What are internal controls?

The Institute of Internal Auditors defines internal controls as the methods or procedures used by an organization to:

          ensure reliability and integrity of information;
          ensure compliance with policies, laws, regulations, etc.;
          safeguard assets;
          promote economical and efficient use of resources; and
          accomplish goals and objectives.

Generally, there are two types of controls: 1) Preventive and 2) Detective. Preventative Controls are designed to discourage errors or irregularities from occurring. (Example: Processing vouchers only after signatures have been obtained from appropriate personnel.) Detective Controls are designed to find errors or irregularities after they have occurred. (Example: Reconciling FIS Monthly Detail Reports to departmental records.)

 Who is responsible for internal controls?

The auditors, right? Wrong. Everyone plays a part in James Madison University’s internal control system. Ultimately management is responsible for ensuring that controls are in place. That responsibility is delegated to each area of operation. Every employee has some responsibility for making this internal control system function. Therefore, all JMU employees need to be aware of the concept and purpose of internal controls. Audit and Management Services is here to help you achieve that goal.


In 1992, the Committee of Sponsoring Organizations (COSO) published a report defining internal controls and the criteria for determining the effectiveness of an internal controls system. The committee included members of the American Institute of Certified Public Accountants, the Institute of Internal Auditors, the Financial Executives Institute, the American Accounting Association; and the Institute of Management Accountants. Like the IIA, COSO established a broad definition of internal controls as:

     A process, effected by an entity’s board of directors, management and other personnel, designed to provide
     reasonable assurance regarding the achievement of objectives in the following categories:

          effectiveness and efficiency of operations;
          reliability of financial reporting;
          compliance with applicable laws and regulations.

The COSO report also states that management is primarily responsible for internal control, but everyone in the organization shares responsibility. The internal auditor’s role is to help higher management monitor the system, making it aware of the strengths and weaknesses of internal control.

 How does my department rate?

Now that you've had a brief introduction to internal controls, you may use the JMU Control Self-Assessment to evaluate controls for specific functions.

Return to Audit and Management Services home page.