Internal Controls

Good internal control practices allow the university to achieve its objectives while maintaining an environment that focuses on ethics and accountability.

UB's Commitment to Internal Controls

Internal controls are measures adopted by the university to promote the thoughtful and efficient use of all resources. UB is fundamentally committed to the principles and practices of internal controls.

“…All university employees are responsible for safeguarding the significant resources with which UB is entrusted. This responsibility is met through thoughtful consideration of the risks presented in our daily operations and through mitigation of those risks with meaningful policies, procedures, and collaborative best practices. Success of the internal control program is dependent on the individual integrity of every employee…

We, as members of our university community, must be committed to adhering to the principles and practices of UB’s system of internal controls. Stewardship of the public trust is integral to our university values and mission.”

-Satish K. Tripathi, President, University at Buffalo

Internal Control Best Practices

Effective internal controls help departments:

  • Identify priorities
  • Achieve department goals
  • Issue reliable reports
  • Meet compliance requirements
  • Safeguard University assets

Departments benefit by:

  • Reducing and preventing errors
  • Ensuring priority issues are identified and addressed
  • Providing appropriate checks and balances

UB uses the Committee of Sponsoring Organizations of the Treadway Commission (COSO) principles as its basis for an internal control program. 

Keys to Good Internal Control Practices

Effectiveness, Efficiency and Consistency

Effective and efficient performance accomplishes goals and objectives in an accurate and timely fashion using minimal resources; consistent performance increases reliability. Operations are considered effective when they get the job done. Best practices eliminate duplicated efforts, streamline processes, increase productivity, and employ a variety of means to achieve consistent, efficient and effective processes.

Inefficiencies occur when processes are performed that provide no additional benefit or value. Inefficiency and ineffectiveness may result in a lack of resource availability and may cause a unit to be unable to meet its objectives. Frequently, this results in added operational costs to the organization. Those costs could be measured in overtime wages, unmet targets, lost productivity or the inability to accept additional responsibility. Ultimately, inefficiencies result in the inability to be effective in attaining objectives.

Best Practices

  • Analyze business processes; identify and eliminate duplicate efforts.
  • Streamline processes by reducing any non-value-added procedures.
  • Identify processes that have been done merely because “that’s the way we’ve always done it.” Determine if those processes are still needed. If they are, identify methods that would allow steps to be completed in a more timely or effective manner.
  • Strive to process documents or transactions in a minimum required time to increase the efficiency and effectiveness of the unit.
  • Employ a cost-benefit methodology when analyzing and developing new processes. If the costs outweigh the benefits, then consider eliminating the procedures or significantly reducing the number of steps needed to complete the process.
  • Think “outside the box.” Look for more innovative ways to accomplish goals and objectives.
  • Automate where possible.

Policies and Procedures

Written policies and procedures:

  • Document business processes, personnel responsibilities and departmental operations
  • Promote uniformity in executing and recording transactions
  • Serve as training tools and resources for employees
  • Facilitate training and provide guidelines when there are changes in personnel (e.g., new employees, promotions)

If written policies and procedures do not exist, are inaccurate, incomplete, or simply not current, the following could result:

  • Inaccurate and unreliable financial records due to inappropriate recording of transactions
  • Inconsistent practices among employees or departments
  • Processing errors due to a lack of knowledge
  • Inability to enforce employee accountability

Best practices:

  • Document all significant business practices, processes and policies
  • Ensure that staff are aware of and understand policies and procedures
  • Make policies and procedures available to all personnel
  • Ensure policies and procedures are accurate, complete and current
  • Revise policies and procedures for changes in business processes and policies; this is particularly important when new systems are developed and implemented or other organizational changes occur
  • Communicate significant changes to all affected personnel immediately to ensure they are aware of revisions to their daily duties and responsibilities

Segregation of Duties

Segregation of duties is a primary concept in a system of internal control. Adequate segregation of duties reduces the likelihood that errors (intentional or unintentional) will go undetected. The basic idea underlying segregation of duties is that no employee or group should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. One person should not be able to initiate, record, authorize, execute and review a transaction. Reconciliations should be performed by a person independent of the basic process.

If an adequate segregation of duties does not exist, the following could occur:

  • Misappropriation of assets
  • Misstated financial statements
  • Inaccurate financial documentation (e.g., errors, irregularities)
  • Improper use of funds or modification of data could go undetected

Best practices:

  • Design a system of checks and balances to decrease the likelihood of errors and irregularities. The level of risk associated with a transaction should be considered when determining the best method for segregating duties.
  • Document and clearly communicate who will initiate, submit, process, authorize, review or reconcile each activity within a unit.
  • Assess the potential for mistakes or fraudulent transactions. If the segregation of duties is not sufficient to eliminate or adequately reduce the risk of errors going undiscovered, management’s review should be increased.

Safeguarding Assets

Assets are the economic resources of the university that are expected to be of benefit in the future. Assets include cash, office supplies, equipment, furniture, buildings and land. Protective measures, including administrative, physical and technical security, must be taken to ensure that assets are maintained in a properly controlled and secured environment. Assets and records should be kept secure at all times to prevent unauthorized access, loss or damage. The security of assets and records is essential for accurate operations. If safeguards are not in place, the following could occur:

  • Unauthorized transactions or processing
  • Lost or misplaced assets, records or information
  • Theft
  • Fraud
  • Loss of revenue or increased expenses
  • Improper disclosure of private information
  • Penalties for violating privacy laws

Best practices:

  • Designate a point person to establish responsibility and accountability for security
  • Store all assets in a secure, locked area
  • Store cash in a locked, preferably fireproof safe
  • Maintain accurate lists of equipment to reduce the risk of misplacement or personal use
  • Restrict access to data and other assets to a limited number of individuals within the department or organization
  • Ensure proper access controls are in place (e.g., user IDs and unique passwords that must be changed frequently)

Safeguarding Confidential Information

Information is one of the university's most valuable resources and requires responsible management and safeguarding by all members of the university community. We collect, retain and use personal information from such sources as hard copy applications, electronic forms, background checks or over the internet. While collecting and handling this information, we must ensure the security and confidentiality of such personal information, protect against any anticipated threats to its security or integrity and guard it against unauthorized access or use. Improper disclosure of private information can lead to:

  • Fraud
  • Identity theft
  • Using scarce resources to investigate and correct problems
  • Loss of customer trust and damaged reputations
  • Penalties for violation of laws

Best practices:

  • Assess the information stored in files and computers and identify who has access to it
  • Collect only the information needed for legitimate business purposes and keep it only as long as necessary
  • Protect the information you keep, considering physical security, electronic security and employee training
  • Properly dispose of what is no longer needed
  • Create a plan to respond to security incidents

Review and Approval

A good internal control system provides a mechanism to verify that transactions and activity are for the correct purpose and amount and are allowable. When a process is performed within a department, there should always be another level of review and approval performed by a knowledgeable individual independent of the process. The reviewer should be able to identify errors and omissions. The approval should be documented to verify that a review was done. Review and approval help to reduce errors, irregularities and inaccurate or incomplete information in accounts and reports.

Inadequate review and approval could result in the following:

  • Overlooking errors resulting in misstatements that could affect financial, as well as operational decisions
  • Inaccurate or incomplete information in accounts or reports
  • The inability to detect irregularities

Best practices:

  • Review processes, transactions, and reports for accuracy, completeness and timeliness
  • Investigate and resolve errors and discrepancies (intentional or unintentional) in a timely manner
  • Ensure that the reviewer is someone who:
    • Is knowledgeable about the items or areas being performed so that they are able to identify errors or omissions
    • Has the authority (e.g., supervisory role) to authorize, provide direction and make decisions about the items under review
    • Does not perform the process
  • Provide evidence of the review and approval (e.g., signed or initialed and dated by the reviewer or approver)
  • Ask yourself whether the expenditure is a wise use of taxpayer money
  • Ask yourself how the transaction would be perceived if it were reported in the newspaper

Timeliness

In simple terms, timeliness means meeting prescribed deadlines. When deadlines are not met, the following could occur:

  • Inefficiencies
  • Fines or penalties
  • Loss of prospective projects or customers
  • Negative impact on operational processes

The timeliness of processing may not be a major priority on an individual’s “to do” list, but if you don’t have the time to do it right, when will you have the time to do it over? As organizations continue to push to do more with less and create increased operational efficiencies and profits, timeliness has become important to the overall success of the organization. It’s the one area where all employees can analyze their workflows and identify ways to work smarter and save time.

Best practices:

  • Obtain an understanding of all the required deadlines, particularly those that are “not negotiable” such as regulatory due dates
  • Build in adequate lead times to ensure the work product or report is complete, accurate, and has been reviewed before it is submitted. Meeting the deadline is great, but providing a quality product on time is better. If it has to be returned for corrections or omissions, the deadline has not been met
  • Prioritize activities when critical deadlines are imminent
  • Ensure adequate resources are available, and employees are trained and able to complete the tasks to meet deadlines
  • Notify the appropriate parties in advance if deadlines cannot be met. Determine if the deadline is negotiable. Commit to the new date and be willing to do whatever it takes to meet it
  • Create an expectation within the organization that continuous process improvement means that a product is quality if it’s great and on time


Documentation

In the context of internal controls, paper or electronic communication which supports the completion of the lifecycle of a transaction meets the criteria for documentation. Anything that provides evidence for a transaction, who has performed each action pertaining to a transaction, and the authority to perform such activities are all considered within the realm of documentation. Documents provide a record of each event or activity to support the accuracy and completeness of transactions. Proper documentation provides evidence of what has transpired as well as information for researching discrepancies. Decision makers rely on facts provided in reports; therefore, it is imperative that the information be accurate, complete and current; fully disclosed; concise, objective and provided on a timely basis.

Inaccurate or incomplete reporting could result in the following:

  • Loss of research funding or state appropriation
  • Reduced credibility
  • Incorrect decision-making based on faulty information

Best practices:

  • Consistently use standard forms to properly record transactions
  • Create templates for email approvals, departmentally created supporting documentation and reimbursement logs
  • Use attachments or notes to document corrections or adjustments to records. Ensure the date and approval are evident
  • Establish a method to prevent duplicate processing, especially for transactions that result in payments to individuals such as payroll, petty cash and travel reimbursement
  • Establish a process for purging documents that have reached the end of their retention period
  • Ask yourself, “What would an auditor want to see?”


Accounting

Accounting is a system that measures business activities, processes information into reports, and communicates findings to decision makers. Two major controls of an accounting system are accurate posting of transactions and adequate account review and reconciliation.

Inadequate controls over an organization’s accounting system could result in:

  • Misstated financial reports
  • Inaccurate and unreliable financial records

Best practices:

  • Train employees on performing accounting functions
  • Ensure that proper segregation of duties exists within the accounting function
  • Document authority to create an expectation of responsibility and accountability
  • Review transactions, adjusting journal entries, and reports for accuracy, completeness and timeliness
  • Reconcile accounts monthly
  • Document the review and approval of reconciliations
  • Ensure that individuals performing account reconciliations are independent of the cash receipts or cash disbursements process
  • Identify and correct reconciling items, errors and omissions on a timely basis
  • Ensure that automated accounting systems have the proper level of input and processing controls to ensure the integrity of the financial data being reported

Policies and Standards

Notice of Generally Applicable Management Policies and Standards

The New York State Governmental Accountability, Audit and Internal Control Act (Internal Control Act) embodies New York State’s commitment to efficient and effective business practices, quality services and ethics in the operations of State government. The Internal Control Act outlines the requirements for a comprehensive system of internal controls. Internal control is the integration of activities, plans, attitudes, policies and efforts of an organization working together to provide reasonable assurance that the organization will achieve its objectives and mission.

As such, internal control is people-dependent. Every member of the organization has a role, since every activity of the organization should be directed toward achieving its mission.

The Internal Control Act requires the university to provide each employee a clear and concise statement of the generally applicable management policies and standards with which employees are expected to comply. This includes a position description and performance program, pertinent collective bargaining agreement, policies of the SUNY Board of Trustees and Public Officers Law. Copies of these documents may be obtained by contacting Human Resources, 120 Crofts Hall at 716-645-7777.

In addition, other policies and standards are issued by the President and other officers of the university. 

Contact an Expert

Carrie A. Woodrow


Policy, Compliance and Internal Controls

420 Crofts Hall

Phone: (716) 645-1786

