Internal Control

Self-Assessment Checklist
Management throughout the University is responsible to establish internal controls to keep their
operations on course toward financial goals, ensure proper use of resources, to help achieve
defined missions, to minimize surprises and risks, and to allow the organization to successfully
deal with change. Internal controls are defined as activities undertaken to increase the likelihood
of achieving management objectives in three areas:
• Efficiency and effectiveness of operations
• Reliability of financial/timekeeping records
• Compliance with laws and regulations
Some internal controls are established at the institutional level; others are established at the
department level. To achieve success, management needs to (1) be knowledgeable about, and
support, institutional controls, and (2) implement practical and effective internal controls specific
to the department utilizing a cost benefit approach. (unless required by local, state or federal
regulations).
The following checklist is provided as a tool to facilitate a self-assessment of internal controls by
management of individual departments. It is intended to address general aspects of internal
controls. Use of this checklist is voluntary and is not required.
Organization of the checklist is consistent with the five interrelated components of internal
control defined by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO).

COSO INTERNAL CONTROL FRAMEWORK

We encourage department heads, financial managers, business officers and anyone involved in
entering or approving financial transactions and/or time records to use this self-assessment
checklist to evaluate internal controls in their areas of responsibility. This checklist can be
modified and you can add to the checklist other controls that you think apply specifically to your
department. The checklist is not intended to be a “one size fits all” document and some sections
may be N/A for your area.
The Office of Internal Audit and Consulting is available to offer advice upon request. You can
also consult with the “Responsible Office” and “Responsible Official” noted on various
University policies.

University of Memphis Office of Internal Audit and Consulting (March 2016)

 Index
1. Control Environment 3. Control Activities
1. Integrity and Ethical Values 10. Written Policies and Procedures
2. Commitment to Competence 11. Control Procedures
3. Management's Philosophy and Operating Style 12. Controls over Information Systems
4. Organizational Structure 4. Information and Communication
5. Assignment of Authority and Responsibility
6. Human Resource Policies and Practices 13. Access to Information
14. Communication Patterns
2. Risk Assessment
5. Monitoring
7. Organizational Goals and Objectives
8. Risk Identification and Prioritization 15. Management Supervision
9. Managing Change 16. Outside Sources
17. Response Mechanisms
18. Self-Assessment Mechanisms
Links for additional information about internal controls.

COSO INTERNAL CONTROLS FRAMEWORK

CONSIDERATION OF FRAUD IN A FINANCIAL
STATEMENT AUDIT – AU316
ACFE ANNUAL GLOBAL FRAUD REPORT
GAO GREEN BOOK INTERNAL CONTROL
SYSTEMS
UOM POLICIES AND PROCEDURES
GUIDE TO CASH HANDLING

PCARD GUIDELINES

University of Memphis Office of Internal Audit and Consulting (March 2016)

 Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5

Section 1 – Control Environment

1 - Integrity and Ethical Values
Department management (faculty and
supervisory staff) understand the University's
1.1 Acceptable business practices. Policies are poorly understood
policies covering matters such as legitimate use
of University resources.
Department management understands the
University's policies governing relationships
1.2 Codes of conduct. Policies are poorly understood.
with sponsors, suppliers, creditors, regulators,
the community, and the public at large.
Department management understands the
1.3 Conflicts of interests. University's policies regarding potential Policies are poorly understood.
conflicts of interest.
Department management sets a good example Management does not set a good example
1.4 Integrity. and regularly communicates high expectations and/or does not communicate high expectations
regarding integrity and ethical values. regarding integrity and ethical values.
2 – Commitment to Competence
Responsibilities are clearly defined in writing Responsibilities are poorly defined or poorly
2.1 Job descriptions.
and communicated as appropriate. communicated.
Department management (faculty and
Management does not adequately consider
2.2 Knowledge and Skills. supervisory staff) understand the knowledge
knowledge and skill requirements.
and skills required to accomplish tasks.

1
 Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
Department management is aware of
competency levels, and is involved in training
and increased supervision when competency is
Management is not adequately aware of
low.
2.3 Employee competence. competency levels, or does not actively address
problems.

3 – Management’s Philosophy and Operating Style

Department management engages in open Management is secretive and reluctant to
3.1 Communication disclosure of financial or business issues with conduct business or deal with issues in an open
appropriate University personnel. manner.
There is active concern and effort to ensure
Management is willing to risk the
3.2 Laws and regulations. compliance with the letter and intent of laws
consequences of noncompliance.
and regulations.
Management is concerned with and exerts Management is willing to get the job done
3.3 Getting the job done.
effort to get the job done right the first time. without adequate regard to quality.
Exceptions to policy are infrequent. When they
Exceptions to policy are the norm and are
3.4 Exceptions to policy. occur they must be approved and well
rarely documented.
documented.
Management’s approach shows concern and
appreciation for accurate and timely reporting.
3.5 Approach to financial accountability. Financial accountability is given low priority.
Budgeting and other financial estimates are
generally conservative.
Realistic budgets are established and results are Management either shows little concern
3.6 Emphasis on meeting budget and other
actively monitored. Corrective action is taken (climate of laxness), or makes unreasonable
financial and operating goals.
as necessary. demands (climate of fear).

2
 Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
Decision-making processes are deliberate and
consistent. Decisions are made after careful Decision making is nearly always informal.
3.7 Approach to decision making. consideration of relevant facts. Policies and Management makes arbitrary decisions with
procedures are in place to ensure appropriate inadequate discussion and analysis of the facts.
levels of management are involved.
4 – Organizational Structure
Complexity of the structure is commensurate Lines of responsibility are unclear or
4.1 Complexity of the organizational
with the organization. Lines of reporting are unnecessarily complicated for the size and
structure.
clear and documentation is up-to-date. activities of the entity.
Documentation does not exist or is out-of-date.
4.2 Organization charts. Documentation exists and is up to date. The documented structure does not correspond
with actual responsibilities.
Size is commensurate with the complexity of Size is not appropriate (e.g., too many levels,
4.3 Size of the management group.
the department and its growth. too dispersed, or too "thin").
4.4 Stability of the management group. Low turnover. High turnover.
5 – Assignment of Authority and Responsibility
5.1 Delegation of authority and assignment Delegation of authority and assignment of Decisions are dominated by one or a few
of responsibility for operating and responsibility is clearly defined. Individuals are individuals. Roles and responsibilities of
financial functions. held accountable for results. middle management are unclear.
Authority limits are clearly defined in writing Policies and procedures covering authority
5.2 Authority limits.
and communicated as appropriate. limits are informal or poorly communicated.
Appropriate limits have been placed on each Signature authority is delegated without
delegation of signature authority. Management adequate consideration. Delegated authority is
5.3 Delegated signature authority.
reviews and updates signature records as not in line with employee knowledge, training,
turnover occurs. or competence.
Key personnel are knowledgeable and Key personnel are inexperienced. Management
5.4 Knowledge and experience. experienced. Management does not delegate delegates authority without regard to
authority to inexperienced individuals. knowledge and experience.

3
 Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
Management provides the resources needed for Management does not provide necessary
5.5 Resources.
employees to carry out their duties. resources.
6 – Human Resource Policies and Practices
A careful hiring process is in place. The
The hiring process is informal, and sometimes
Human Resources Department is involved in
6.1 Selection of personnel. proceeds without adequate involvement by
identifying potential employees based on job
higher-level supervisors.
requirements.
On-the-job and other training programs have
Training programs are inconsistent, ineffective,
6.2 Training. defined objectives. They are effective and
or are given low priority.
important.
Regular supervision does not exist or is
Personnel are adequately supervised. They
6.3 Supervision policies. ineffective. Employees are frustrated and feel
have a regular resource for resolving problems.
they ‘have nowhere to go’ with issues.
Inappropriate behavior is consistently
Reprimands are not timely, direct, or are not
6.4 Inappropriate behavior. reprimanded in a timely and direct manner,
consistently applied (climate of favoritism).
regardless of the individual's position or status.
The evaluation process is ad hoc and
6.5 Evaluation of personnel. An organized evaluation process exists. inconsistent. Performance issues are not
formally addressed.
Compensation decisions are based on a formal
process with meaningful involvement of more Compensation decisions are ad hoc,
6.6 Methods to compensate personnel. than one level of management. The effect of inconsistent, or inadequately reviewed by
performance evaluations on compensation management.
decisions is defined and communicated.
There is inadequate staffing and frequent
Critical functions are adequately staffed, with
6.7 Staffing of critical functions. periods of overwork and "organizational
reasonable workloads.
stress."
6.8 Turnover. Particularly turnover in Low turnover. Management understands root High turnover. Management does not
financially responsible positions. causes of turnover. understand root causes.

4
 Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5

Section 2 – Risk Assessment

7 – Organizational Goals and Objectives
A formal mission or value statement is
A unit-wide mission or value statement does
7.1 Unit-wide objectives. established and communicated throughout the
not exist.
department.
Factors that are critical to achievement of
department-wide objectives are identified.
7.2 Critical success factors. Resources are appropriately allocated between Success factors are not identified or prioritized.
critical success factors and objectives of lesser
importance.
Realistic objectives are established for all key
7.3 Activity-level objectives. activities including operations, financial Activity-level objectives do not exist.
reporting and compliance considerations.
Department-wide and activity level objectives
Performance regarding objectives is not
7.4 Measurement of objectives. include measurement criteria and are
measured. Targets are not set.
periodically evaluated.
Employees at all levels are represented in Management dictates objectives without
7.5 Employee involvement.
establishing the objectives. adequate employee involvement.
Long and short-range plans are developed and
No organized planning process exists. There
7.6 Long and short-range planning. are written. Changes in direction are made only
are frequent shifts in direction or emphasis.
after sufficient study is performed.
Detailed budgets are developed by area of
responsibility following prescribed procedures
Budgets do not exist or are "backed into"
7.7 Budgeting system. and realistic expectations. Plans and budgets
depending on desired outcome.
support achievement of department-wide
action steps.
Planning for future needs is done well in
7.8 Strategic planning for information The information system lags significantly
advance of expected needs and considers
systems. behind the needs of the business.
various scenarios.
5
 Assessment Factor
8 – Risk Identification and Prioritization
8.1 Identification and consideration of
external risk factors.
8.2 Identification and consideration of
internal risk factors.
8.3 Prioritization of risks.
8.4 Approach to studying risks.
8.5 Process for monitoring risks.
8.6 Consultation with external advisors.
9 – Managing Change
9.1 Commitment to change.
Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
A process exists to identify and consider the
implications of external risk factors (economic
changes, changing sponsor, student and
Potential or actual external risk factors are not
community needs or expectations, new or
effectively identified or evaluated.
changed legislation or regulations,
technological developments, etc.) on
department-wide objectives and plans.
A process exists to identify and consider the
implications of internal risk factors (new
personnel, new information systems, changes Potential or actual internal risk factors are not
in management responsibilities, new or effectively identified or evaluated.
changed educational or research programs,
etc.) on department-wide objectives and plans.
The likelihood of occurrence and potential
impact (monetary and otherwise) have been
Risks have not been prioritized.
evaluated. Risks have been categorized as
tolerable or requiring action.
In-depth, cost / benefit studies are performed
Risks are accepted with little or no study.
before committing significant unit resources.
Exposure is dealt with on a case by case basis.
A risk management program is in place to
Regular efforts or programs to manage risks do
monitor and help mitigate exposures.
not exist.
Internal expertise regarding risk and control
External advisors are consulted as needed to
issues is inadequate. Assistance is never
supplement internal expertise.
sought from outside sources.
Management promotes continuous Management promotes the status quo, even
improvement and solicits input and feedback when changes are needed to meet important
on the implications of significant change. business needs.

6
 Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
Management is willing to commit resources to Management offers no resources to facilitate
9.2 Support of change.
achieve positive change. change.
Mechanisms exist to identify, prioritize, and
react to routine events (i.e., turnover) that
9.3 Routine change. Procedures are not present or are ineffective.
affect achievement of unit-wide objectives or
action steps.
Mechanisms exist to identify and react to
9.4 Economic change. Procedures are not present or are ineffective.
economic changes.
Mechanisms exist to identify and react to
regulatory changes (maintain membership in
9.5 Regulatory change. Procedures are not present or are ineffective.
associations that monitor laws and regulations,
participate in University forums, etc.).
Mechanisms exist to identify and react to
9.6 Technological change. technological changes and changes in the Procedures are not present or are ineffective.
functional requirements of the unit.

Section 3 – Control Activities

10 – Written Policies and Procedures
10.1 University policies and procedures.
Department employees are aware of University
Knowledge of university policy and procedures
policy and procedures that apply to the
are not well known in the department.
department.

The department has documented its own

Department policies and procedures are not
10.2 Department policies and procedures. policies and procedures if applicable. They are
well known or documented.
well understood by department employees.

11 – Control Procedures
11.1 Senior management (University or Senior management monitors the department's Senior management does not monitor
College) reviews. performance against objectives and budget. department performance.

7
 Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
Reviews are made of actual performance
11.2 Objective performance reviews by
compared to objectives and previous periods Analyses are not performed or management
department management of major
for all major initiatives. Management analyzes does not follow up on significant deviations.
initiatives.
and follows up as needed.
Reviews are made of actual performance
versus budgets, forecasts, and performance in
11.3 Financial performance reviews by Analyses are not performed or management
prior periods for all major initiatives.
department management. does not follow up on significant deviations.
Management analyzes and follows up as
needed.
11.4 Direct functional or activity Performance reviews are made of specific
management by department functions or activities, focusing on compliance, No performance reviews occur.
management. financial or operational issues.
Unexpected operating results or unusual trends
11.5 Performance indicators. Operating results and trends are not monitored.
are investigated.
Financial transactions, timekeeping and
reconciliations are completed timely. The activities are not performed timely or
11.6 Financial transactions, timekeeping
Management performs a diligent review and regularly. Management does not carefully
records and reconciliations.
approval by signature and date or review or formally approve.
electronically.
Sponsored project accounts are reviewed and
reconciled. PIs certify the expenditures timely. Sponsored project accounts are not monitored;
11.7 Sponsored project account management. Department management monitors the reconciliations and certifications are not
portfolio of sponsored accounts for compliance timely.
and fiscal responsibility.
Restrictions on use are well documented, and
Restrictions are not clearly documented.
are understood by employees who administer
11.8 Use of restricted funds (gifts). Restricted fund accounts are not monitored;
the funds. Usage is monitored by management,
usage may not match restrictions.
accounts are reconciled.

8
 Assessment Factor
11.9 Information processing.
11.10 Physical controls.
11.11 Training and guidance for asset
custodians.
11.12 Separation of duties.
11.13 Record retention.
11.14 Disaster response plan.
12 – Controls over Information Systems
12.1 Local information systems and LANs.
9
Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
Controls exist to monitor the accuracy and
No information processing controls are in
completeness of information as well as
place.
authorization of transactions.
Equipment, supplies, inventory, cash and other
Equipment, supplies, inventory, cash and other
assets are physically secured and periodically
assets are not protected. Control records do not
counted and compared to the amounts shown
exist or are not up to date.
on control records. (if applicable)
Adequate guidance and training are provided to
No training or guidance is provided.
personnel responsible for cash or similar assets.
Financial duties are divided among different
people (responsibilities for authorizing No significant separation of financial duties
transactions, recording them and handling the among different employees.
asset are separated).
Unit employees understand which records they
Unit employees do not understand which
are responsible to maintain and the required
records they are responsible for maintaining.
retention period. Records are appropriately
The filing system is inadequate.
filed.
A disaster response and recovery plan has been
developed and is understood by key personnel.
No disaster response or recovery plan exists.
System operations are documented; software is
appropriately acquired and maintained; access
to the system, programs and data is controlled; Inadequate controls over local information
the system is maintained in a secure systems or LANs.
environment; applications are appropriately
developed and maintained.
 Assessment Factor
12.2 Application controls.
12.3 Back Up.
Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
The department controls its computer
applications by diligent and timely response to
edit lists, rejected transactions and other
control and balancing reports. Controls ensure Application controls are not used.
a high level of data integrity including
completeness, accuracy, and validity of all
information in the system.
Key data and programs on LANs or desktop
No formal back up procedures exist.
computers are appropriately backed up and
Management has not informed staff of back up
maintained. Off-site storage is adequate
requirements.
considering possible risks of loss.

10
 Assessment Factor
13 – Access to Information
13.1 Relevant external information.
13.2 Management reporting system.
13.3 Management of information security.
14 – Communication Patterns
14.1 Trust.
14.2 Policy enforcement and discipline.
14.3 Recommendations for improvement.
11
Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
Section 4 – Information and Communication
Department members receive relevant
information regarding legislation, regulatory
Relevant information is not available.
developments, economic changes or other
external factors that affect the department.
An executive information system exists.
Information and reports are provided timely. A formal reporting system does not exist.
Report detail is appropriate for the level of Reports are not timely or are not at appropriate
management. Data is summarized to facilitate levels of detail.
decision making.
Information is evaluated and classified based
on level of integrity, confidentiality and Information used by the unit has not been
availability. Individuals with access to evaluated and classified. Employees are not
information are trained to understand their trained with respect to information security.
responsibilities related to the information.
Management promotes and fosters trust Interactions among faculty, staff and/or with
between employees, supervisors and others other units is characterized by low levels of
within the Department. trust.
Employees who violate an important policy are Violations, while not condoned officially, are
disciplined. Management's communications often overlooked. Management's actions are
and actions are consistent with policies. inconsistent with official policies.
Employees are encouraged to provide
recommendations for improvement. Ideas are Employees' ideas are not welcomed.
recognized and rewarded.
 Assessment Factor
14.4 Formal communications.
14.5 External communications.
14.6 Informal communications.
14.7 Communication with evaluators.
15 – Management Supervision
15.1 Effectiveness of key control activities.
15.2 Management supervision of financial
and timekeeping activities.
15.3 Management supervision of new
systems development.
12
Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
Formal methods are used to communicate unit
policies and procedures (e.g., manuals, training To the extent that they exist, policies are buried
programs, written codes of conduct, and in unused manuals and documents.
acceptable business practices).
Standards and expectations are communicated
to key outside groups or individuals (e.g., No external communication of standards and
vendors, consultants, donors, sponsors, expectations.
subcontractors, sub-recipients).
Employees are kept informed of important
matters (downward communication) and are
able to communicate problems to persons with Most information is received by the
authority (upward communication). There is "grapevine."
effective functional coordination within the
department (lateral communication).
Information is openly shared with outside Information is kept secret from outside
evaluators. evaluators.
Section 5 – Monitoring
Management routinely spot-checks
transactions, records and reconciliations to Management never performs spot-checks.
ensure expectations are met.
Knowledge of University financial and
timekeeping policies are known by those with Policies are ad hoc or poorly communicated.
those responsibilities in the department.
Policies are defined for developing new
systems or changes to existing systems
Policies and procedures are ad hoc, poorly
(cost/benefit analysis, team composition, user
communicated, or ineffective.
specifications, documentation, acceptance
testing, and user approval).
 Assessment Factor Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
Budgets are compared to actual results and
deviations are followed up on a timely basis.
An analysis of actual versus budgeted results is
Adequate consideration is given to
15.4 Budget analysis. not performed, or management does not follow
commitments.
up on deviations.

16 – Outside Sources
16.1 Industry and professional associations.
16.2 Regulatory authorities.
16.3 Sponsors, students, suppliers, creditors,
and other third parties.
16.4 External auditors.
17 – Response Mechanisms
17.1 Management follow-up of violations of
policies.
17.2 External or internal audit reports.
17.3 Changes in conditions (e.g., economic,
regulatory, technological, or
competitive).
18 – Self-Assessment Mechanisms
Data is used to compare the unit’s performance
Comparative data is not regularly monitored.
with peers or industry standards.
Reports from regulatory bodies are considered Response is limited to what is necessary to "get
for their internal control implications. by" the regulators.
Root causes of inquiries or complaints are
Inquiries or complaints are dealt with case-by-
investigated and considered for internal control
case, with little or no follow-up.
implications.
Information provided by external auditors
Findings are referred to lower levels or are
about control-related matters are considered
explained away.
and acted on.
Timely corrective action is taken. Follow-up is sporadic.
Consideration of issues from audit reports are
Audit report issues are considered and
delegated to lower levels or is given low
immediately acted upon at appropriate levels.
priority.
Changes are anticipated and routinely
integrated into ongoing long- and short-range Responses are reactive rather than proactive.
planning.

13
 Assessment Factor
18.1 Monitoring of control environment.
18.2 Evaluation of risk assessment process.
18.3 Assessment of design and effectiveness
of internal controls.
18.4 Evaluation of information and
communication systems.
Indication of Stronger Controls Indication of Weaker Controls Assessment
Strong - Weak
1 2 3 4 5
Management periodically assesses employee
attitudes, reviews the effectiveness of the
Assessment processes do not exist.
organization structure, and evaluates the
appropriateness of policies and procedures.
Management periodically evaluates the
Assessment processes do not exist.
effectiveness of its risk assessment process.
Internal controls are subject to a formal and
Assessment processes do not exist.
continuous internal assessment process.
Management periodically evaluates the
accuracy, timeliness and relevance of its
information and communication systems.
Assessment process does not exist.
Management questions information on
management reports that appears unusual or
inconsistent.

Department Name: _______________________________________ Date: _______________

Completed By:

____________________________________________________________________________
Name(s)

____________________________________________________________________________
Title(s)

14