Internal Control Activities & Best Practices

A good internal control system should include the control activities listed below. These activities generally fall into two types.

Preventive: Preventive control activities aim to deter errors or fraud before they occur. Preventive activities include thorough documentation and authorization practices. Because they prevent undesirable "activities" from happening, they require well-thought-out processes and risk identification.

Detective: Detective control activities identify undesirable "occurrences" after the fact. The most obvious detective control activity is reconciliation.

Below is a list of typical best business practices in maintaining an effective control environment:

  • Set a strong example for the expectation of ethical behavior, compliance with laws/policies, and communicate your expectations routinely to your unit's personnel.
  • Never sign something you do not understand.
  • Limit signature authority and do not let anyone sign your name (an employee should sign their own name). Never use a signature stamp.
  • If something does not make sense, ask questions about it until it does. Pay attention to what your employees are doing.
  • Be familiar with University policies and procedures. Be willing to call and ask questions.
  • Consider unique risks your unit may have (e.g., cash collections, contracts and grants) and ensure additional oversight is provided.
  • Ensure level reports are reconciled monthly and review this reconciliation for any unusual transactions.
  • Do not let one employee have complete control of any process.
  • Keep offices and labs locked to protect property, data, and other resources. (Remember to shred paper documents with identifying information.)
  • Ensure University assets are used for University business.