Internal Controls


This policy applies to all George Mason University employees and students who have authorized use of University financial resources.


George Mason University is committed to maintaining an effective system of internal control in order to provide accurate and reliable financial reporting and protection of assets, to promote operational efficiency of fiscal resources, and to encourage adherence to prescribed policies and federal and state regulations.

The State Comptroller’s Agency Risk Management and Internal Control Standards (ARMICS) are guidelines for all state agencies to use in evaluating their systems of internal control.  These standards require an annual internal control assessment by the University and a certification from University management that the University’s internal control framework effectively manages risk, ensures fiscal accountability, and safeguards assets.  ARMICS is based on the broadly accepted internal control integrated framework established by the Committee of Sponsoring Organizations of the Treadwell Commission (COSO).


A. Departmental Management 

All department heads overseeing fiscal processes are responsible for assessing risk and establishing and maintaining an adequate internal control structure for their unit.  Controls should be designed to foster the following traditional objectives: safeguard assets; mitigate risk; ensure adherence to regulations; ensure the proper recording of financial transactions; generate accurate and timely financial information; and promote operational efficiency.  The policies and procedures adopted to satisfy these requirements must be documented and kept current.  Financial Managers within the department must monitor the unit’s controls to ensure they are operating effectively.

B. Fiscal Services – Controller’s Office 

The Associate Vice President and Controller is the principal fiscal officer of the University and has authority over financial records and employees with fiscal responsibilities at all locations. The Internal Control team within the Controller’s office conducts the ARMICS assessment. This review evaluates agency level controls across the five components of internal control (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring) and examines transactional controls for significant fiscal processes.  These activities support the annual submission to the state certified by the President as Agency Head and the Controller as Fiscal Officer for the University.

C. Office of University Audit 

The Office of University Audit independently conducts risk assessments, develops and implements audit plans to examine and evaluate internal controls, and provides reports to management and the Board of Visitors on the results of such audits.

D. Executive Management 

Executive management holds the ultimate responsibility for the University’s culture and commitment to an ethical and strong internal control environment and structure.

E. Board of Visitors 

The Board of Visitors has an oversight role in the development and performance of the University’s internal control framework.

F. All University Employees 

All employees have a responsibility to conduct University business ethically and with integrity, adhering to established controls, procedures and policies.


The policies herein are effective August 1, 2007.  This Administrative Policy shall be reviewed and revised, if necessary, annually to become effective at the beginning of the University’s fiscal year, unless otherwise noted.


Carol D. Kissal
Senior Vice President, Administration and Finance

Mark R. Ginsberg
Provost and Executive Vice President

Date approved: 08/09/2007
Revised: 01/9/2013
Revised: 06/04/2021
Revised: 10/26/2021