Resources & Guidance

Audit Resources

The Office of Internal Audits (OIA) welcomes questions or requests for assistance from the campus community. Some of the OIA internal and external resources are listed below.




Regulations & Standards

Professional Organizations

Internal Control

Internal Control is defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as a process, effected by an entity’s governing board, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operation, reporting, and compliance.

Internal control objectives are:

  • Operations objectives - pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss.
  • Reporting Objectives – pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency or other terms as set forth by regulators, recognized standard setters, or the entity’s policies.
  • Compliance Objectives – pertain to adherence to laws and regulations to which the entity is subject.

Internal control fundamental concepts are:

  • A process consisting of ongoing tasks and activities, a means to an end, not an end in itself.
  • Effected by people, not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to affect internal control.
  • Able to provide reasonable assurance, but not absolute assurance, to an entity’s senior management and governing board.
  • Adaptable to the entity structure, flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process.

Five integrated components of internal control are the:

  1. Control environment – set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. Including the elements of integrity and ethical values, management philosophy and operating style, organizational structure, assignment of authority and responsibility, human resource policies and practices, and competence of personnel.
  2. Risk Assessment – a dynamic and iterative process for identifying and assessing risks to the achievement of objectives, forming the basis for determining how risks will be managed.
  3. Control activities – are the actions established through policies and procedures that help ensure management’s directives are carried out to mitigate risks. They may be preventive or detective in nature and may encompass a range of manual and automated activities.
  4. Information and communication – Information is necessary for the entity to carry out internal control responsibilities and to support the achievement of its objectives. Communication is the continual iterative process of providing, sharing, and obtaining necessary information. It may be internal by which information is disseminated throughout the organization or external enabling inbound communication of the external information.
  5. Monitoring Activities – are ongoing evaluations, separate evaluations or a combination of the two, to ascertain whether each of the five components of internal control are present and functioning.

Limitations of Internal Control:
Internal control provides reasonable assurance of achieving the entity’s objectives. Even an effective system of internal control can experience a failure. Limitations of internal control may result from the:

  • Reality that human judgment in decision making can be faulty and subject to bias.
  • Breakdowns that can occur because of human failures such as simple errors.
  • Suitability of objectives established as a precondition to the control.
  • Ability of management to override internal control.
  • Ability of management, other personnel, and /or third parties to circumvent controls through collusion.
  • External events beyond the organization’s control.

The definition, objectives, concepts, components, and limitations of internal control are taken from Internal Control- Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission.