Internal Control FAQ

What is Internal Control?

Internal control is the integration of the activities, plans, attitudes, policies, and efforts of the employees of a department working together to provide reasonable assurance that the department will achieve its mission.

More simply, internal control is what a department does to see that the things they want to happen will happen…and the things they don’t want to happen won’t happen.


Why are internal controls important?
The overall purpose of internal control is to help a department achieve its mission and accomplish certain goals and objectives. An effective internal control system helps a department to: 
  • Promote orderly, economical, efficient and effective operations.
  • Produce quality products and services consistent with the department’s mission.
  • Safeguard resources against loss due to waste, abuse, mismanagement, errors and fraud.
  • Promote adherence to statutes, regulations, bulletins and procedures.
  • Develop and maintain reliable financial and management data, and accurately report that data in a timely manner.
What are the components of an internal control system?

The Committee of Sponsoring Organizations (COSO) internal control framework identifies five inter-related components:

Control Environment: The control environment, sometimes referred to as “tone at the top”, is the foundation for all other components of internal control. The control environment is influenced by management’s philosophy, operating style, integrity, ethical values, and commitment to competence. If this foundation is strong, if the control environment is positive, the overall system of internal control will be more effective.

Risk Assessment: Risk assessment is the identification, analysis, and management of risks relevant to the achievement of the department’s goals and objectives. Risks include internal and external events or circumstances that may occur and adversely affect operations. Once risks are identified, management should consider their impact (or significance), the likelihood of their occurrence, and how to manage them.

Control Activities: Internal control activities are tools - policies, procedures, techniques, and mechanisms - that help ensure management’s directives are carried out. Control activities help identify, prevent or reduce the risks that can impede accomplishment of the department's objectives. Control activities occur throughout the department, at all levels and in all functions; they include activities such as approvals, authorizations, verifications, reconciliations, documentation, separation of duties, and safeguarding of assets.

Communication and Information: For a department to run and control its operations, it must have relevant, valid, reliable, and timely communications relating to internal and external events. Managers must be able to obtain reliable information to make informed business decisions, determine their risks, and communicate policies and other important information to those who need it.

Monitoring: The department’s internal control system needs to be monitored to assess whether controls are effective and operating as intended. On-going monitoring occurs through routine managerial activities such as supervision, reconciliations, checklists, comparisons, performance evaluations, and status reports; monitoring may also occur through separate internal evaluations (e.g., internal audits/reviews) or from use of external sources (e.g., comparison to peer groups or industry standards, surveys, etc.). Deficiencies found during monitoring need to be reported to those responsible for the function, with serious deficiencies being reported to top management.

Who is responsible for internal controls?

Internal controls are the responsibility of all employees of the department; generally an employee’s position will determine the extent of their involvement. Internal control is people-dependent; it is developed by people, it guides people, it provides people with a means of accountability and people carry it out. While everyone in a department has responsibility for ensuring the system of internal control is effective, the greatest amount of responsibility rests with the managers of the department. Internal controls are the structure, policies, and procedures used to ensure that management accomplishes its objectives and meets its responsibilities.


What is the Self-Assessment of Internal Control?

It is a questionnaire administered each April by the Dept of Finance & Management to all departments in Vermont state government. The questionnaire encourages management and staff to step back from their day-to-day activities to assess the risks and internal controls for the business processes within which they work. It provides departments with a worksheet to document the control activities in place within their operations and can serve as a tool for identifying and making improvements. Self-assessment seeks to raise a department’s internal control consciousness, while emphasizing management and staff’s responsibility for developing, implementing, and monitoring effective internal control systems.
What can my department do to improve its internal controls?
  • Implement separation of duties among different employees to reduce the risk of error or inappropriate actions; ensure no one person has complete control over all aspects of any financial transaction.
  • Ensure records are routinely reviewed and reconciled by someone other than the preparer to determine that transactions have been processed accurately and appropriately.
  • Ensure that cash, equipment, inventories, and other property are secured physically, counted periodically, and compared to control records; limit access only to authorized persons.
  • Provide employees with the appropriate training, direction, and supervision to ensure they have the necessary knowledge and skills to carry out their duties; inform employees of the proper channels for reporting suspected improprieties.
  • Make sure statewide and department-level policies and procedures are formalized, documented, communicated and readily available to employees; document day-to-day operating procedures and practices to provide staff with guidance to ensure management’s directives are carried out and to help maintain continuity of operations in the event of prolonged employee absences or turnover.
Does having strong internal controls guarantee success?

No. Due to limitations inherent in all internal control systems, internal controls only provide reasonable assurance that a department will be successful and achieve its objectives. Breakdowns in internal controls can occur due to simple mistakes or faulty judgments, or controls can be circumvented through collusion or management override.


What is meant by the terms “fraud”, “waste” and “abuse”?

Note: The following descriptions do not represent legal advice and are provided solely to give some context to these commonly used terms; please consult with your legal counsel for further guidance:

Fraud: Generally defined in the law as an intentional act to deceive or cheat, ordinarily for the purpose or result of causing a detriment to another and/or bringing about some benefit to oneself or others. Under common law, three elements are required to prove fraud: (1) a material false statement made with intent to deceive, (2) a victim’s reliance on the statement and (3) damages.

Waste: Significant loss or misuse of state resources that results from deficient or negligent practices, controls, or decisions. Waste involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary given the facts and circumstances. Waste does not necessarily involve fraud or other violations of law.

Abuse: Grossly intentional, wrongful, or improper use of resources or misuse of rank, position, or authority. Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary given the facts and circumstances. Abuse does not necessarily involve fraud or other violations of law.

How do I report suspected fraud, waste, or abuse in Vermont State Government?

State employees should report suspected fraud, waste, or abuse to their supervisor/manager (or in accordance with their department’s policy) or to the State Auditor’s Office confidential tip line at 1-877-290-1400 or


The Department of Human Resources provides information on the Employee Whistleblower Protection law at:


Non-state employees (including vendors, customers, contractors, etc.) should report suspected fraud, waste, or abuse in Vermont State Government to the State Auditor’s Office confidential tip line at the above number.

What are some of the resources the Dept of Finance & Management provides to help departments with their internal control system?

To assist departments with developing and maintaining effective internal control systems, the Dept of Finance & Management:

  • Has published Internal Control Standards: A Guide for Managers to assist managerial employees in fulfilling their responsibilities relating to internal controls.
  • Issues “best practices” documents for key financial processes to provide departments with proven methodologies for consistently and effectively achieving a business objective.
  • Performs operational reviews to provide departments with independent and objective resources to help evaluate the effectiveness and efficiency of a process.
  • Administers an annual Self-Assessment of Internal Control questionnaire to provide departments with a tool to verify and document their internal controls.
  • Performs policy research and development to promote sound and prudent fiscal management of the state’s resources.
  • Publishes a quarterly newsletter to provide departments with articles on good business practices, internal controls, and responsibilities.