Internal Controls: COSO, the Uniform Guidance, and More!

By Mary Lee Brown posted Fri February 06, 2015 15:45


Within the research administration community the concept of internal controls has garnered increased attention recently, especially with the release of the Uniform Guidance (UG)[1] and in particular section §200.303 Internal Controls, found in Subpart D, Post Federal Award Requirements, Standards for Financial and Program Management. So, what are internal controls and why are they so important? Let’s start with a definition. COSO[2] and the UG use the same definition for internal controls. The UG states in §200.61 that Internal Controls means a process implemented by a non-Federal entity [e.g., institution of higher education], designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  (a) Effectiveness and efficiency of operations;
  (b) Reliability of reporting for internal and external use; and
  (c) Compliance with applicable laws and regulations.

In accordance with the UG §200.303, non-Federal entities must maintain effective internal control over the federal award that provides reasonable assurance that the entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. Internal controls should be in compliance with the Standards for Internal Control in the Federal Government (the “Green Book”) issued by the Comptroller General of the United States, or the Internal Control Integrated Framework issued by COSO. In addition, non-Federal entities must:

  • comply with Federal statutes, regulations, and the terms and conditions of the Federal awards;
  • evaluate and monitor compliance;
  • take prompt action when non-compliance is identified;
  • take reasonable measures to safeguard personally identifiable information and other information designated as sensitive.

These requirements are not new. Per the preamble to the UG, the UG moves guidance that previously was only discussed in audit requirements into the administrative requirements to encourage non-Federal entities to better structure their internal controls earlier in the process[3].

Why are they important?

Good controls encourage efficiency and compliance with laws, regulations and University policies, and seek to eliminate waste, fraud and abuse. Good controls are always documented and are most often communicated via policy and procedure manuals or guidelines, educational sessions and training programs, websites, regular publications such as newsletters, etc. All employees of a University have some role in internal controls. That role depends on an individual’s job responsibilities or association with the University. At the most senior executive levels the role may involve setting the tone for expected behavior by all staff, e.g., through publication and dissemination of a Code of Conduct/Ethics. At the staff supervisory level the role may involve reviewing transactions for reasonableness and allowability prior to approval, or reconciling accounts to ensure amounts are accurate and proper or to identify instances where follow-up may be necessary. At the management level the role may involve establishing control policies, conducting periodic assessments to confirm systems of control are designed properly and functioning as intended, or ensuring that adequate resources are available to carry out objectives. Whether your role is establishing and maintaining the controls or executing the processes and procedures in compliance with policies, good internal controls signal an institution’s ability to effectively manage operations in furtherance of its mission, foster confidence in the reliability of financial information, and foster confidence that the institution and its employees have complied with laws and regulations. I recommend institutions establish a formal policy on internal control that articulates the institution’s commitment to sound business practices and describes the responsibilities of those whose roles are referenced above.

Additional concepts related to internal control include:

  • Management, not the internal or external auditors, must establish and maintain the institution’s controls. Auditors can assess the adequacy and effectiveness of controls and provide advice or recommendations to strengthen controls.
  • Controls apply to manual as well as electronic systems. Consider, for example, controls which govern the rules for granting access to electronic systems and controls that direct how frequently those access privileges are reviewed and confirmed as appropriate for the individual’s job duties and responsibilities.
  • No system of control can be considered completely effective, nor can internal control ensure the success of an entity. Internal control cannot change an inherently poor manager into a good one.
  • The cost versus the expected benefit of implementing any control should be taken into consideration when designing controls.
  • Regardless of the commitment to effective internal controls, every institution will experience a breakdown in controls at some time and on some scale. Good internal controls help ensure an entity can avoid damage to its reputation and other consequences.


The COSO Integrated Framework and the Components of Internal Control

The Core Concepts of the Framework state that the objectives of internal control are to promote effective and efficient operations, produce timely and accurate reporting, and help ensure compliance with laws and regulations. There are five Components of Control: a strong control environment (tone at the top), an assessment of risks to achieving your objectives, control activities (what most people perceive as internal controls – approval signatures, reconciliations, supervisor review, etc.), a steady flow of information and communication, and monitoring of the system of internal control. These Components of Control must be present, functioning, and operating together for a system of internal control to be effective.

In managing risks associated with the conduct and administration of research at an institution of higher education, let’s view the research portfolio through the components of internal control.

Control Environment – Does the board of regents/trustees understand the institution’s research portfolio and associated risk, and are they informed of how the institution is managing the numerous and at times complex reporting and compliance obligations?

Risk Assessment – Has the institution and key stakeholders evaluated operations, reporting and compliance objectives and gathered sufficient information in order to understand how research risk could impact such objectives?

Control Activities – Has the institution developed control activities, including general control activities over research administration and the technology used to support those operations, which enable the institution to manage the research risk within a level of tolerance acceptable to the institution?  Have the control activities been documented and disseminated through formalized policies and procedures?

Information and Communication – Has the institution identified the information requirements needed to properly manage internal control over the research risks? Has the institution defined the internal and external communication channels and protocols that support the functioning of internal control? How will the institution respond to, manage, and communicate a research risk event?

Monitoring Activities – How will the institution select, develop, and perform evaluations to ascertain the design and operating effectiveness of internal controls that address research risk? When deficiencies are identified, how are these communicated and prioritized for corrective action? What is the institution doing to monitor its research risk profile[4]?



Management is responsible, in both the central and decentralized operating units, for establishing, maintaining and promoting sound business practices and effective internal controls. Systems of internal control will vary from activity to activity depending upon the operating environment, including the size of the entity, its diversity of operations and the degree of centralization of financial and administrative management.

While there may be practical limitations to the implementation of some internal controls, each business function throughout the institution must establish and maintain a system of controls which meets the minimum requirements as established by the institution’s Internal Control policy.  A properly functioning system of controls improves the efficiency and effectiveness of operations, contributes to safeguarding assets and identifies and discourages irregularities, such as questionable or illegal payments and practices, conflict of interest activities and other diversions of assets.



[1] See 2 CFR Part 200 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards.

[2] COSO stands for Committee of Sponsoring Organizations of the Treadway Commission. It is an independent private-sector initiative formed in 1985 that provides thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. In May 2013 it revised and reissued “Internal Control – Integrated Framework”, originally published in 1992, as a guide to establishing internal control systems. See:

[3] See Federal Register/Vol. 78, No. 248, Thursday, December 26, 2013/Rules and Regulations, page 78593.

[4] Adapted from Deloitte, COSO in the Cyber Age, page 3.


Mary Lee Brown is the Associate Vice President for Audit, Compliance and Privacy (OACP) at the University of Pennsylvania and PENN Medicine (Health System) where she has worked for 18 years.  Prior to working at Penn she spent 18 years at the Johns Hopkins University in several leadership roles including administrative computing, internal audit and controller functions. She currently serves as chair of the Governmental Affairs Committee for the Association of College and University Auditors (ACUA) and liaison to the Council on Governmental Relations as a member of the Costing Policies Committee. She can be reached at