The State University of New York

Understanding Internal Controls

Introduction
All of us share a responsibility for ensuring that our working environment is safe and effective. One important way we can help achieve this goal is to establish and follow appropriate campus policies on internal control.

The purpose of Understanding Internal Controls is to provide employees with a reference tool that will help identify the methods and measures adopted by System Administration to promote the thoughtful and efficient use of state resources.

Scope
Since internal controls depend on the participation of all employees at every level, all employees should be aware of University goals and their role in attaining those goals. Employee competence and professional integrity are essential components of a sound internal control program. By knowing what our responsibilities are, we can help provide reasonable assurance that our internal control systems are adequate and operating in an efficient manner.

System Administration's Internal Control Program in conjunction with Understanding Internal Controls is designed to provide reasonable assurance that:

  • System Administration's assets are protected and safeguarded against loss,
  • Records are reliable and accurate,
  • Operations are efficient and effective, and
  • Policies and procedures establish what should be done, how it should be done and by whom.


Management's Commitment
A successful internal control environment requires management's commitment and support. Management's goal is not to make each person an expert in internal controls, but to increase awareness and understanding of why we need them and how we use them.

Executive management is committed to System Administration's Internal Control Program and strongly encourages adherence to the program for the betterment of the University.


Responsibility
The Office of Finance and Business is assigned the responsibility to oversee and coordinate System Administration's Internal Control Program. The Director of Business Affairs has been designated the Internal Control Officer and is responsible for implementation of this program.

Although management is primarily responsible for implementing internal controls, every employee participates in establishing, properly documenting and maintaining internal controls.

Employees are responsible for complying with internal controls by:

  • Successfully fulfilling the duties and responsibilities established in their job description;
  • Meeting applicable performance standards;
  • Taking all reasonable steps to safeguard assets against waste, loss, unauthorized use and misappropriation; and
  • Reporting breakdowns in internal control systems to their supervisor or manager.

Managers and supervisors are responsible for executing control policies and procedures within their departments by:

  • Maintaining an office environment that encourages internal controls,
  • Documenting policies and procedures that are to be followed in performing office functions,
  • Identifying the control objectives for each function and implementing cost-effective controls designed to meet those objectives, and
  • Regularly testing the controls to determine if they are performing as intended.


Internal Control Systems
Internal control systems are basic management practices that usually involve two elements: a policy establishing what should be done and procedures used to support the policy. Internal control systems typically come from top management's interpretation of the University's mission statement, laws and regulations, or industry standards and practices.

University policies and procedures are used to:

  • Ensure management directives are carried out,
  • Set University standards, and
  • Communicate regulations that apply to all personnel.

Each employee is expected to adhere to established internal controls and all applicable management policies and standards issued by the State of New York, the State University and System Administration pertaining to (but not limited to):

  • Policies and Procedures of the University Board of Trustees
  • Bargaining Contracts
  • Employee performance programs and evaluations
  • Property (equipment) Control
  • Electronic data and network security
  • Public safety environmental safety/code compliance practices
  • Time and attendance reporting
  • Human Resource Policies (such as Smoking Policy, Parking Garage Guidelines, Telephone Policies, etc.)
  • State Procurement Guidelines (contracts, travel)


Internal Control Act
In addition to System Administration's system of internal controls, the Governmental Accountability, Audit and Internal Control Act of 1987 formalizes New York State's commitment to efficient and effective business practices, quality services, and ethics in the operations of state government. The provisions of the Act are intended to ensure that State funds are spent properly and that state agencies, including SUNY, function effectively to meet their objectives.

Under this legislation, System Administration must annually certify to the Chancellor, who in turn reports to the Division of Budget, that our Internal Control Program is in compliance with the Office of the State Comptroller's Standards for Internal Control *.


Types of Control
Controls can be either preventative or detective. Preventative controls attempt to deter or prevent undesirable events from occurring. Separation of duties, proper authorization, adequate documentation, passwords, physical control over assets, and even traffic signs are all examples of preventative controls.

Detective controls attempt to detect errors or irregularities which have already occurred. Reviews, analyses, reconciliations, periodic physical inventories, audits and surveillance cameras are all examples of detective controls.

Both types of controls are essential to an effective internal control system. From a quality standpoint, preventative controls are essential because they are proactive. However, detective controls play a critical role by providing evidence that preventative controls are functioning effectively.


Control Activities
The following internal controls can be used to ensure management policies and procedures are adhered to:

  • Implement segregation of duties, where duties are divided among different people to reduce the risk of error or inappropriate actions.
  • Make sure transactions are authorized by a person delegated approval authority when the transactions are consistent with university policy and funds are available.
  • Ensure records are routinely reviewed and reconciled to determine that transactions have been properly processed.
  • Provide employees with appropriate training and guidance to ensure they have the knowledge necessary to carry out their job duties, are provided with an appropriate level of direction and supervision, and are aware of the proper channels for reporting improprieties.
  • Make certain equipment is secured physically and routinely compared with control records. Passwords and other restricted or confidential information should be protected against theft, destruction, deterioration or misuse.
  • Make sure University and departmental level policies and operating procedures are formalized and communicated to employees. Documenting policies and procedures and making them accessible to employees helps provide day-to-day guidance to staff and will promote continuity of activities in the event of prolonged employee absences or turnover.

Information related to University policies and procedures.

Information related to State policies and procedures.


Implementing Internal Controls
As you carry out your routine job responsibilities or are thinking about implementing a new procedure or process, consider:

  • What do you worry about going wrong?
  • What steps have been taken to assure something doesn't go wrong?
  • How do you know things are under control?


Limitations
There are always inherent limitations to internal controls, and risk can't always be foreseen or eliminated. Each time we make a change to an existing system, we run the risk of weakening the underlying internal controls. No matter how well internal controls are designed, they can only provide reasonable assurance that a positive outcome can be achieved.


Components of Internal Control
Since internal controls are based on management's policies and processes, how do we know whether internal controls are functioning as intended? When we think about internal controls there are five basic concepts to consider:

  1. Environment - defines organizational culture and influences the acceptable behavior of employees. This includes such things as integrity, ethical values, staff competence, management's philosophy and operating style.

  2. Risk - involves identifying the likelihood that something will go wrong in your work area, trying to prevent those risks, and measuring whether objectives are being adequately met. This also involves assessing risks associated with external sources.

  3. Activities - details the policies and procedures that provide direction as to how management expects actions or activities to be performed. Are duties segregated so that one person doesn't control an entire process? Are procurement card reconciliations done on a timely basis? Are proper procedures followed when hiring a new employee? Do managers monitor their department's spending to operate within their office budget?

  4. Information and Communication - explains how necessary information (both internal and external) must be obtained and disseminated at the appropriate time, using the proper means and addressing the right people, so that they may carry out their duties.

  5. Monitoring - assesses the quality of internal controls. What do you do to make sure you are doing your job well? Do you ever review your existing procedures for efficiency? Does your supervisor or manager think there are proper controls in place?

In order for internal controls to be effective, employees should:

  • Read and understand the policies and procedures related to their position,
  • Report any control weaknesses to their supervisor or manager that would prohibit them from successfully fulfilling the responsibilities of their position, and
  • Comply with System Administration's management policies and standards.


Balancing Risks and Controls
In order to achieve a balance between risks and controls, internal controls should be proactive, value-added and cost-effective. Excessive control can be costly and counterproductive while too little control presents undue risk. The cost of implementing a control shouldn't outweigh its benefit. For example, staff size limitations may obstruct efforts to properly segregate duties, but it may be possible to implement compensating controls such as random testing or document review.


Risk Management
The central theme throughout Understanding Internal Controls is to (1) identify risks that may prevent objectives from being achieved and (2) do what is necessary to manage those risks. Thus, setting goals and objectives is a precondition to internal controls. At the University level, goals and objectives are presented in a strategic plan that includes a mission statement and broadly defined strategic initiatives. At the department level, goals and objectives must support the University's strategic plan in terms that allow meaningful performance measurements.

The process of identifying and analyzing risk is an ongoing process and is a critical component of an effective internal control system. Attention must be focused on risks at all levels and necessary actions must be taken to manage them. Risk can pertain to both internal and external factors such as:

External factors:

  • Economic changes
  • Changing community needs or expectations
  • New or changed legislation or regulations
  • Technological developments
  • Natural catastrophes

Internal factors:

  • New personnel
  • New or revamped information systems
  • Changes in management responsibilities
  • New research programs
  • Unfamiliarity with policies or procedures


Measuring Risk - The Risk Assessment
The framework for the Internal Control Program is based on identifying and testing the programs and administrative functions necessary for System Administration to carry out its mission. Functions can be most easily identified through organizational charts, departmental budgets, policy and procedural manuals, job descriptions, and information systems. These functions are referred to as "assessable units".

To properly assess the current level of risk associated with a function, risk assessments address such factors as:

  • Management's attitude towards maintaining effective internal control systems,
  • Technical or administrative complexity,
  • The existence of adequate organizational charts, lines of communication, and clear designation of work assignments,
  • Demonstrated adherence to prescribed policies and procedures,
  • The fiscal implications of the function including budget management, handling of cash receipts and disbursements, or contract approvals,
  • The sensitive nature of the function and the extent to which decisions can be influenced by external sources, time constraints, or conflicts of interest,
  • The professional training and technical proficiency of staff needed to perform the function,
  • The stability of the operation in terms of changes in functional responsibilities resulting from staff turnover, permanence of the functional unit and reconfigurations of the organizational structure,
  • The frequency of internal or external audits and the significance of the findings, and
  • The inherent risk associated with the function regardless of the existence of adequate internal controls.

Risk assessments at System Administration are conducted using an online software tool which measures the potential vulnerability (low to high risk) of a functional area/assessable unit based on a multiple-choice rating system.


Internal Control Review
The need for a more in-depth internal control review of a function relates to the level of risk determined by the risk assessment. Functions identified as more vulnerable could be candidates for a more formal internal control review regardless of whether the risk assessment identified any internal control weaknesses. The internal control review analyzes procedures and policies to ensure they are functioning as intended.


Summary
Internal controls are already a part of our daily operations. The controls developed and exercised by managers and their staffs are the substance of the Internal Control Program. System Administration's Internal Control Program and related training and testing help to ensure that the controls are properly documented and functioning as intended.

As available resources decline, the need for adequate internal control is more important than ever. Fewer people are doing more work with less time and less funding. Opportunities for fraud, waste, and abuse increase significantly in a weak internal control environment. The single most important success factor of the Internal Control Program is a high level of individual awareness and understanding. Internal controls are everyone's responsibility; therefore we are all responsible for knowing what internal controls exist and how to evaluate their effectiveness.

A successful Internal Control Program will help streamline our processes and improve the quality of our services. The result will be a better, more enjoyable workplace and a quality institution of higher education.

For more information on System Administration's Internal Control Program, contact us.

  *NOTE: You need to have Adobe Acrobat Reader (free software) in order to view and print PDF files.


Last Update - 10/7/08