Virginia Tech® home

Internal Controls: The Key to Good Business Practices

  1. Establish the “tone at the top” and promote an ethical business environment by providing structure, feedback, and discipline.
  2. Assess risks specific to your operations and develop a control system to address risks that could prevent achieving established goals.
  3. Establish and maintain control activities such as reconciliations, approvals, and review of operating activities.
  4. Ensure appropriate access to and use of university information and systems.
  5. Monitor control system and activities to identify and correct breakdowns timely.

Internal controls are the methods and procedures designed by management to safeguard assets and to manage resources. It’s the system of checks and balances. A system of internal control serves to minimize errors in the accounting records and to deter fraud, embezzlement and theft by employees, customers and vendors. The system of internal control provides reasonable assurance of the following:

  • Reliable financial and operational reports
  • Efficient and effective operations
  • Compliance with applicable state and federal laws and/or regulations and university policies and procedures

As department head, you are responsible for setting the “tone at the top” of your department’s control environment and ensuring that adequate controls are included in your daily operations. In plain language, a system of internal controls is essentially a system of checks and balances. This system of checks and balances over financial transactions is needed for much the same reasons why such systems are needed for democratic governments: absolute power leads to undesirable results. In government, absolute power can result in despotism; total control by one person over financial transactions can result in theft or fraud.

Types of Internal Controls:

  • Detective controls are designed to detect errors or irregularities that may have occurred.
  • Corrective controls are designed to correct errors or irregularities that have been detected.
  • Preventive controls are designed to keep errors or irregularities from occurring in the first place.

Types of Control Activities:

  • Approvals
  • Authorizations
  • Verifications
  • Reconciliations
  • Review of operating performance
  • Security of assets
  • Segregation of duties

Why are monthly reconciliations and reviews so important?

Monthly reviews of reconciliations prepared by your staff and the concurrent reviews of the detail transactions posted to the funds in your department are some of the most important internal accounting control procedures that you will perform. Reviews and reconciliations are detective controls. They accomplish two primary objectives. First, these reviews are one of the key processes in the system of checks and balances (internal controls) needed in your department to prevent fraud, theft, or inappropriate use of public funds. Second, these monthly reviews can also enable you to assess the effectiveness and efficiency of the business practices in your department.

Obviously, as department head you must delegate responsibility and authority for some of the clerical and administrative functions of your department to the staff and/or faculty you supervise. To build effective working relationships with such employees, you must trust these employees to do the right thing and treat them with respect. On the whole, the university is very fortunate to have honest and dedicated employees, however, as in any company, not all employees are deserving of your trust. Absolute trust is not appropriate: you cannot abdicate your responsibility for oversight and management reviews of the financial and administrative duties of your department. The majority of the frauds and thefts occurring in university departments resulted from inadequate reviews by department heads. Such inadequate reviews have enabled seemingly honest and trustworthy employees (faculty and staff) to steal thousands of dollars per month over a period of years in several departments. These employees didn’t need a gun to steal; they just needed an overly trusting department head. Most department heads don’t think that employees would ever do the following:

  • Create fictitious invoices and forge the department head’s signature to reimburse themselves for fictitious business expenses
  • Use the departmental American Express Purchase Card to buy jewelry, clothes, and other personal items
  • Enter overtime hours into the payroll system to pay themselves overtime (at 1.5 times their normal pay rate) for hours not worked
  • Use university supplies, equipment, subordinate employees or students charged to university funds, or other university resources to benefit a private business in which the faculty or staff have an ownership interest (see Conflict of Interest section of this guide)
  • Issue fictitious customer refunds to conceal funds stolen from daily cash receipts

However, these are just some of the types of thefts and frauds that have occurred within the university in recent years. As department head, you are responsible for ensuring that your review is adequate to provide reasonable assurance that these or similar types of problems are detected on a timely basis.

In addition, your review can serve as a final check on the appropriateness of expenditures. For example, your review of expenditures might reveal alcoholic beverages for a fund raising reception were mistakenly charged to public Education & General funds or office supplies purchased from Boise Cascade (or other such vendors) charged to sponsored projects funded by the federal government – both of which are prohibited by state or federal regulations (See sections of this manual related to Entertainment and Sponsored Programs).

A review of the detail transactions can also provide insight into the pattern of revenues and expenses in your department. These patterns may indicate opportunities to streamline or improve business processes. For example, if the pattern reveals multiple low dollar transactions to certain supply vendors each day, perhaps a new procedure could be implemented in the department where the employees are notified that such supplies orders will be consolidated and only processed once or twice per week. Vendors who do a large volume of business with the university often provide next day delivery so reducing the frequency of orders is now more feasible. If such changes are not practical, then the use of the American Express Purchase card would reduce some of the paperwork associated with such multiple orders. Likewise, if employees frequently have multiple retroactive payroll funding changes, perhaps changes are needed in the way funding distribution are assigned or alternative methods for dealing with sponsored funding delays such as letters of guarantee (contact the Office of Sponsored Programs) could be utilized to eliminate the need for processing funding changes.

What elements compose Internal Controls?

Internal control consists of five interrelated components: the control environmentrisk assessmentcontrol activitiesinformation and communications, and monitoring. Each of these components is an integral part of the management process and plays a specific role in departmental internal control procedures.

Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the organization’s people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its human resources; and the attention and direction provided by the board of visitors.

Risk Assessment: Every organization faces a variety of business risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks that may prevent the achievement of established objectives.

Control Activities: Control activities are the policies and procedures implemented by management to ensure management directives are carried out to meet organizational objectives. They are designed to address risks that could prevent achieving the organization’s objectives. Control activities occur throughout the organization, at all levels and in all functions. Each department is unique, and only the most basic of control activities are specifically outlined in university policy and procedures. The department head is responsible for identifying other appropriate control activities to address the unique risks to which his or her department may be exposed.

Information and Communication: Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to carry out their responsibilities. Effective communication also must occur in a broader sense, flowing down, across, and up the organizational structure. All personnel must have a means of communicating significant information upstream. The department must also effectively communicate with external parties, such as students, sponsors of research, alumni, and administrative departments. The administrative departments are here to assist you in achieving your operational goals without violating applicable laws, regulations, or policies. If you are unsure of the legal and/or business risks associated with a particular transaction, it is definitely NOT “better to ask forgiveness than request permission.”

Monitoring: Effective monitoring is a process that assesses the quality of the system’s performance over time. It includes the regular management and supervisory activities as well as separate evaluations by central units, Internal Audit, or other independent parties.

No matter how well internal controls are designed, they can only provide reasonable assurance that objectives will be achieved. Segregation of duties decreases the chances of controls being circumvented through collusion, but controls can still break down through human error and judgment, as well as management override. Management override should not be confused with management intervention, which represents management actions to depart from prescribed policies and procedures for legitimate purposes. Internal control deficiencies should be reported to the department head and/or dean, with serious matters reported to executive management. Specifically, upon the discovery of circumstances that suggest a fraudulent transaction or irregularity has occurred, Policy 1040 Reporting and Investigating Suspected Fraudulent Activities, instructs employees to immediately notify one of the following:

A well-designed process with appropriate internal controls should meet most if not all of the system’s control objectives. A system of internal control can be evaluated by assessing its ability to achieve seven commonly accepted control objectives:

Authorization: All transactions are pre-approved by responsible personnel.

Completeness: All valid transactions are included in the accounting records.

Accuracy: All valid transactions are accurate, consistent with the originating transaction data, and information is recorded in a timely manner.

Validity: All recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management’s general authorization.

Physical Safeguards and Security: Access to physical assets and information systems are controlled and properly restricted to authorized personnel.

Error Handling: Errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management.

Segregation of Duties: Duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing a transaction.

Policy 3010 Internal Controls states, "the University Controller and the ARMICS Coordinator/Internal Controls Manager are assigned the primary responsibility for establishing the internal control structure for the university's financial systems and processes through the creation and ongoing maintenance of university fiscal policies and procedures. At Virginia Tech, this evaluation is performed by reviewing the results of the annual Financial and Business Compliance Survey sent to department heads and their fiscal staff. The survey contains over 100 questions related to business processes and procedures. This review is performed not only because it is required, but also because it provides a mechanism to department heads to assess awareness of detail requirements contained in fiscal policies and proecedures or adequate internal control standards, and evaluate actual business practices relative to these requirements. This is another review process that can enable departments to implement any corrective actions needed. The University Controller uses this survey to identify business processes that may need to be improved or where training and communications need to be provided. 

Below is a link to the most recent Financial and Business Compliance Survey.

Reconciliation of Financial Activity (to be performed monthly)

(Utilizing the Month to Date (MTD) option of the Transaction Detail Report for each fund in the department)

Cash Receipts Reconciliation (if applicable)

Cash receipts are typically for revenues or expenditure refunds. Procedures for the cash receipts/funds handling activities differ for each department depending on the type of activity and frequency of occurrence.  The reconciliation of cash receipts activities varies accordingly and should be completed monthly.   The university’s funds handling guidelines are published at

Accounts Receivable Reconciliation (if applicable)

Accounts Receivable activities are typically associated with revenue generating activities such as the sale of goods or services.  Procedures for accounts receivable activities differ for each department depending on the type of activity and frequency of occurrence. The reconciliation of accounts receivable activities varies accordingly and should be performed monthly. The university’s accounts receivable guidelines are published at

Salary Expenditures

Periodically review rates for all salary employees.

Salary Payroll Report Reconciliation

Includes payments for P14s, salary overtime, GRA, etc. and is provided by the payroll office for transactions occurring in each payroll period.  Departments having no such activity will not receive a report.

  1. Review the salary reports (previously reconciled by a fiscal person) that support the charges on Finance.
  2. Determine that salary payroll expenditures are valid. 
  3. Authorize any corrections. 
  4. Authorize the salary payroll reports.

TIP:    Ensure that hours entered for payment to salary employees have been recorded properly—i.e. hours are recorded, approved and entered timely; salary overtime hours worked are either paid or accrued leave is granted.

Hourly Payroll Report Reconciliation

Includes payments for all wage employees and is provided by the payroll office for transactions reported in each payroll period.

  1. Review the timecard verification web reports printed semi-monthly. 
  2. Ensure that timecards were reconciled to the verification reports.
  3. Ensure that the semi-monthly hourly payroll reports have been reconciled to the timecard verification web report or directly to employee timecards.
  4. Review the wage rates on the payroll reconciliation report.  Consider comparing to prior reports if there are several wage employees to ensure that the rates have not been changed.
  5. Periodically, select a random sample of employees and trace the hours worked to the employee’s timecard verifying accuracy and supervisor’s authorization.
  6. Periodically, determine that only appropriate individuals are authorized to enter wage hours

Monthly Purchasing Credit Card Transactions

  1. Purchase Card reconciliation is performed through ChromeRiver under the oversight of the Controllers Office.
  2. The monthly banking cycle ends on the 15th of each month and reconciliations must be completed by the 10th of the following month.
  3. The entire statement balance must be reconciled each month.  If an incorrect charge appears on your monthly statement, it should be treated like any other charge for reconciliation purposes, and a credit needs to be requested from the supplier.
  4. If a purchase or credit does not appear on the current Purchase Card statement, make a note of the information and maintain it in your records so it can be used when reconciling the subsequent statement.

Below is a training document that provides an overview of the p-card process in Chrome River.

Monthly Telephone Charges

TIP:    Have employees and supervisors review individual toll charges and certify business purpose. University and State guidelines prohibit use of resources for non-university related activities.

  1. Obtain monthly Network Infrastructure & Services (NI&S) invoice.
  2. Compare total amount due to previous bill.
  3. Scan charge summaries for unusual amounts.
  4. Periodically, review the number of telephone, Ethernet, and modem accounts for reasonableness.

Operating Expenditures

TIP:    Ensure that all funds have been reviewed. The SNAP BY ORGN report requested at the 4 digit department number will include all funds assigned to the department. Verify report parameters and the page number continuity.

  1. Verify that all transactions posted were properly initiated and authorized in the department.
  2. Verify that all transactions initiated posted in a reasonable period.
  3. Scan for unusual amounts or vendors.
  4. Certify completion of the reconciliation process.

Budget and Encumbrances

  1. Review changes in the overhead allocations.
  2. Determine that changes in the E&G budget and encumbrances appear reasonable and appropriate.
  3. Ensure percent used is reasonable for the time period