Policy 1108
Internal Controls

Date of Current Revision: March 2018
Primary Responsible Officer: Assistant Vice President for Finance


This policy provides guidelines for implementation of internal control programs.


The Board of Visitors has been authorized by the Commonwealth of Virginia to govern James Madison University. See Code of Virginia § 23.1-1600; § 23.1-1301. The Board has delegated the authority to manage the university to the president.


The state comptroller mandates the implementation and annual assessment of agency internal control systems in order to provide reasonable assurance of the integrity of fiscal processes related to the submission of transactions to the Commonwealth’s general ledger, submission of financial statement directive materials, compliance with laws and regulations, and stewardship over the Commonwealth’s assets. The comptroller further requires that the documentation and assessment of internal controls be conducted in accordance with the state’s Agency Risk Management and Internal Control Standards (ARMICS).


Internal control:
A process, effected by the Board of Visitors, management or other university personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • effectiveness and efficiency of operations (including financial and operational performance goals and safeguarding assets against loss)
  • reliability of reporting (including internal/external financial and non-financial reporting)
  • compliance with applicable laws and regulations (including university and departmental policies and procedures)

Examples of internal control activities include:

  • proper authorization and approval
  • documented review of information for accuracy, completeness and validity
  • proper supervision
  • physical security of assets
  • written policies and procedures
  • process documentation
  • proper segregation of duties
  • proper assignment and authorization to information systems, electronic applications and data
  • procedures to secure data


This policy applies to critical processes at the university and to all employees of the university.


The university will maintain adequate internal controls. 


6.1  Department heads implement and maintain adequate documentation regarding internal controls for their areas.

6.2  The Finance Office establishes internal control and conducts internal control reviews in accordance with ARMICS to determine whether adequate internal control measures exist to address potential risks in a cost-effective manner.

6.3  The Assistant Vice President for Finance can advise department heads on how to incorporate internal controls into new and revised processes and systems.


Vice presidents are responsible for ensuring that adequate internal controls are maintained in their respective divisions.

Academic unit heads and administrative department heads are primarily responsible for maintaining adequate internal controls in their areas.

The assistant vice president for finance establishes internal control policy, develops and publishes procedures, evaluates internal controls annually to determine operating effectiveness, and issues a statement concerning internal controls to accompany the university's submission of its financial statements to the Department of Accounts. The assistant vice president for finance also documents the agency’s assessment of internal controls, in compliance with ARMICS and the related comptroller’s directive.

All departments, offices and employees that generate, receive or maintain public records under the terms of this policy are also responsible for compliance with Policy 1109 - Records Management.


Sanctions will be commensurate with the severity and/or frequency of the offense and may include termination of employment.




The authority to interpret this policy rests with the president and is generally delegated to the assistant vice president for finance.

Previous version:   January 2016
Approved by the president: November 2002
