsored projects is a required key control.

Overdraft Funds Review

• Overdraft conditions are monitored and documented for resolution in accordance with PPM 300-2 Financial Deficit Policy.
• Monitors monthly deficit fund/activity balances and makes sure resolution is achieved as anticipated.

Payroll Reconciliation

• Identify and correct discrepancies between the UCPath Labor Ledger (DOPE) and the Oracle GL and Oracle GL/PPM.
• These mismatches are caused by Oracle and/or UCPath chartstrings being incorrect, by fund entry errors in UCPath, or incorrect project end dates in UCPath or GL/PPM.

Department Exceptions Review

• The Department Exceptions Review is designed to highlight the transaction discrepancies and errors in the Oracle financial system.

Financial Management Reports

• Review of budget and expenditure reports with actual revenues and expenses monitored to ensure the accuracy and reliability of budget and financial information.

 Financial Management of Projects

• Review of project financial reporting to provide assurance that financial transactions are accurately recorded.

Contracts, Receivables & Cash Operations

• Review unpaid customer invoices.
• Identify errors that occur when a "Generate Invoices" job does not successfully generate an invoice for a specific contract or project.
• Identify non-sponsored contracts that are missing a project, task, or both.
• Identify non-sponsored contracts that are missing a revenue account, fund, or both.
• Identify errors that occur when a "Generate Revenue" job does not successfully generate revenue for a specific contract or project.

Procure to Pay and Concur

• Review requisitions, purchase orders, and vendor invoices that need action.
• Purchase Orders that are not closed still have a commitment amount pending to be invoiced.
• Review aging of non-paid vendor invoices.
• Review vendors invoices currently on hold.
• Review credit card charges that require action from the cardholder/traveler or a department approver.

Monthly Control Activities - UC Policy-Related Activities

Custodial Equipment Management

• Equipment has been accounted for, tagged, and properly reported, in accordance with UC Policy BUS-29 Management and Control of University Equipment.
• Monthly review of property locator report indicating that all newly purchased equipment has been accounted for and properly tagged with a UCID inventory number.
• Certification of the location and identification of equipment forwarded to Equipment Management.

Individual Security Access

• Appropriate personnel has been assigned the proper system access, in accordance with UC Policy IS-3 Policy for Electronic Information Security.

Receivables & Cash Operations

• Review and reconciliation of department credit card clearing accounts and depository clearing accounts to ledger accounting entries.
• Periodic follow-up of variances to resolve.
• Process correcting entries within 30 days of occurrence, in accordance with UC Policy BUS-49 Policy for Cash and Cash Equivalents Received.

Control Activities - As Needed By Departments

Recharge Operations

• Review account 773046 balances that should net to zero.
• Review unprocessed costs in PPM as well as cost transfers that fell into exception status.

Graduate Student Funding

• Verify funding sources for payroll, tuition, fees, and stipends across multiple terms/years by graduate student, department, financial unit, and project.
• Discern how a student is funded over their tenure as a graduate student.

Other Reporting

• Identify projects or tasks with wrong owning organization.
• Track transactions that were incorrectly posted to UCPath specific funds.

Quarterly Control Activities

Verification of Petty Cash or Change Funds

Quarterly review of cash balances. An unannounced cash count and verification of change and petty cash funds is performed by someone other than the fund custodian. Verification of cash balances is performed in the presence of the petty cash/change funds custodian and documented.

Monitoring and Tracking Key Personnel

Review and monitoring of key personnel to ensure award personnel are properly managed on the award per Uniform Guidance (2 CFR 200.308 section c).

Annual Control Activities

Physical Inventory of Equipment

At least every two years, every department must take a physical inventory of all University Inventorial Equipment, Government Inventorial Equipment, Other Government Property, and Other Inventorial Items, in accordance with UC Policy BUS-29, Section J.

Petty Cash & Change Funds Certification

Campus cash fund custodians (i.e., custodians of change funds and petty cash funds) will be required to certify on June 30th of each fiscal year that they possess the funds and are using the funds in compliance with the prevailing campus policy and procedures, in accordance with PPM 300-11 Certification of Possession of University Funds.

Resolving internal control deficiencies

Department administrators and managers are responsible for prompt and effective corrective action on internal control findings and for implementing remediation or action plans as recommended by internal and external auditors.

Resources

• Draft Policy and Interim Guidelines -  Internal Controls in Policy and Procedure Manual (PPM)
• FAQ on Control Activities Checklist
• Office Hours Support
  • Internal Controls Office Hours