FIN-021: Internal Control

Date: 07/14/2009 Status: Final
Last Revised: 06/11/2018
Policy Type: University
Oversight Executive: Vice President for Finance, Chief Financial Officer of the Health System
Applies To:

Academic Division, the Medical Center, and the College at Wise.

Reason for Policy:

The University of Virginia and the University of Virginia Medical Center are committed to maintaining a strong system of internal control as a business best-practice. This policy assists the University and Medical Center in complying with the Commonwealth of Virginia Agency Risk Management and Internal Control Standards (ARMICS) and is consistent with the internal control integrated framework promulgated by the Committee of Sponsoring Organizations of the Treadwell Commission (COSO).

Definition of Terms in Statement:
  • Internal Control:
    Organizational plans and procedures which are designed to:
    • Safeguard assets;
    • Verify the accuracy and reliability of accounting data and other management information;
    • Promote operational efficiency; and
    • Adhere to prescribed policies and compliance with federal and state regulations. 
Policy Statement:

All employees of the University and Medical Center must perform their duties in accordance with proper internal control as established by prescribed standards and principles or as set by the department or unit head (or designee). Any observed weaknesses in internal control must be brought to the attention of the Assistant Vice President for Financial Operations or the Controller for the Medical Center (as applicable) immediately. Failure to adhere to the University's policies and procedures may be considered misconduct and may be subject to disciplinary action as provided in the applicable personnel policies.

Department and unit heads are responsible for conducting their business activities in a manner consistent with good internal control. Individuals responsible for administering University funds and resources have duties which include but are not limited to:

  • Acting ethically and setting a tone within the organization for ethical conduct and integrity (see University Code of Ethics and Statement of Purpose.
  • Ensuring that University, School, Department, Unit, Sponsor, and Medical Center policies and procedures are available to and understood by those carrying out financial transactions.
  • Complying with University, Federal, State, Sponsor, and Donor terms, conditions and restrictions on the use of funds.
  • Granting or delegating financial authority carefully, with consideration for proper segregation of duties.
  • Ensuring that appropriate reviews and monitoring take place, including a timely review of operating reports and performance indicators.
  • Complying with the University’s policy FIN-023: Reconciling Departmental Accounting Records.
  • Clearly communicating expectations and holding individuals accountable for their actions when viewing institutional records or processing transactions.
  • Communicating institutional information (e.g., financial reporting, performance metrics, etc.) properly and in a timely manner, and granting access to financial information only for appropriate business uses.
  • Protecting assets, including data, equipment, supplies, inventory, and cash from unauthorized access or theft.

The Assistant Vice President for Financial Operations and/or Controller for the Medical Center is responsible for the promulgation of policies and procedures directed toward the establishment of good internal control.

The University's internal auditors, in their periodic reviews of departments and activities, will review the system of internal control and make recommendations for improvements.

Compliance with Policy:
Failure to comply with the requirements of this policy may result in disciplinary action up to and including termination or expulsion in accordance with relevant University and Health Sytstem/Medical Center policies as appropriate.

Questions about this policy should be directed to the Contact Office.


Procedures are currently under revision. Any questions should be addressed to the Contact Office.

Related Information:

FIN-005: Extension and Collection of Credit
FIN-016: Receiving and Depositing Cash & Other Monetary Instruments
FIN-023: Reconciling Departmental Accounting Records
FIN-030: Purchases of Goods and Services
FIN-034: Maintenance of Equipment Inventory
FIN-038: Receiving Goods and Services and Timely Disbursements of University Funds
FIN-040: Managing Petty Cash Funds
FIN-041: Managing Petty Checking Accounts
FIN-042: Managing Change Funds
FIN-049: Revenue Generating Activities
FIN-054: Employee Obligation to Report Potential Conflicts of Interest
GOV-002: Reporting Fraudulent Transactions
IRM-017: Records Management
PRM-016: Surplus Property Disposal
Medical Center Policy 0217, Corporate Compliance Auditing and Monitoring Program
Medical Center Policy 0283, Behavioral Code of Conduct
See also:
the University's Code of Ethics
the Board of Visitors resolution Audit Charter
Employee Policies maintained by Human Resources
State Policy 1.60, Standards of Conduct
Gramm Leach Bliley Act
COSO Internal Control - Integrated Framework
ARMICS Standards issued by the Department of Accounts

Major Category: Finance and Business Operations
Next Scheduled Review: 04/24/2021
Approved by, Date: Policy Review Committee, 07/14/2009
Revision History: Added Med Ctr information 6/11/18; Updated 4/24/18; 9/15/15.
Supersedes (previous policy):
I.A.1, Internal Controls