Internal Audit & Advisory Services

Internal Controls

There are many definitions of internal control, as it affects the constituencies of an organization in various ways and at different levels of aggregation. Everyone in an organization has responsibility for internal control to some extent. Virtually all employees produce information used in the internal control system or take other actions needed to effect control. Also, all personnel should be responsible for communicating upward problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions.

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control. 

The COSO model defines internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories:

Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations” 

In an “effective” internal control system, the following five components work to support the achievement of an entity’s mission, strategies and related business objectives.

Control Environment

Integrity and Ethical Values
Commitment to Competence
Board of Directors and Audit Committee
Management’s Philosophy and Operating Style
Organizational Structure
Assignment of Authority and Responsibility
Human Resource Policies and Procedures

Risk Assessment

Company-wide Objectives
Process-level Objectives
Risk Identification and Analysis
Managing Change

Control Activities

Policies and Procedures
Security (Application and Network)
Application Change Management
Business Continuity/Backups

Information and Communication

Quality of Information
Effectiveness of Communication


Ongoing Monitoring
Separate Evaluations
Reporting Deficiencies

These components work to establish the foundation for sound internal control within the company through directed leadership, shared values and a culture that emphasizes accountability for control. The various risks facing the company are identified and assessed routinely at all levels and within all functions in the organization. Control activities and other mechanisms are proactively designed to address and mitigate the significant risks. Information critical to identifying risks and meeting business objectives is communicated through established channels up, down and across the company. The entire system of internal control is monitored continuously and problems are addressed timely.

Internal Control Policy

Internal Control Video

Western University of Health Sciences (WesternU) has received authorized permission to share this video, for general informational purposes, from the Association of College & University Auditors (ACUA). Nothing in this video should be construed as an example of and/or reflective of WesternU’s specific policies, procedures or protocols governing Internal Controls or other related aspects mentioned in the video. For information regarding WesternU’s specific policy and procedures on Internal Controls, see Internal Control Policy above.