UVA Logo
FIN-021: Internal Control

Date: 07/14/2009 Status: Final
Last Revised: 06/22/2022
Policy Type: University
Oversight Executive: Vice President and Chief Financial Officer, Chief Financial Officer of the Health System, Vice Chancellor for Finance and Operations (College at Wise)
Applies To:

Academic Division, the Medical Center, and the College at Wise.

Reason for Policy:

The University of Virginia, the University of Virginia Medical Center, and the College at Wise are committed to maintaining a strong system of internal control as a business best-practice. This policy assists the University, the Medical Center, and the College at Wise in complying with the Commonwealth of Virginia Agency Risk Management and Internal Control Standards (ARMICS) and is consistent with the internal control integrated framework promulgated by the Committee of Sponsoring Organizations of the Treadwell Commission (COSO).

Definition of Terms in Statement:
  • Internal Control:
    Organizational plans and procedures which are designed to:
    • Safeguard assets;
    • Verify the accuracy and reliability of accounting data and other management information;
    • Promote operational efficiency; and
    • Adhere to prescribed policies and compliance with federal and state regulations. 
Policy Statement:

As affirmed by the Board of Visitors of the University of Virginia and expressed in the Code of Ethics, all employees must perform their duties ethically and honestly, in compliance with all University policies and applicable federal, state, and local laws; and further sets forth an expectation of responsible stewardship of University resources which requires the implementation of and adherence to a well-functioning system of internal controls. Any observed weaknesses in internal control must immediately be brought to the attention of the Assistant Vice President for Financial Operations for the University, the Controller for the Medical Center, or the Controller at the College at Wise (as applicable).

  1. Responsibilities:
    University, Medical Center, and College at Wise executives and leaders of major business units (e.g., vice presidents and deans) are responsible for:

    • Establishing, maintaining, and supporting a system of internal controls within their areas of responsibility.
    • Making policies, procedures, and business processes easily accessible to all employees and, as appropriate, other members of the University community.
    • Creating a control environment that encourages and promotes the principles set forth in the University’s Code of Ethics and holds all employees accountable for compliance with applicable policies and federal, state, and local laws.
    • Providing an annual attestation in connection with the University’s financial statements.

    Department and unit heads are responsible for conducting the business activities of their areas in a manner consistent with good internal control. This includes but is not limited to:

    • Segregation of Duties. Dividing responsibilities among individuals so that no one individual controls all aspects of a transaction or activity.
    • Responsible Delegation. Granting or delegating financial authority carefully to prevent provisioning conflicting roles/responsibilities, with due consideration for segregation of duties and considering potential conflicts of interest or commitment.
    • Safeguarding of Assets. Maintaining assets and records securely as required by applicable University standards to prevent unauthorized access, loss, or damage.
    • Employee Competence and Integrity. Setting clear expectations for competence (knowledge, skills, and abilities) and integrity; monitoring employee performance; and holding individuals accountable.
    • Ongoing Monitoring. Assessing business operations periodically, including employee job duties and assignments, to prevent and detect problems; and taking prompt corrective action, when needed.
    • Annual Attestation. Providing an annual attestation regarding compliance with internal controls for their areas(s) if required.
    • Other. All other associated reconciliations, account certifications, financial attestations, and monitoring required to promote a strong culture of compliance and fiscal stewardship.

    All employees responsible for administering University, Medical Center, and College at Wise funds and resources have duties which include but are not limited to:

    • Adhering to the University Code of Ethics and Statement of Purpose.
    • Communicating institutional information (e.g., financial reporting, performance metrics, etc.) properly and in a timely manner, and granting access to financial information only for appropriate business uses.
    • Safeguarding assets, including data, equipment, supplies, systems, inventory, and cash from unauthorized access, damage, or theft.
    • Reporting breakdowns in internal control systems to their manager.
    • Reporting known or suspected violations of University policy, law, or regulations. (See applicable University policy(ies), area website(s), or the Report a Concern webpage for reporting mechanisms.)

    The Associate Vice President for Financial Operations, the Controller for the Medical Center, and the Controller for the College at Wise are responsible for the promulgation of policies and procedures directed toward the establishment of good internal control.

    The University's internal auditors, in their periodic reviews of departments and activities, will review the system of internal control and make recommendations for improvements.

  2. Compliance with Policy:
    Failure to comply with the requirements of this policy may result in disciplinary action up to and including termination or expulsion in accordance with relevant University, Health System/Medical Center, and Wise policies as appropriate.

    Questions about this policy should be directed to Financial Reporting and Operations (University), Office of the Chief Accounting Officer (Medical Center), or Financial Administration (College at Wise), as appropriate.


Procedures are currently under revision. Any questions should be addressed to the applicable Contact Office noted above.

Major Category:
Finance and Business Operations
Next Scheduled Review:
Approved By, Date:
Policy Review Committee, 07/14/2009
Revision History:

Revised 6/22/22; Added Med Ctr information 6/11/18; Updated 4/24/18; 9/15/15.

Supersedes (previous policy):

I.A.1, Internal Controls