The University's code of ethics clearly expresses our institutional commitment to integrity and ethical values. This commitment is further communicated through the establishment of policies that clearly convey expectations and through the deployment of procedures detailing how to put those policies into action. Individual understanding, commitment, and adherence to the code of ethics, compliance with policies, and adherence to procedures are foundational to internal control.
The annual completion of the Internal Controls Questionnaire (ICQ) by unit leaders responsible for stewardship of University resources serves two purposes: 1) it is an acknowledgment of the individual's (and unit's) understanding of and commitment to internal control; and 2) it provides an opportunity for unit level review and discussion of individual roles and responsibilities for internal control.
The University must annually certify to the State Comptroller regarding the adequacy of our internal controls and the ICQ process is one of the bases upon which that certification is made. Similar requirements are established under Restructuring, by the Commonwealth's Agency Risk Management and Internal Control Standards (ARMICS), and the terms and conditions (e.g., Uniform Guidance at 2 CFR 200) applicable to Federally sponsored programs.
Frequently Asked Questions
- What does the term "Internal Control" mean?
-
University policy FIN-021, Internal Controls, defines internal control as organizational plans and procedures which are designed to:
- safeguard assets;
- verify the accuracy and reliability of accounting data and other management information;
- promote operational efficiency; and
- adhere to prescribed policies and compliance with federal and state regulations.
ARMICS defines internal control to mean the ongoing processes led by an agency head to design and provide reasonable assurance that these types of objectives will be achieved:
- Effective and efficient operations
- Reliable financial reporting
- Compliance with applicable laws and regulations
- Safeguarding of assets
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Controls Framework, referenced in ARMICS and in the Federal Office of Management and Budget's Uniform Guidance (2 CFR 200) which is applicable to grants and cooperative agreements funded by the Federal government, defines internal control as follows: Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding achievement of objectives relating to operations, reporting, and compliance.
- Who is responsible for Internal Controls at UVA?
-
The short answer is that all UVA employees are expected to perform their duties in accordance with proper internal control, including identifying and reporting any observed weaknesses. This expectation is formally expressed in University policy FIN-021, Internal Controls, which identifies the Assistant Vice President for Financial Operations (AVPFO) as being responsible for the promulgation of policies and procedures directed toward the establishment of good internal control. The policy also sets explicit expectations and duties for individuals who are responsible for administering University funds and resources as well as for the University's internal auditors.
Failure to comply with the requirements of FIN-021 may result in disciplinary action up to and including termination and expulsion in accordance with relevant University policies.
- What is the ICQ and what type of questions are asked?
-
The ICQ is delivered via an online tool delivered by UVAFinance that helps us assess the internal controls environment of the University. The ICQ contains questions on the manner in which a unit conducts activities and, when deficiencies are noted, documents any Corrective Action Plan (CAP) the unit has established to address an identified deficiency. The questions asked on the ICQ are updated annually to reflect current University policies and other requirements.
An uncompleted 2019 ICQ is provided here to provide an example of the types of questions that are asked on the ICQ.
- Which University units are required to complete the ICQ?
-
Organizations (as defined in the University's Integrated System) operating within the Academic Division, the University's College at Wise, and the Southwest Virginia Higher Education Center during the subject fiscal year must complete the ICQ. Certification may be done at the Organization-level or by roll-up to a higher level of authority, e.g., major business unit. The University Medical Center conducts a separate review of internal controls.
- Who has to electronically sign and submit the completed ICQ?
-
While support staff may answer the ICQ, the appropriate unit leader (e.g., dean, director, or department head) is responsible for certifying that each Organization (as defined in the University's Integrated System) for which they are responsible is exercising proper internal controls, or has developed a plan for corrective action to address identified deficiencies. For this reason, the unit leader is required to be the one to electronically sign and submit the completed questionnaire.
- How do I request access to the ICQ?
-
The ICQ is located at a secure website requiring access via NetBadge. University staff responsible for completing the ICQ must seek permission to register and access the ICQ by emailing the ICQ Administrator at [email protected].
When making an ICQ access request by email, provide your name, computing ID, the Primary Organization (Org) number, and Primary Org Name.
Example:
- Name: John Doe
- Computing ID: jxd4z
- Primary Org #: 12345
- Primary Org Name: ZZ-Primary Organization
Resources
Questions about the Internal Controls Questionnaire, Corrective Action Plans, ARMICS, or internal controls? Contact us at [email protected]. You may also contact an FOC team member directly, see our Contacts page for individual bios and contact information.