Internal Controls

Policy Number: 
Reason for Policy: 

This policy is intended to ensure that the university has a strong system of accountability for and oversight of its operations.

Entities Affected by this Policy: 

All areas of the University of Oregon

Responsible Office: 

For questions about this policy, please contact the Office of the Vice President for Finance and Administration at (541) 346-3003 or

Enactment & Revision History: 

11 July 2016 - Revisions approved by the university president.

03 August 2015 - Technical revisions enacted by the university secretary.

01 July 2014 - Became a University of Oregon Policy by operation of law.

Former Oregon State Board of Higher Education Policy.


The University of Oregon (UO) shall establish and maintain an effective system of internal controls. Internal controls are designed to reasonably assure that the UO meets its mission, promotes performance leading to effective accomplishment of objectives and goals, safeguards assets, provides accurate and reliable financial and other key data, promotes operational efficiency and economy, and encourages adherence to applicable laws, regulations and prescribed management policies and practices. Control activities, which occur throughout the organization at all levels and functions, help ensure that necessary actions are taken to address risks while achieving the institution’s objectives. The control model for the UO is the Integrated Framework of Internal Control as promulgated by the congressionally established Committee of Sponsoring Organizations (COSO).


The UO’s internal control and risk assessment practices shall help ensure that:

  1. University activities and operations function effectively and efficiently;
  2. University activities and operations comply with laws, regulations, policies, and standards;
  3. University processes result in accurate and reliable financial information and reports;
  4. University resources are adequately protected;
  5. Risks facing the university, including, but not limited to, strategic, operational, financial, compliance, and reputational, are routinely identified and assessed, and effectively managed;
  6. Control activities and other mechanisms are proactively designed to address and manage significant risks;
  7. Information critical to identifying risks and meeting the university’s mission and strategic objectives is communicated through established channels throughout the UO; and,
  8. Controls are monitored and identified problems are addressed in a timely manner.


A process, effected by the Board, president, leadership, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

The components of internal control are:

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring

Further information about the control model used by the University, including information on the integrated framework and definitions, is available from the COSO website.


The President, through directed leadership, shared values, and a culture that emphasizes accountability, is ultimately responsible for ensuring that an effective control system is in place. However, the execution and use of that control system is a shared responsibility and obligation. All university employees are expected to maintain the control environment of the university by understanding and following all university policies, processes, and procedures.

  • Volume IV: Finance, Administration and Infrastructure
  • Chapter 2: Audits