OHSU follows the internal control concepts and framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) that were issued in September 1992.
What are internal controls?
Internal controls are a process, effected by OHSU's Board of Directors, administration, faculty and staff, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
This definition reflects several fundamental concepts:
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is effected by people. It is not merely policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
Components of Internal Control
Internal control consists of five interrelated components. These are derived from the way management runs an operation or function, and are integrated with the management process. Although the components apply to the entire OHSU enterprise, small and mid-size departments may implement them differently than large ones. A small department's controls may be less formal and less structured, yet it can still have effective internal control. The internal control components are:
- Control Environment - The control environment sets the tone of an organization, influencing the control consciousness of its people. Control environment factors include the integrity, ethical values and competence of the entity's people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the University.
- Risk Assessment - Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.
- Control Activities - Control activities are OHSU policies and procedures that help ensure management directives are carried out. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
- Information and Communication - Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports containing operational, financial and compliance-related information that make it possible to run and control the organization. Effective communication also must occur in a broader sense, flowing down, across and up the organization.
- Monitoring - Internal control systems need to be monitored. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. Internal control deficiencies should be reported upstream, with serious matters reported to OHSU Senior Management and the Board of Directors.
Enterprise Risk Management - Integrated Framework
The Enterprise Risk Management - Integrated Framework expands on the Internal Control - Integrated Framework, and provides a more robust and extensive focus on the broader subject of enterprise risk management. In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers to develop a framework that would be readily usable by management to evaluate and improve their organizations' enterprise risk management. The Enterprise Risk Management - Integrated Framework was the result of that project, and was issued in September 2004.
For more detailed information regarding COSO's Internal Control - Integrated Framework and the new Enterprise Risk Management - Integrated Framework, see www.coso.org.