Internal Controls

Internal control, as defined by the Comptroller of Maryland, is “the organization, policies, and procedures which are tools to help program and financial managers achieve results and safeguard the integrity of their programs.”

Internal control affects every aspect of operations at Towson University. Effective internal control ensures that TU follows all laws, regulations, and policies. It also ensures that TU operates in a fiscally responsible manner and functions efficiently.

All faculty and staff at the university have a role in establishing and adhering to our internal controls. Management is responsible for maintaining an adequate system of internal control and ensuring employees follow all policies and procedures. Employees are responsible for immediately reporting operational problems and/or violations of policy or law. Internal controls act as additional reference tools to identify, assess and improve operating controls, financial reporting, and legal or regulatory compliance processes. The cost of a control should not exceed the benefit.

The internal controls guide below should be used in conjunction with existing policies and procedures.

Types of Internal Controls

Preventive Controls

Preventive controls are designed to avoid fraud, loss or error before they occur. These controls include, but are not limited to: segregation of duties, authorization practices, adequate documentation, and physical control over assets.


Approvals involve written policies and procedures, limits to authority, and supporting documentation. This process also involves questioning unusual items and avoiding “rubber stamps” and blank signatures on forms.

Before signing an approval, approvers must thoroughly review supporting documentation to ensure necessary information is present to justify a transaction. Signing blank forms is never allowed.

Approvers are the only authorities allowed to sign off on approvals. Under no circumstance should an approver share their password with another person for electronic approval authority.

Detective Controls

Detective controls identify fraud, loss or error after they occur. These controls include, but are not limited to: reconciliations, inventory counts, reviews, analyses, and audits.


Reconciliations are comparisons of different data sets to identify and investigate differences. A critical element is to resolve differences. This process involves taking corrective action when necessary.

To ensure proper segregation of duties, the person who approves transactions or handles cash receipts should not be the person who performs the reconciliation.


Reviews involve comparisons of budgeted to actual amounts, current to prior period amounts, performance indicators, and follow-up on unexpected results or unusual items.

Preventive and Detective Controls

Segregation of Duties (SOD)

SOD requires at least two individuals to initiate, approve and record a transaction, reconcile balances, handle assets, and review reports. It is critical to effective internal control and reduces the risk of both erroneous and inappropriate actions.

Asset Security

Asset security consists of securing physical and intellectual assets as well as implementing physical safeguards and periodic counts. It also involves maintaining perpetual records, comparing counts to perpetual records and investigating or correcting differences.

Controls Over Information Systems

General controls are controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance. Application controls are computer matching and edit checks.

Compensating Controls

Compensating controls are often established to compensate for an increased risk when the usual control is too challenging and/or impractical to implement. These controls are an alternative used to provide a reasonable level of assurance, but are usually less desirable since they often occur after a transaction is complete. Compensating controls are usually established when there is an insufficient separation of duties. Examples of compensating controls include secondary review and signature, and system exception reports.