Skip to main content

System Status: 

Best Practices in Internal Controls

Learn about documenting your department's key control activities to mitigate financial errors.

Click to view the Checklist for Best Practices in Internal Controls. A fillable checklist is currently being developed and will be posted shortly.

Why perform control activities

An internal control is an action your department takes to prevent and detect errors, omissions, or potential fraudulent transactions in its financial statements. Your department should already have key financial review and follow-up activities in place. Ongoing monitoring activities and other planned actions to address risks result in an effective internal control system. This ensures sound business practices, which minimizes our risk of inaccurate financial information and maintains the public trust.

To fulfill documentation requirements, departments should review those activities and identify key controls. The first steps are to determine:

  • What controls exist?
  • Are those controls working?
  • Are those control activities documented and properly performed and reviewed?

Internal control principles

The Regents of the University of California has adopted the principles of internal controls published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.

UC San Diego is committed to the adoption of the principles of internal controls published through COSO’s Internal Control – Integrated Framework.

In coordination with the University of California, Office of the President, UC San Diego develops campus-wide policies and procedures to ensure a system of internal control is maintained in accordance with policies established by the Board of Regents of the University of California and the University of California, Office of the President.

Internal control principles include:

  1. Authorization and approvala delegated individual with approval authority ensures a transaction is consistent with applicable policy, and is allowable, accurate, and reasonable before approving.
  2. Review and reconciliationdepartmental accounting records, transactions and documentation are compared with University financial system reports to verify their reasonableness, accuracy, and completeness.
  3. Separation of dutiesfinancial responsibilities are divided between different people so that a single person does not perform or has complete control over every aspect of a function or activity (common activities include authorizing, approving, certifying, disbursing, receiving, or reconciling).
  4. Security and custodyuniversity assets, including equipment, inventories, property, cash and cash equivalents, information systems, are safeguarded and protected from unauthorized access, risk of loss or misappropriation.

Why documenting control activities is critical

  • All units are required to document their performance and certification of control activities.
  • A checklist has been developed to assist departments with documenting who performed and certified the control activities.  See control activities section below for the required control activities.
  • It provides documented evidence that internal control activities are being performed on a regular basis as prescribed by SAS 115.
  • To demonstrate that review and follow-up activities were actually performed.
  • Retention of documentation is necessary for audit purposes.
  • Documentation should be saved electronically, in a location determined by department’s leadership, and accessible to authorized personnel.
  • If electronic sign-off is used, performers and certifiers should consider using electronic signature tools, like DocuSign, to document timeliness or review.
  • Implementation begins when the internal controls policy is published in PPM.


  • Performer is an individual within the department that is responsible for creating and storing the underlying documentation of the internal controls review. A performer should not review or certify their own work.
  • Certifier is an individual (i.e., department head, Department Business Officer, or Management Services Officer) within the department other than the performer. A certifier will verify that the control activities have been performed appropriately and within the prescribed accounting period.
  • Department Head establishes and delegates responsibilities to performers and certifiers within the department. Department heads are ultimately responsible for ensuring control activities have been completed. Contact Internal Controls & Accounting via Services and Support if you have questions about delegation.
  • Internal Controls & Accounting is responsible for providing guidance and best practices for control activities (i.e., policies and procedures).
  • Audit and Management Advisory Services will have access to the documentation of control activities completed by departments, upon request.

Control Activities

The following activities must be performed and certified, unless not applicable to the department’s operations.  Objectives and references to instruction are provided in the Checklist for Best Practices in Internal Controls. Some departments may have specific activities not listed below that are acceptable alternatives, if that is the case, please note the reason in the checklist.

Monthly Control Activities

Transaction Verification

The High Risk Ledger Review provides a mechanism for departments to select transactions for periodic review.  This is an acceptable alternative to reviewing 100% of transactions. Select the appropriate filters (accounting periods, financial unit, person roles, etc.) and check the High Risk Ledger Review box to acquire transactions needing review.

  • Transaction Details Dashboard (High Risk Ledger Review)

GL-PPM Reconciliation

The GL-PPM Reconciliation report displays differences between amounts in General Ledger and amounts in PPM. A drillthrough report identifies the specific transactions that are causing the differences. Reconciliation of GL to PPM on sponsored projects is a required key control.

  • GL-PPM Reconciliation Report

Department Exceptions Review

The Department Exceptions Review is designed to highlight the transaction discrepancies and errors in the Oracle financial system.

  • 538000 on Non-Sponsored Funds
  • Transactions Incorrectly Posted to UCPath Specific Funds (CVR)
  • SP Funds Require Project Number in GL (CVR)
  • Incorrect PPM Budget Resources
  • Project Setup to GL Match Errors
  • Generate Invoice Process Errors - Non-Sponsored
  • Non-Sponsored Contract Lines Without Project or Task
  • Non-Sponsored Generate Revenue Process Errors
  • Transactions on No Project
  • SP Revenue and AR Wrong Accounting - PPM
  • Multiple Project Roles
  • Non-SP Projects with DFF Exceptions
  • Project Task Owning Org Mismatch
  • Closed Projects with GL Balances

Fiscal Operations Review 

Review of budget and expenditure reports with actual revenues and expenses monitored to ensure the accuracy and reliability of budget and financial information.

  • UCSD Budget vs Actual Report
  • Net Operating Results and Fund Balance Report
  • Fund Summary
  • GL Project Summary by Financial Unit

Overdraft Funds Review

Overdraft conditions are monitored and documented for resolution in accordance with PPM 300-2 Financial Deficit Policy. Monitors monthly deficit fund/activity balances and makes sure resolution is achieved as anticipated.

  • Financial Deficit Report - Operating Funds
  • Financial Deficit Report - Sponsored Projects

Payroll Reconciliation

Identify and correct discrepancies between the UCPath Labor Ledger (DOPE) and the Oracle GL and Oracle GL/PPM.  These mismatches are caused by Oracle and/or UCPath chartstrings being incorrect, by fund entry errors in UCPath, or incorrect project end dates in UCPath or GL/PPM.

  • DOPE with Combined Salary & Fringe, Condensed Column Set, and Employee Summary
  • Default Project Payroll
  • Funding Issues Report

Receivables & Cash Operations

Review and reconciliation of department credit card clearing accounts and depository clearing accounts to ledger accounting entries. Periodic follow-up of variances to resolve. Process correcting entries within 30 days of occurrence as prescribed in policy (BUS-49).

  • Credit Card Payment Processing (Not Procurement Card)
  • Receivables Aging Report

Custodial Equipment Management

Equipment has been accounted for, tagged, and properly reported. Monthly review of property locator report indicating that all newly purchased equipment has been accounted for and properly tagged with a UCID inventory number. Certification of the location and identification of equipment forwarded to Equipment Management.

  • Place Property ID Tags on Equipment
  • Report Fabrications Completed
  • Report Equipment Disposals
  • Report Equipment Transfers

Individual Security Access

Appropriate personnel have been assigned the proper system access.

  • Campus User Roles Report
  • Review of Separated and Transferred lists in the AccessLinkTNG Department Summary Screen by DSAs

Projects & Awards

Verify transactions are correctly accounted for and discrepancies or errors are resolved in the Oracle financial system.

  • Project Management Dashboard
  • Contract Management Dashboard
  • GL Project Balances

Procure to Pay

Review requisitions and purchase orders and invoices that need action.

  • Procure to Pay Action Items 

Quarterly Control Activities

Verification of Petty Cash or Change Funds

Quarterly review of cash balances. An unannounced cash count and verification of change and petty cash funds is performed by someone other than the fund custodian. Verification of cash balances is performed in the presence of the petty cash/change funds custodian and documented.

  • Perform Verification Count

Monitoring and Tracking Key Personnel

Review and monitoring of key personnel to ensure award personnel are properly managed on the award per Uniform Guidance (2 CFR 200.308 section c).

  • Sponsored Compliance Dashboard

Annual Control Activities

Physical Inventory of Equipment

At least every two years, every department must take a physical inventory of all University Inventorial Equipment, Government Inventorial Equipment, Other Government Property, and Other Inventorial Items, in accordance with UC Policy BUS-29, Section J.

  • Review Equipment Inventory Report

Physical Inventory of Equipment

Campus cash fund custodians (i.e., custodians of change funds and petty cash funds) will be required to certify on June 30th of each fiscal year that they possess the funds and are using the funds in compliance with the prevailing campus policy and procedures.

  • Petty Cash/Change Funds Custodial Certification

Resolving internal control deficiencies

Department administrators and managers are responsible for prompt and effective corrective action on internal control findings and for implementing remediation or action plans as recommended by internal and external auditors.


Find answers, request services, or get help from our team at the UC San Diego Services & Support portal.