Skip to main content

System Status: 

Best Practices in Internal Controls

Learn about documenting your department's key control activities to mitigate financial errors.

Click to view the Checklist for Best Practices in Internal Controls. A fillable checklist is currently being developed and will be posted shortly.


Why perform control activities

An internal control is an action your department takes to prevent and detect errors, omissions, or potential fraudulent transactions in its financial statements. Your department should already have key financial review and follow-up activities in place. Ongoing monitoring activities and other planned actions to address risks result in an effective internal control system. This ensures sound business practices, which minimizes our risk of inaccurate financial information and maintains the public trust.

To fulfill documentation requirements, departments should review those activities and identify key controls. The first steps are to determine:

  • What controls exist?
  • Are those controls working?
  • Are those control activities documented and properly performed and reviewed?

Internal control principles

The Regents of the University of California has adopted the principles of internal controls published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.

UC San Diego is committed to the adoption of the principles of internal controls published through COSO’s Internal Control – Integrated Framework.

In coordination with the University of California, Office of the President, UC San Diego develops campus-wide policies and procedures to ensure a system of internal control is maintained in accordance with policies established by the Board of Regents of the University of California and the University of California, Office of the President.

Internal control principles include:

  1. Authorization and approvala delegated individual with approval authority ensures a transaction is consistent with applicable policy, and is allowable, accurate, and reasonable before approving.
  2. Review and reconciliationdepartmental accounting records, transactions and documentation are compared with University financial system reports to verify their reasonableness, accuracy, and completeness.
  3. Separation of dutiesfinancial responsibilities are divided between different people so that a single person does not perform or has complete control over every aspect of a function or activity (common activities include authorizing, approving, certifying, disbursing, receiving, or reconciling).
  4. Security and custodyuniversity assets, including equipment, inventories, property, cash and cash equivalents, information systems, are safeguarded and protected from unauthorized access, risk of loss or misappropriation.

Why documenting control activities is critical

  • All units are required to document their performance and certification of control activities.
  • A checklist has been developed to assist departments with documenting who performed and certified the control activities.  See control activities section below for the required control activities.
  • It provides documented evidence that internal control activities are being performed on a regular basis as prescribed by SAS 115.
  • To demonstrate that review and follow-up activities were actually performed.
  • Retention of documentation is necessary for audit purposes.
  • Documentation should be saved electronically, in a location determined by department’s leadership, and accessible to authorized personnel.
  • If electronic sign-off is used, performers and certifiers should consider using electronic signature tools, like DocuSign, to document timeliness or review.
  • Implementation begins when the internal controls policy is published in PPM.

Responsibilities

  • Performer is an individual within the department that is responsible for creating and storing the underlying documentation of the internal controls review. A performer should not review or certify their own work.
  • Certifier is an individual (i.e., department head, Department Business Officer, or Management Services Officer) within the department other than the performer. A certifier will verify that the control activities have been performed appropriately and within the prescribed accounting period.
  • Department Head establishes and delegates responsibilities to performers and certifiers within the department. Department heads are ultimately responsible for ensuring control activities have been completed. Contact Internal Controls & Accounting via Services and Support if you have questions about delegation.
  • Internal Controls & Accounting is responsible for providing guidance and best practices for control activities (i.e., policies and procedures).
  • Audit and Management Advisory Services will have access to the documentation of control activities performed and certified by departments, upon request.

Control Activities

The following activities must be performed and certified, unless not applicable to the department’s operations.  Objectives and references to instruction are provided in the Checklist for Best Practices in Internal Controls.

Monthly Control Activities

Transaction Verification

The High Risk Ledger Review provides a mechanism for departments to select transactions for periodic review.  This is an acceptable alternative to reviewing 100% of transactions. Select the appropriate filters (accounting periods, financial unit, person roles, etc.) and check the High Risk Ledger Review box to acquire transactions needing review.

  • Transaction Details Dashboard (High Risk Ledger Review)

Financial Accountability Reports

The Exceptions Panorama is designed to highlight the transaction discrepancies and errors in the Oracle financial system.

  • Department Exceptions Panorama
  • GL-PPM Reconciliation
Fiscal Operations Review (One or More of the Following)

Review of budget and expenditure reports with actual revenues and expenses monitored to ensure accuracy and reliability of budget and financial information.

  • UCSD Budget vs Actual Report
  • Net Operating Results and Fund Balance Report
  • Fund Summary
  • Total Budget Summary Report in Oracle Planning and Budgeting (EPBCS)
  • Alternative Ad-hoc Reporting Used

Monitoring and Tracking Key Personnel

Review and monitoring of key personnel to ensure award personnel are properly managed on the award.

  • Award Project Task Personnel Report

Overdraft Funds Review (One or More of the Following)

Overdraft conditions are monitored and documented for resolution in accordance with PPM 300-2 Financial Deficit Policy. Monitors monthly deficit fund/activity balances and makes sure resolution is achieved as anticipated.

  • Financial Deficit Report - Operating Funds
  • Financial Deficit Report - Sponsored Projects

Payroll Reconciliation

Identify and correct discrepancies between the UCPath Labor Ledger (DOPE) and the Oracle GL and Oracle GL/PPM.  These mismatches are caused by Oracle and/or UCPath chartstrings being incorrect, by fund entry errors in UCPath, or incorrect project end dates in UCPath or GL/PPM.

  • Resolve Discrepancies between Labor Ledger (DOPE) and OFC GL/PPM and No Project (0000000) Transactions
  • Default Project Payroll

Critical UCPath Reports

Monitor HR and Payroll reports for errors and pay-impacting issues.

  • Monitor UCPath Reporting
  • Funding Issues Report

Credit Card Activity (Not Procurement Card)

Review and reconciliation of department credit card clearing accounts and depository clearing accounts to ledger accounting entries. Periodic follow-up of variances to resolve. Process correcting entries within 30 days of occurrence as prescribed in policy (BUS-49).

  • Credit Card Payment Processing

Custodial Equipment Management

Equipment has been accounted for, tagged, and properly reported. Monthly review of property locator report indicating that all newly purchased equipment has been accounted for and properly tagged with a UCID inventory number. Certification of the location and identification of equipment forwarded to Equipment Management.

  • Obtain Property ID Tags
  • Report Fabrications Completed
  • Report Equipment Disposals
  • Report Equipment Transfers

Individual Security Access

Appropriate personnel have been assigned the proper system access.

  • Campus User Roles Report
  • Review of Separated and Transferred lists in the AccessLinkTNG Department Summary Screen by DSAs

Quarterly Control Activities

Verification of Petty Cash or Change Funds

Quarterly review of cash balances. An unannounced cash count and verification of change and petty cash funds is performed by someone other than the fund custodian. Verification of cash balances is performed in the presence of the petty cash/change funds custodian and documented.

  • Perform Verification Count

Semi-Annual Control Activities

Effort Reporting

All employee salaries charged directly to federal and federal flow-through funds must be certified according to OMB Uniform Guidance for federal awards. Effort reporting is the method of certifying to granting agencies that the required effort has actually been completed. Effort reports are certified by an official with firsthand knowledge of the work performed using ECERT.

  • Electronic Certification of Effort and Reporting Tool (ECERT)

Annual Control Activities

Physical Inventory of Equipment

At least every two years, every department must take a physical inventory of all University Inventorial Equipment, Government Inventorial Equipment, Other Government Property, and Other Inventorial Items, in accordance with UC Policy BUS-29, Section J.

  • Review Equipment Inventory Report

Physical Inventory of Equipment

Campus cash fund custodians (i.e., custodians of change funds and petty cash funds) will be required to certify on June 30th of each fiscal year that they possess the funds and are using the funds in compliance with the prevailing campus policy and procedures.

  • Petty Cash/Change Funds Custodial Certification

Resolving internal control deficiencies

Department administrators and managers are responsible for prompt and effective corrective action on internal control findings and for implementing remediation or action plans as recommended by internal and external auditors.

Resources

Find answers, request services, or get help from our team at the UC San Diego Services & Support portal.