VCU branded angle-motif letterhead

Maintenance of Adequate Internal Controls

  • Responsible Office: University Controller's Office, Senior Vice President and CFO, Finance and Budget
  • Current Approved Version: 06/03/2021
  • Policy Type: Administrative

Policy Statement and Purpose

This policy is intended to ensure that the university has a strong system of accountability for and oversight of its operations. VCU shall establish and maintain an effective system of internal controls. Internal controls are designed to reasonably assure that VCU meets its mission, promotes performance leading to effective accomplishment of objectives and goals, safeguards assets, provides accurate and reliable financial and other key data, promotes operational efficiency and economy, and encourages adherence to applicable laws, regulations and prescribed management policies and practices. Control activities, which occur throughout the organization at all levels and functions, help ensure that necessary actions are taken to address risks while achieving the institution’s objectives. Internal control and risk assessment practices also help ensure:

  • Effectiveness and efficiency of operations;
  • Reliability of financial reporting;
  • Compliance with applicable laws and regulations;
  • Safeguarding of assets;
  • Risks facing the university, including, but not limited to, strategic, operational, financial, compliance, and reputational, are routinely identified and assessed, and effectively managed;
  • Control activities and other mechanisms are proactively designed to address and manage significant risks;
  • Information critical to identifying risks and meeting the university’s mission and strategic objectives is communicated through established channels throughout VCU; and
  • Controls are monitored and identified problems are addressed in a timely manner.

The two types of internal controls that this policy addresses are accounting controls and administrative controls. Accounting controls are the controls surrounding the activities concerned with authorizing, processing, recording, and reporting transactions (which operate within the broader control environment of administrative controls). Administrative controls are the broad controls surrounding all activities carried out by officials to accomplish their objectives (e.g., planning, organization, productivity monitoring and improvement, and quality control). When internal controls are identified as not being adequate, appropriate action will be undertaken by the administration to address these deficiencies. The president has the ultimate responsibility of ensuring that internal control deficiencies are addressed. Any observed weaknesses in internal control must be brought to the attention of the university controller immediately.

Noncompliance with this policy may result in disciplinary action up to and including termination. VCU supports an environment free from retaliation. Retaliation against any employee who brings forth a good faith concern, asks a clarifying question, or participates in an investigation is prohibited.

Who Should Know This Policy

This policy applies to all Virginia Commonwealth University employees (including faculty) and students who have authorized use of university financial resources.


Internal Control

A process, effected by the Board, president, leadership, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
  • Safeguarding of assets    


The university controller officially interprets this policy. The university controller is responsible for obtaining approval for any revisions as required by the policy Creating and Maintaining Policies and Procedures through the appropriate governance structures. Please direct policy questions to the university controller.

Policy Specifics and Procedures

VCU’s financial organization extends beyond the central Finance and Budget unit. Key personnel from colleges, schools and administrative divisions share the responsibility of managing the university’s financial resources. It is the collective and shared responsibility of these areas to work cooperatively in ensuring the financial integrity of the university. All individuals must perform their duties in accordance with proper internal controls as established by management.

The control model for VCU is the Integrated Framework of Internal Control as promulgated by the congressionally established Committee of Sponsoring Organizations (COSO). VCU also complies with the Agency Risk Management and Internal Control Standards (ARMICS), a directive issued by the state comptroller, mandates the use of internal control standards and "best practices" that directly support the Commonwealth's vision and long term objectives. This directive requires the implementation and annual assessment of agency internal control systems in order to provide reasonable assurance of the integrity of fiscal processes related to the submission of the transactions to the Commonwealth's general ledger, submission of financial statement directive materials, compliance with laws and regulations, and stewardship over the Commonwealth's assets. This assessment includes:

  1. Enterprise Risk Management (ERM) process for identifying agency-level risks and mitigation plans
  2. Transaction Level Testing and Control Testing-performed at least annually by each unit in the VCU ARMICS Database
  3. Central Unit & Departmental Certification
  4. VCU Certification to the Virginia Department of Accounts


ARMICS Risk Assessment 

Related Documents

  1. University Controller’s Office ARMICS Information
  2. Department of Accounts Internal Control TOPIC 10305

Revision History

This policy supersedes the following archived policies:

Revision History
Approval/Revision DateTitle
August 01, 1987 Maintenance of Adequate Internal Controls Policy
July 31, 2015 Maintenance of Adequate Internal Controls
June 3, 2021 Minor Revisions


There are no FAQ associated with this policy and procedures.