Internal Control Checklist

The objective of the Internal Control Checklist is to provide the campus community with a tool for evaluating their internal control structure and general compliance, while also promoting effective and efficient business practices. The effective utilization of this checklist will strengthen controls, improve compliance, and eliminate many potential audit comments.

Questions and Answers

 What is Internal Control?

Internal control, in its broader sense, is defined as a process effected by an organization’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of reporting
  • Compliance with applicable rules, laws and regulations

Internal Control components include Control Environment, Risk Assessment, Control Activities, Information and Communication and Monitoring.

Most of the time the emphasis is on common control activities which may include the following:

  • Segregation of functional responsibilities to create a system of checks and balances.
  • A system of authorization and record procedures adequate to provide reasonable accounting control over assets, liabilities, revenues, and expenditures.
  • Development of policies and procedures for prescribing and documenting the business and control processes. This should consist of a well thought out strategy and be reviewed and adjusted periodically to reflect changes in the business and control environment.

 Are there policies or principles established by the University of Florida regarding internal controls and financial management?

The University of Florida and its governing board adopted the Guiding Principles of Financial Management and Internal Control Principles.

 What is Legal and Managerial Compliance?

For purposes of this document, legal and managerial compliance refers to compliance with the various laws, rules, policies, directives, and procedures that prescribe the guidelines and parameters within which we must operate. Some of these are self-imposed to ensure effective business and/or control practices. Legal and managerial compliance requirements that govern how we operate include, but are not limited to, the following:

  • Federal Constitution, Laws, and Regulations
  • Florida Constitution, Statutes, and Administrative Code
  • University of Florida Board of Trustee Policies, Resolutions, and By-laws
  • University of Florida Finance and Accounting Directives and Procedures
  • University Controller Memoranda
  • Departmental Policies and Procedures

  How can I operate more efficiently?

There is no pat answer to this question. Obviously, skilled, well-informed and motivated faculty and staff are an important ingredient of an effective operation. Staff should be provided adequate training opportunities and understand what is expected of them. Good lines of communication are important.

With the fast pace of change in technology, coupled with changes in regulatory compliance requirements and staff turnover, it is usually useful to review the various processes from time to time, asking why the various tasks are being performed and determining whether the tasks add any value to the process or whether there is a better way to accomplish them.

Examining crises that have occurred in the past is often a useful way of preventing them in the future. Reviewing the structure or operations of similar organizations may also provide ideas on how to improve your organization.

  How do I use the checklist?

The checklist is simply a tool similar to what most auditors might use if they were performing a review of your department’s internal controls. The checklist should be completed by management accountable for the particular business process. While “no” responses would normally indicate a potential weakness, this could be offset by “compensating” controls within the unit. It is difficult to make a statement regarding a particular control based on the response to just one question. Most internal control procedures are simply based on “common sense”, i.e., the person having custody of an asset, such as cash, should not be solely responsible for accounting for it; no one person should be able to complete a requisition/payment transaction or personnel/payroll transaction from beginning to end without appropriate monitoring or oversight. Incompatible duties should be segregated for a check and balance; laws and University policies and directives are expected to be followed. Although many internal controls are a simple matter of common sense, taking the time to periodically use this checklist to review the control processes can be valuable and helps document your due diligence.

See the Office of Internal Control Checklist.

What should we do if there isn’t enough staff to segregate incompatible duties?

Some areas, by virtue of their size, are not able to implement basic controls such as segregation of duties without an unreasonable expenditure of funds (e.g., the costs of the control exceed the benefit of separating the duties). In these cases, it is important that management institute compensating controls to cover for the lack of a basic control. This protects the employees and the university.

Compensating controls are less desirable than separation of duties because they generally occur after the transaction is complete. Also, it takes more resources to investigate and correct errors and to recover losses than it does to prevent them in the first place.

Some examples of compensating controls include:

  • A manager may perform a high-level review of a detailed report of transactions completed by an employee who performs incompatible duties.
  • A manager may periodically select a sample of transactions, then request and review the supporting documents to ensure that they are complete, appropriate, and accurately processed. This monitoring procedure should be documented.
  • Increase supervisory oversight: Other activities a manager may perform as compensating controls are observation and inquiry. Where appropriate, increase supervisory reviews by observing the processes performed in certain functions and making inquiries of employees.
  • Have someone from outside the area perform an external review of activities. For instance, if two separate areas don’t have enough employees to separate duties, the two areas may be able to share responsibilities or “check” each other.

  What do we do if we identify potential control deficiencies or we have questions?

Risks associated with potential control deficiencies may differ from unit to unit. The unit management is the first channel to address the implications of the deficiencies. Other resources may include the Controller’s Office and the Office of Internal Audit.

Remember, we all play a part in the University’s internal control system!