Audit and Management Services

Internal controls guidance

Operational Internal Controls

Documentation of significant processes — Identify all significant department-specific activities or processes for which your department is responsible. Document each process, step by step, including the job titles responsible for steps. Having such processes documented is an excellent starting point for determining and evaluating where risks or internal control weaknesses may exist.

Segregation of duties — No one person should have control over all aspects of any financial transaction or process. Divide duties among staff members to reduce risk of error or inappropriate actions. Segregation of duties also counts as a deterrent to fraud by making it more difficult for an individual to commit fraud without detection.

General categories of functions to be separated:

  • Authorization of transactions
  • Recording of transactions
  • Custody of assets (receiving checks in mail for example)
  • Reconciliations — Reconciliation and audit functions should not be performed by the same employee who performs the task being reconciled or audited.


If a single person has duties in two or more of these categories for a single type of transaction, additional segregation of duties should be considered, or there should be other internal controls built around the process, such as more stringent supervisory review, to mitigate the weakness.


  • A single individual should not be able to authorize a purchase and also record that purchase in the accounting records.
  • A single individual should not authorize his own time off and/or his own timesheets.
  • A single individual should not authorize himself/herself to work overtime, or approve his/her own overtime pay.
  • A single individual should not authorize a purchase order and receive the goods or services ordered.
  • A single individual should not generate invoices for services rendered and also receive payments on those invoices.


Authorization of expenditures and travel — Expenditures and travel should be properly authorized. If a payment is to an employee, that payment should be approved by someone other than the payee.

Reconciliations of records — Reconciliations of records, such as monthly general ledger or purchasing card expenditures, should be reviewed by someone other than the preparer of either record. The reconciliation should be signed and dated by both the preparer and reviewer.

Employee training — Employees should have appropriate training to carry out their job duties and should have an appropriate level of supervision.

Delegation of authority — In today’s busy and dynamic environment it is impossible for one individual to perform all the duties and tasks that are required to achieve the university’s objectives. To meet the needs of their customers, managers delegate authority to staff so that decisions and related actions can occur in a timely manner. Delegation of Authority (DOA) is the formal process in which one person delegates the authority and responsibility to another person to carry out specific activities. Typically a manager will delegate to a subordinate a certain authority for a specific transaction (e.g., approve reimbursements up to $500). However, the person who delegated the work remains accountable for the outcome of the delegated work, even if the delegation is through an outsourcing arrangement. If DOA is done properly the university can save time and money while building the skills of its workforce. Managers should develop a framework in which they document the types of transactions and related dollar thresholds in which they delegate their authority to another individual. Managers need to ensure that individuals who received delegated authority have been properly trained and are well versed in university policies that govern the authority delegated.

Purchase card monitoring — The key control to ensuring the effectiveness of your unit’s purchase card program is a strong supervisory review and approval process.

Purchasing card policies by entity can be found as follows:

  • VCU purchasing card policies
  • VCUHS purchasing card policies (this link requires either health system network access or use of the health system’s Virtual Private Network).
  • MCVP has a separate purchasing card program from VCUHS. MCVP policies are available from the MCVP purchasing card program administrator in MCVP’s Finance department.

Compliance with these guidelines may be achieved through a monthly supervisory review of cardholders’ Statement of Account and supporting documentation and evidenced by the reviewer’s signature. Additionally, the business reason or the request to order should be documented, at a minimum, for purchases or from businesses that employees might use outside of work such as a general retailer (e.g., Sams Club, Kroger or Home Depot).

Perform the monthly supervisory review:

  • Ensure that adequate receipts are present and match all purchases shown on the cardholders’ monthly statement.
  • If supporting documentation is not provided, request the cardholder to provide it or obtain a copy from the vendor.
  • Validate the business appropriateness of items purchased.
  • If questionable transactions are identified, contact the cardholder for an explanation of the transaction.
  • Validate the explanation with other departmental personnel, if possible (e.g., the explanation provided was that the item was purchased at the request of Dr. Smith).
  • If the cardholder is not able to appropriately support or explain a questionable transaction, contact the Purchasing Card Administrator.
  • Ensure that Purchasing policies are being followed:
  • Transactions are not split to avoid single transaction limits or card limits.
  • Sales tax is not paid unnecessarily.
  • Sign and date the monthly statement to document that the review has taken place.


Cash controls — Any unit collecting cash, maintaining a cash fund or maintaining gift cards (usually for research subject participation) needs to ensure that cash and gift cards are sufficiently safeguarded and accounted for. The following principles of good cash handling will be discussed in greater detail: Segregation of Duties, Security, Reconciliation, Management Review and Documentation.

Segregation of Duties: Cash handling duties can be divided into four stages: receiving, depositing, recording and reconciling. Ideally, all four stages would be performed by different individuals. The purpose of this segregation of duties is to minimize the opportunity for an employee to misappropriate funds without detection. In a smaller department, it may not be feasible to fully segregate all cash-related duties. In these circumstances, the department may rely on compensating controls (e.g., increased monitoring) to mitigate the risk that cash is lost or misappropriated.

Security: Keep all cash in a safe until it is deposited. For areas with regular cash receipts, a drop safe is recommended with “anti-fishing teeth” to limit access to the contents of the safe. Regardless of the type of safe used, limit access to supervisory and authorized personnel only. Change the combination of the safe on a regular basis (e.g., annually) or when an employee who knows the combination to the safe leaves the department. Finally, cash or checks totaling $100.00 or more must be deposited within 24 hours of receipt.

Reconciliation and Documentation: Cash collections must be reconciled on a daily basis to the applicable system to ensure the completeness of receipts.

Health System only — Each Patient Access Representative collecting funds must complete an FDPP User Reconciliation Form. Each Patient Access Supervisor must complete a daily Front Desk Department Reconciliation form. Reconciliation procedures are available at (this link requires either health system network access or use of the health system’s Virtual Private Network)

Management Review: On a monthly basis, an employee who does not collect funds should reconcile deposit receipts to the general ledger accounts to ensure cash receipts were properly deposited and credited to the general ledger account. Also, the remaining cash and gift cards should be counted and added to the receipts to make sure the authorized cash fund balance is fully accounted for.

Documentation: Records of deposits made must be documented and retained to assist in the performance of reconciliations. Reconciliations between local records (e.g., receipts) and the general ledger revenue reports must be performed on a monthly basis. Documentation that the reconciliation was performed and that reconciling items were investigated and resolved must be retained.

Policies and procedures — Policies and procedures should be maintained in sufficient detail, should be updated at least once every three years and should be made available to all personnel.

Fixed assets management — Fixed assets should be properly recorded and controlled to provide safety and protection from theft, abuse or misuse. All assets with a dollar value over $2,500 are required to be registered with the Controller’s Office as a university fixed asset. The fixed asset custodian should ensure that the equipment is appropriately identified, tagged and tracked. To ensure appropriate fixed asset controls, a sample of fixed assets registered with the Controller’s Office and a sample of assets identified during a walkthrough of facilities should be reviewed to ensure that all assets are appropriately identified and tracked. The fixed assets custodians are also responsible for ensuring that assets are removed from the fixed asset registry in a timely manner, performing a full reconciliation of assets annually, and certifying that all assets are appropriately accounted for and reflected in the fixed asset registry.

Business purpose documentation — Documentation should be retained supporting the business purpose of each expenditure.

Approval of time records — In order to ensure the propriety of submitted hours, employee time records should be reviewed by their supervisors. If feasible, overtime should be approved in advance.

Performing annual performance evaluations — Performance evaluations are valuable tools that provide staff members with feedback on their performance and accomplishments for the previous year. They also assist staff members in understanding their job responsibilities and supervisor’s performance expectations. Evaluations are expected to be fair, representative of actual performance, written and performed on an annual basis. Failure to provide documented evaluations could complicate later disciplinary processes.

Petty cash accounts — Petty cash accounts should be established at a fixed amount. Access to petty cash funds should be restricted to a designated petty cash custodian. Each time petty cash is expended, the custodian should obtain and maintain a valid receipt for the expenditure, such that the sum of petty cash receipts plus the amount in petty cash always equals the established amount of the fund. Receipts should be turned in along with a request for replenishment of petty cash, to document the business purpose of each expenditure.

Information Technology Internal Controls

Software licensing — Software should only be used if it is properly licensed to ensure that only legally procured systems are used.

Sharing of ID’s and passwords — Each user of an IT system should be assigned their own username and be made to create their own unique password. ID’s and passwords should not be shared among users.

Terminating systems access — A process should be in place to timely remove system access when it is no longer needed, whether due to a change in the user’s job or to termination.

Disaster recovery and business continuity — Departments should develop disaster recovery and business continuity plans to be reviewed and approved by senior management. Implementation of these enhancements can reduce downtime and facilitate business continuity in the event of a disaster. Documented disaster recovery procedures, as well as periodic testing and review of these procedures, alert the department to possible recovery obstacles and the accuracy of recovery times.

Data backup and recovery — Backups should be performed daily and the backup process tested on a regular basis to ensure the continuity of data.

IT asset inventory — Information technology assets and their locations should be inventoried in order to secure and track all equipment used. An accurate IT asset inventory will help ensure proper configuration.

Web application security — Web applications and websites should be protected against cross-site scripting, SQL injection, denial-of-service and other attacks through the use of testing, digital signatures and quality coding.

Employee turnover checklist — A checklist that details all the necessary steps to be performed when an employee changes jobs or separates from employment should be maintained. Completion of the checklist at job separation will help eliminate system access that is no longer appropriate.

Patching systems — Systems should be patched automatically on workstations and no less than monthly on servers. For critical systems, patches should also be tested prior to implementation and testing results documented.

Virus, spyware, adware and malware prevention — Antivirus and malware software should be used and maintained at a current version to protect from any potential attacks and users should be trained against social engineering.

Server, operating system and database security, and physical security — Both intrusion prevention and detection software should be used to prevent or identify potential attacks. Logs should be stored on another server and reviewed on a regular basis for abnormalities. Default passwords should be changed; unnecessary factory default services should be disabled and routine patching of the operating system, database and webserver should occur.

Change controls — System changes should be documented, tested and approved before implementation to ensure that changes will not negatively affect systems. All testing should be documented and a back-out plan (restoring to the previous software state) should be prepared in case the change needs to be revoked.

Network security controls — Data networks should be compartmentalized based on use and type of data transmitted. Firewalls or filters should be applied to limit network addresses or services allowed to occur between compartments and the Internet. If physical or wired assess is not relied on to gain access to the network (as in the case of remote network access) then additional factors of authentication are necessary, such as logon identifiers and passwords, tokens or biometrics. Two-factor authentication should be used to authenticate privileged users with access to sensitive systems. Wired and wireless networks should be diagrammed. Network monitoring, network device patching, IT asset inventory and configuration management software processes should exist to protect the network and the devices supported therein.

Reporting lost or stolen computing devices, lost sensitive information or hacking attempts — Management should report missing computing devices to either the health system’s or university’s Information Security Officer (ISO). Theft of computing devices must be reported to the VCU Police. In addition, data breaches or suspected successful hacking attempts should be report to either organizations’ ISO and the Privacy Officer.

Sponsored Programs Related Internal Controls

Pre-award — To ensure compliance with sponsored agreement requirements, individuals involved in sponsored programs must follow university procedures for the solicitation, review, approval and submission of proposals with financial budgets.

Effort reporting and salary — Employees are required to certify effort expended on sponsored program research activity to ensure that salaries are calculated and charged correctly in accordance with sponsored agreements, federal regulations and university policy.

Post-award administration — Issued by the Office of Management and Budget in 2013, the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards — Final Rule, supersedes and streamlines previous OMB Circular requirements. The university as well as financial administration personnel must comply with new guidance in areas such as procurement, indirect Facility and Administrative costs, and performance measurement and reporting.

Award close-out — The closeout process spans several different functions: financial, regulatory and administrative. The financial process is mostly handled through the departments that receive the awards and the Grants and Contracts Accounting Office, and includes ensuring that agreed upon services and work-product have been billed to the sponsor and payments have been received. Regulatory closeout includes filing any required reports with the appropriate agency or sponsor. The administrative closeout includes notification and providing closeout documentation to the Office of Sponsored Programs, who inputs and maintains information in InfoEd, the system of record for all sponsored programs.

Request a Consultation
Audit and Management Services can assist you with internal control self-assessment tools that are relevant to your department or function. Additionally, we can explain control concepts in greater detail and how to implement or improve internal controls in your area. To arrange a consultation, please contact the director of audit or the deputy directors of the following audit functions: health system, IT or university.

View graphic versionView graphic versionView graphic version