Best Practices in Internal Controls

Learn about documenting your department's key control activities to mitigate financial errors.

Click to view the Checklist for Best Practices in Internal Controls. (Best practice: download new copy at least quarterly or whenever new updates are posted in the Weekly Digest)

Click to view the Internal Controls Policy.

For questions on the policy or the checklist, please submit a ticket via Services & Support [About: Financial Accounting, Related to: Internal Controls, More Specifically: Internal Controls Support].

Why perform control activities

An internal control is an action your department takes to prevent and detect errors, omissions, or potential fraudulent transactions in its financial statements. Your department should already have key financial review and follow-up activities in place. Ongoing monitoring activities and other planned actions to address risks result in an effective internal control system. This ensures sound business practices, which minimizes our risk of inaccurate financial information and maintains the public trust.

To fulfill documentation requirements, departments should review those activities and identify key controls. The first steps are to determine:

  • What controls exist?
  • Are those controls working?
  • Are those control activities documented and properly performed and reviewed?

Internal control principles

The Regents of the University of California has adopted the principles of internal controls published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.

UC San Diego is committed to the adoption of the principles of internal controls published through COSO’s Internal Control – Integrated Framework.

In coordination with the University of California, Office of the President, UC San Diego develops campus-wide policies and procedures to ensure a system of internal control is maintained in accordance with policies established by the Board of Regents of the University of California and the University of California, Office of the President.

Internal control principles include:

  1. Authorization and approval: a delegated individual with approval authority ensures a transaction is consistent with applicable policy, and is allowable, accurate, and reasonable before approving.
  2. Review and reconciliation: departmental accounting records, transactions and documentation are compared with University financial system reports to verify their reasonableness, accuracy, and completeness.
  3. Separation of duties: financial responsibilities are divided between different people so that a single person does not perform or have complete control over every aspect of a function or activity (common activities include authorizing, approving, certifying, disbursing, receiving, or reconciling).
  4. Security and custody: university assets, including equipment, inventories, property, cash and cash equivalents, and information systems, are safeguarded and protected from unauthorized access, risk of loss or misappropriation.

Why documenting control activities is critical

  • All units are required to document their performance and certification of control activities.
  • A checklist has been developed to assist departments with documenting who performed and certified the control activities.  See the control activities section below for more information.
  • Documentation provides evidence that internal control activities are being performed on a regular basis as prescribed by SAS 115.
  • Documentation demonstrates that review and follow-up activities were actually performed.
  • Retention of documentation is necessary for audit purposes.
  • Documentation should be saved electronically, in a location determined by the department’s leadership, and accessible to authorized personnel.
  • If electronic sign-off is used, performers and certifiers should consider using electronic signature tools, like DocuSign, to document timeliness or review.


  • Performer is an individual within the department who is responsible for creating and storing the underlying documentation of the internal controls review. A performer should not review or certify their own work.
  • Certifier is an individual (i.e., department head, Department Business Officer, or Management Services Officer) within the department other than the performer. A certifier will verify that the control activities have been performed appropriately and within the prescribed accounting period.
  • Department Head establishes and delegates responsibilities to Department Administrators (i.e., the Performer and Certifier roles) within the department. Department heads are ultimately responsible for ensuring control activities have been completed. Contact Internal Controls & Accounting via Services and Support if you have questions about the delegation.
  • Department Administrators are responsible for ensuring that internal controls are established, properly documented, and maintained for activities within their jurisdiction and areas of responsibility.
  • Vice Chancellor offices should have jurisdiction over the departments within them and they may have additional requirements for department administrators to follow.
  • Internal Controls & Accounting is responsible for providing guidance and best practices for control activities (i.e., policies and procedures).
  • Audit and Management Advisory Services will have access to the documentation of control activities completed by departments, upon request.

Control Activities

A checklist has been developed to assist departments with documenting who performed and certified the control activities.  Some control activities are required by University policy while other activities can be optional as determined by the school or department's leadership.

Objectives and references to instruction are provided in the Checklist for Best Practices in Internal Controls. Some departments may have specific activities not listed below that are acceptable alternatives; if that is the case, please note the reason in the checklist.

Note: checklist content, links, and references are reviewed at least quarterly to ensure information is current.

Resolving internal control deficiencies

Department administrators and managers are responsible for prompt and effective corrective action on internal control findings and for implementing remediation or action plans as recommended by internal and external auditors.

