Skip to main content

Internal Control FAQ

  1. What is internal control?
  2. Why are internal controls important?
  3. What are the components of an internal control system?
  4. Who is responsible for internal controls?
  5. What is the Self-Assessment of Internal Control?
  6.  What can my department do to improve its internal controls?
  7. Does having strong internal controls guarantee success?
  8. What is "fraud, waste and abuse"?
  9. How do I report suspected fraud, waste or abuse in Vermont State Government?
  10. What are some of the resources the Department of Finance & Management provides to help departments with their internal control system?

 1. What is internal control?

Internal control is the integration of the activities, plans, attitudes, policies, and efforts of the employees of a department working together to provide reasonable assurance that the department will achieve its mission. More simply, internal control is what a department does to see that the things they want to happen will happen...and the things they don't want to happen won't happen.
               ►  Return to ^ Top of Page  ^  

 2. Why are internal controls important?

The overall purpose of internal control is to help a department achieve its mission and accomplish certain goals and objectives. An effective internal control system helps a department to: 

  • Promote orderly, economical, efficient and effective operations.
  • Produce quality products and services consistent with the department’s mission.
  • Safeguard resources against loss due to waste, abuse, mismanagement, errors and fraud.
  • Promote adherence to statutes, regulations, bulletins, policies and procedures.
  • Develop and maintain reliable financial and management data, and accurately report that data in a timely manner.
         ►  Return to ^ Top of Page  ^  

3. What are the components of an internal control system?

The Committee of Sponsoring Organizations (COSO) internal control framework identifies 5 inter-related components:

  • Control Environment:  The control environment, sometimes referred to as “tone at the top”, is the foundation for all other components of internal control. The control environment is influenced by management’s philosophy, operating style, integrity, ethical values, and commitment to competence. If this foundation is strong, if the control environment is positive, the overall system of internal control will be more effective.
  • Risk Assessment:  Risk assessment is the identification, analysis, and management of risks relevant to the achievement of the department’s goals and objectives. Risks include internal and external events or circumstances that may occur and adversely affect operations. Once risks are identified, management should consider their impact (or significance), the likelihood of their occurrence, and how to manage them.
  • Control Activities:  Internal control activities are tools - policies, procedures, techniques, and mechanisms - that help ensure management’s directives are carried out. Control activities help identify, prevent or reduce the risks that can impede accomplishment of the department's objectives. Control activities occur throughout the department, at all levels and in all functions; they include activities such as approvals, authorizations, verifications, reconciliations, documentation, separation of duties, and safeguarding of assets.
  • Communication and Information:  For a department to run and control its operations, it must have relevant, valid, reliable, and timely communications relating to internal and external events. Managers must be able to obtain reliable information to make informed business decisions, determine their risks, and communicate policies and other important information to those who need it.
  • Monitoring:  The department’s internal control system needs to be monitored to assess whether controls are effective and operating as intended. On-going monitoring occurs through routine managerial activities such as supervision, reconciliations, checklists, comparisons, performance evaluations, and status reports; monitoring may also occur through separate internal evaluations (e.g., internal audits/reviews) or from use of external sources (e.g., comparison to peer groups or industry standards, surveys, etc.). Deficiencies found during monitoring need to be reported to those responsible for the function, with serious deficiencies being reported to top management.
         ►  Return to ^ Top of Page  ^  

4. Who is responsible for internal controls?

Internal controls are the responsibility of all employees of the department; generally, an employee’s position will determine the extent of their involvement. Internal control is people-dependent; it is developed by people, it guides people, it provides people with a means of accountability and people carry it out. While everyone in a department has responsibility for ensuring the system of internal control is effective, the greatest amount of responsibility rests with the managers of the department. Internal controls are the structure, policies, and procedures used to ensure that management accomplishes its objectives and meets its responsibilities.
              ►  Return to ^ Top of Page  ^  

5. What is the Self-Assessment of Internal Control?

It is a questionnaire administered each April by the Department of Finance & Management to all departments in Vermont state government. The questionnaire encourages management and staff to step back from their day-to-day activities to assess the risks and internal controls for the business processes within which they work. It provides departments with a worksheet to document the control activities in place within their operations and can serve as a tool for identifying and making improvements. Self-assessment seeks to raise a department’s internal control consciousness, while emphasizing management and staff’s responsibility for developing, implementing, and monitoring effective internal control systems.
              ►  Return to ^ Top of Page  ^  

6. What can my department do to improve its internal controls?

  • Implement separation of duties among different employees to reduce the risk of error or inappropriate actions; ensure no one person has complete control over all aspects of any financial transaction.
  • Ensure records are routinely reviewed and reconciled by someone other than the preparer to determine that transactions have been processed accurately and appropriately.
  • Ensure that cash, equipment, inventories, and other property are secured physically, counted periodically, and compared to control records; limit access only to authorized persons.
  • Provide employees with the appropriate training, direction, and supervision to ensure they have the necessary knowledge and skills to carry out their duties; inform employees of the proper channels for reporting suspected improprieties.
  • Make sure statewide and department-level policies and procedures are formalized, documented, communicated and readily available to employees; document day-to-day operating procedures and practices to provide staff with guidance to ensure management’s directives are carried out and to help maintain continuity of operations in the event of prolonged employee absences or turnover.
        ►  Return to ^ Top of Page  ^  

7. Does having strong internal control guarantee success?

No.  Due to limitations inherent in all internal control systems, internal controls only provide reasonable assurance that a department will be successful and achieve its objectives. Breakdowns in internal controls can occur due to simple mistakes or faulty judgments, or controls can be circumvented through collusion or management override.
                ►  Return to ^ Top of Page  ^  

8. What is "fraud, waste and abuse"?    [Note: The following descriptions are not legal advice but are provided solely to give some context to these commonly used terms; please consult with your legal counsel for further guidance.]

  • Fraud:  Generally defined in the law as an intentional act to deceive or cheat, ordinarily for the purpose or result of causing a detriment to another and/or bringing about some benefit to oneself or others. Under common law, three elements are required to prove fraud: (1) a material false statement made with intent to deceive, (2) a victim’s reliance on the statement and (3) damages.
  • Waste:  Significant loss or misuse of state resources that results from deficient or negligent practices, controls, or decisions. Waste involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary given the facts and circumstances. Waste does not necessarily involve fraud or other violations of law.
  • Abuse:  Grossly intentional, wrongful, or improper use of resources or misuse of rank, position, or authority. Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary given the facts and circumstances. Abuse does not necessarily involve fraud or other violations of law.
          ►  Return to ^ Top of Page  ^  

9. How do I report suspected fraud, waste or abuse in Vermont State Government?

State employees should report suspected fraud, waste or abuse to their supervisor/manager (or in accordance with their department's policy) or to the State Auditor's Office confidential tip line at 1-877-290-1400 or online at (also provides direct hotline numbers for reporting specific types of fraud).  The Department of Human Resources provides information for employees on the Vermont Whistleblower Protection law at

Non-state employees (including vendors, contractors, grantees, customers, citizens, etc.) can report suspected fraud, waste or abuse in Vermont State Government to the State Auditor's Office using one of the above options.
                  ►  Return to ^ Top of Page  ^  

10. What are some of the resources the Department of Finance & Management provides to help departments with their internal control system?

  • Internal Control Standards: Guide for Managers  - assist managerial employees in meeting their responsibility for developing, implementing and monitoring their department's internal controls.
  • Best Practices  - series of recommended practices for key financial processes to provide departments with proven methodologies for consistently and effectively achieving a business objective.
  • Operational and Data Validation Reviews - provides departments with independent and objective resources to help evaluate the effectiveness and efficiency of their operations.
  • Self-Assessment of Internal Control (annual questionnaire)  - structured process  for departments to review and  document their internal controls, while helping to identify potential areas of risk or non-compliance.
  • Policy research and development - to promote sound and prudent fiscal management of the State’s resources.
  • Internal Control News (quarterly newsletter) - guidance and information for departments on internal control related matters.
          ►  Return to ^ Top of Page  ^