Comptroller's Office
 Policies and Procedures Manual

Effective: 01/01/2000
Revised: 07/01/2013 


CMP 603: Internal Controls


The purpose of this policy is to set minimum standards for internal control activities for University transactions.


University policy

Arizona Board of Regents policy for Internal Control Responsibilities, Chapter 6, Section 6-711

Arizona Board of Regents Guidelines for the Implementation of ABOR 6-711 "Internal Controls Responsibilities"


Internal control activities are those specific policies and procedures that help ensure management directives are properly implemented. They include a wide range of activities that occur throughout the university, by supervisory and front-line personnel. This is not an all-inclusive list, but the following are some examples of common control activities that will be further discussed:


- Segregation of Duties

- Approval

- Management Review

- Reconciliations

- Asset Security





Segregation of duties is critical to effective internal control; it reduces the risk of both erroneous and inappropriate actions.  Segregation of duties is a deterrent to fraud because it prevents collusion with another person to perpetrate a fraudulent act.  Adequate segregation of duties reduces the likelihood that errors, intentional or unintentional, will remain undetected by providing for separate processing by different individuals at various stages of a transaction and for independent reviews of the work performed. 


Specific examples of segregation of duties are as follows. This list is not all-inclusive.

         The person who requisitions the purchase of goods or services is not the person who approves the purchase.

         The person who approves the purchase of goods or services is not able to obtain custody of the check that pays for the transaction.

         The person who maintains and reconciles the accounting records is not able to obtain custody of the check that pays for the transaction.

         The person who opens the mail and prepares a listing of checks received is not the person who makes the deposit.

         The person who opens the mail and prepares a listing of checks received is not the person who maintains the accounts receivable records.





It is required that the approval function, the accounting/reconciling function, and the asset custody function be separated among employees. 


When these functions cannot be separated, generally due to small department size, the Compliance, Controls and Business Services Office must be contacted for consultation and development of compensating control activities.


At least two people must be involved in a transaction stream.

         Initiate the transaction

         Approve the transaction

         Record the transaction

         Reconcile balances

         Handle assets

         Review reports






Approval of a transaction means that the approver has reviewed the supporting documentation and is satisfied that the transaction is appropriate, accurate and complies with applicable laws, regulations, policies, and procedures.


Approval may be written and evidenced via a signature on a document which indicates that the transaction has been reviewed and approved. Approval may also be electronic as evidenced by a click to approve a transaction in a system. Regardless of the mode, approval must be done by someone who has approval authority. Approval authority can be inherent in a person's role within the organization if they are responsible for the unit's activities. It may also be that they have been granted approval authority in a transactional system.




Approvers must review supporting documentation, question unusual items, and make sure that necessary information is present to justify the transaction before they approve the transaction. 


Signing blank forms is not allowed. Use of a signature stamp is not allowed.


Under no circumstance may an approver tell someone that they could sign the approver's name on behalf of the approver. Similarly, under no circumstance may an approver with electronic approval authority share his/her password with another person.


To ensure proper segregation of duties, the person initiating a transaction must not be the person who approves the transaction.

System privileges must be modified or deleted, as appropriate, immediately upon the transfer or termination of employees in order to protect the integrity of the internal control system. Examples of actions to take upon transfer or termination of an employee are return of keys to buildings/offices, return of the procurement card, notification to the Comptroller's Office of change in signature authority, and deletion of computer access privileges.






Reviewing reports, statements, reconciliations, and other information by management is an important control activity; management must review such information for consistency and reasonableness. Reviews provide a basis for detecting problems.


Management is defined as a Dean, Director, Chair, Provost, or other appropriate NAU employee who has responsibility for a unit's activities.





Management will compare information about current performance to budgets, forecasts, prior periods or other benchmarks to measure the extent to which goals and objectives are being achieved and to identify unexpected results or unusual conditions which require follow-up. Management's review of reports, statements, reconciliations, and other information must be documented, as well as the resolution of items noted for follow-up. The simplest evidence of this review is signed initials and date of review.






Broadly defined, a reconciliation is a comparison of different sets of data to one another, identifying and investigating differences, and taking corrective action, when necessary, to resolve differences. Reconciling monthly financial reports (e.g., Transaction Detail/Summary Reports) to file copies of supporting documentation or departmental accounting records is an example of reconciling one set of data to another. This control activity helps to ensure the accuracy and completeness of transactions that have been charged to a department's accounts. To ensure proper segregation of duties, the person who approves transactions or handles cash receipts must not be the person who performs the reconciliation.


A critical element of the reconciliation process is to resolve differences, not just to note them and do nothing about them.





To ensure proper segregation of duties, the person who approves transactions or handles cash receipts must not be the person who performs the reconciliation.


Differences must be identified, investigated, and explained - corrective action must be taken.  If an expenditure is incorrectly charged to a department's account, then the approver must request a correcting journal entry; the reconciler must ascertain that the correcting journal entry was posted. Reconciliations must be documented and approved by management.






Liquid assets, assets with alternative uses, vital documents, critical systems, and confidential information must be safeguarded against unauthorized acquisition, use, or disposition. Typically, access controls are the best way to safeguard these assets. Examples of access controls are as follows: locked door, key pad system, card key system, locked filing cabinet, terminal lock, computer password, automatic callback for remote access, smart card, data encryption, etc.


An annual inventory where assets are verified against a list provided by Property Administration ensures that all assets that are expected to be on hand are still accounted for.





Departments will maintain reasonable access controls, consistent with the type of asset.


Departments will comply with the Physical Count of Fixed Assets policy and procedure that is in place (See PUR 701). Annually, the items must be physically counted by a person who is independent of the purchase, authorization and asset custody functions, and the counts must be compared to balances per the records provided by Property Administration.  Missing items must be investigated, resolved, and analyzed for possible control deficiencies; records will be adjusted to physical counts if missing items are not located.





The department of Compliance, Controls and Business Services is available to assist departments with the interpretation of this policy as well as validation that reasonable controls are in place. Further, this department can be of assistance when considering non-traditional internal controls as well as with the development of compensating controls.

