SUNY PP Home Page   Print Page   Close Page   Convert current file into a PDF document   Convert current file into a DOC document



Category:
Financial


Responsible Office:

Procedure Title:
Internal Control Program Guidelines

Document Number:
7501

Effective Date:
January 01, 1999


This procedure item applies to:
State-Operated Campuses
Statutory Colleges

Table of Contents
Summary

Process
Forms
Related Procedures
Other Related Information
Authority
History
Appendices

Summary

Pursuant to the New York State Governmental Accountability, Audit and Internal Control Act (Act), this procedure provides guidelines for the implementation of the State University of New York’s (University) formalized program of internal control. The internal control program is designed to ensure that the University has a system of accountability for and oversight of its operations and to assist the University in obtaining its goals and objectives.


Process

The New York State Governmental Accountability, Audit and Internal Control Act (Act), Chapter 510 of the Laws of 1999, requires that all state agencies institute a formal internal control program. In order to meet the requirements specified in the Act, the University and its campuses should include the following elements within its internal control program. This approach is only a guide and may be modified as necessary to meet the unique characteristics, circumstances and requirements of a campus.

A.    Establish and maintain guidelines for a system of internal controls.

Each campus should develop its own internal control program manual and/or guidelines to supplement the policies, procedures and guidelines contained herein. The campus internal control manuals should reflect specific information reflecting the degree of commitment the campus has incorporated into its program, such as the formation of an internal control steering committee, the designation of an internal control officer, inventory of assessable units, and methodologies used to evaluate the vulnerabilities and effectiveness of internal controls.

According to the Division of Budget (DOB) Budget Policy and Reporting Manual Item B-350, internal control guidelines should include:

Incorporation of the guidance provided herein will assist the campuses to adhere to the DOB directive.

B.    Establish and maintain a system of internal controls and a program of internal control review which is designed to identify internal control weaknesses and actions needed to correct these weaknesses.

According to DOB Budget Policy and Reporting Manual Item B-350, the program of internal control review shall be a structured, continuing, and well documented system designed to identify internal control weaknesses, identify actions that are needed to correct these weaknesses, monitor the implementation of necessary corrective actions, and periodically assess the adequacy of internal controls. The University’s recommended general approach to the evaluation and improvement process includes the following steps:

In addition, the reporting system should include summary information regarding the results of vulnerability assessments, internal control reviews or audits, testing, and corrective actions.

Managers who perform vulnerability assessments should guard against any tendency to devise a low vulnerability rating with the main purpose of avoiding a detailed internal control review. Also, they should be aware that if a weakness is observed which is perceived as placing the unit in immediate jeopardy, corrective action should be implemented as soon as possible.

       Line managers should have the primary responsibility in the internal control review process. This responsibility includes planning and organizing each review, assigning responsibilities to personnel who will conduct the actual review, and monitoring the process.

An internal or external audit may also be an effective and objective method to evaluate internal controls of an event cycle, in lieu of an internal control review by management. There are certain advantages and disadvantages to utilizing an audit rather than an internal control review; however, regardless of the evaluation method used, management is responsible for understanding the controls of areas under its purview.

Testing internal controls can be a component of an internal control review or audit, or performed as a stand alone process. The distinction between an internal control review or audit and internal control testing is that generally testing is limited to a sample of transactions which will enable the reviewer to determine if the specific control is effective. For example, if the control objective for the personnel function is to determine that qualified staff are hired, an internal control review would document that the campus policies and procedures (administrative controls) requires that a search be conducted and that credentials are verified as necessary. Testing would require that a representative sample of new hires over a certain time period would be selected and that the files for these individual or the search files indicated the search committee process was followed and that credentials were indeed verified. See Section 9 which follows for more information regarding internal control testing.

C.   Make available to each employee a clear and concise statement of the University’s/campus’s generally applicable management policies and standards with which each employee will be expected to comply.

All existing employees and all new hires should be familiar with applicable State, University, and campus policies and procedures. In order to communicate this effectively to all employees, a memorandum or “tone at the top” letter from the campus president should emphasize the importance of having good internal controls and assigning the responsibility for such upon each officer and employee. The memorandum or letter should refer the campus community to a campus website and/or include an informational brochure. These informational sources should contain references to the applicable policies, procedures, regulations and laws. A preferred practice would include a periodic reminder notice or re-affirmation upon the appointment of a new campus administration. It is not necessary for each employee to have copies of all such policies, procedures, and manuals; however the employees should be provided with reasonable and convenient access to such material.

D.    Designate an internal control officer at the University and campus levels to implement and review the University’s/campuses’ Internal Control Programs.

The University and each of its affected campuses are required to designate an internal control officer. The prescribed qualifications and responsibilities for this position are noted above in Section B.1.a. The responsible official’s name and contact information should be included in the communications (letter or memorandum from the president, web-site, and/or brochure) noted in the preceding section. Based upon the internal control officers other responsibilities, it may be necessary to delegate certain operational aspects of the campus’ internal control program to designated staff (such as an internal control coordinator).

E.   Implement education and training efforts to ensure employee awareness and understanding of internal control standards and evaluation techniques.

DOB Budget Policy and Reporting Manual Item B-350 states that each agency should identify staff who require internal control training and the depth and content of that training. Campuses should educate its officers and staff on the basics of internal controls, where internal controls exist, and the importance of the employees’ role in the internal control system. The level of training and education may vary depending upon the degree of responsibilities of the employee. The University has provided various training materials to the campuses for their utilization and campuses may design their own training program to fit their practical needs. It is prescribed that training efforts be documented (who attended and when), periodically updated where applicable, and made available to new employees shortly after their appointment. Training may be provided on-line through a web-based application; however, the campus should ensure that the employees have taken advantage of these types of training opportunities. Training should include familiarizing the employees in communicating improvements of internal controls as well as reporting possible waste, fraud, or abuse to appropriate management or in conformance with applicable University procedures. The issuance of an internal control brochure and/or website, while providing important information and communication about the campus system of internal controls, should not be construed exclusively as meeting the education and training requirements.

F.   Periodically evaluate the need for an internal audit function.

In 1988, the Division of the Budget issued guidelines and procedures for all State agencies to use in the evaluation of their need for an internal audit function. The University’s internal audit function, including the Office of the University Auditor at System Administration, and those campus internal audit functions located within the University centers and health science centers, pre-existed the requirements of the Act. Upon submission of information pertaining to the University’s operation, DOB issued Budget Bulletin B-1090, which listed the University as one of the original twelve agencies required to have an internal audit function, and affirming the University’s position with respect to allocating resources to this type of activity. In 1988, the Board of Trustees also established an Audit Committee in an effort to strengthen the University’s initiatives for accountability.

Under DOB Budget Policy and Reporting Manual Item B-350, the University is still required to maintain an internal audit function. The function is required to be maintained in conformance with internal audit standards promulgated by the Institute of Internal Auditors in their International Standards for the Professional Practice of Internal Auditing (IIA Standards). The decisions to establish and maintain internal audit functions at the campuses are the prerogative of the campus presidents, although consultations with the University Auditor for such a need are encouraged. Adherence to the auditing standards noted above is also required of campus-based auditors.

G.   Reporting

On or before March 31, the end of the State’s fiscal year, the University is required by DOB Budget Policy and Reporting Manual Item B-350 to certify compliance with the provisions of the Act as outlined in the preceding sections of these guidelines, as well as any subsequent directives established by DOB. The Chancellor signs the annual certification on behalf of the University, which is based upon an evaluation of the internal control activities present for the fiscal year then ended. As part of this process, the University requests that the presidents of State-operated campuses, chief administrative officers of contract colleges, and System Administration also affirm compliance with provisions of the Act, or where such affirmation is not possible, submit a corrective action plan to achieve compliance as soon as practical. The University is responsible for assisting in the development and monitoring campus corrective action plans for prompt restoration of compliance. A self-assessment survey has been provided to all campuses to assist in the evaluation of compliance (refer to Forms section below). Compliance activities may also be the subject of an internal or external audit.

The University, as part of its responsibilities for monitoring the internal control program, also requires all campuses to report annually subsequent to the end of the University’s fiscal year, the status of specific, significant internal control activities, testing, and resolution of findings contained in pertinent audits of University/campus activities or programs. The University’s internal control officer or coordinator submits the forms provided for the annual status report.

In support of this procedure, the following definitions are included:

(Definitions to be used in connection with Duties of the New York State Comptroller, NYS Finance Law §8(2-b) & (2-c) are found in NYS State Finance Law §2-a and
Duties of the New York State Comptroller relating to New York State Governmental Accountability, Audit and Internal Control Act and State agencies, NYS State Finance Law §8(2-b) and (2-c).)

Control environment - Also referred to as “general control environment,” sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the organization’s people, management’s philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.

Detective controls - Designed to detect errors and irregularities that have already occurred and to assure their prompt correction. Detective controls supply the means with which to correct data errors, modify controls or recover assets. Account reconciliations are examples of detective controls.

Event cycle - A series of related activities that are performed which account for an event from start to finish, such as the procurement cycle, which encompasses everything from department requisitioning, purchasing, receiving, accounts payable, and inventorying.

Internal accounting controls - Procedures used to make sure that assets of the organization are protected and that its financial and accounting records are accurate and reliable. Accounting controls should be in place over all identified business areas and functions.

Internal administrative controls - These procedures encourage adherence to policies and promote efficiency in the daily operation and management of an organization. Examples of these types of controls are administrative manuals, organization charts, formal job descriptions and hiring practices.

Internal audit - An independent appraisal activity supported by management to review an organization's operations as a means of assuring conformance with management policies and the effectiveness of internal control systems. An internal audit tests the reliability of the internal control system, identifies material weaknesses, and includes recommendations to improve those controls to promote adherence to prescribed policies and procedures.

Internal controls - The steps taken by an organization to provide reasonable assurance that the organization functions in an efficient and appropriate manner consistent with its policy objectives, applicable laws, regulations, and related policies and procedures. The methods used to successfully organize and manage daily operations. Internal controls are an integral part of the operating procedures management uses to achieve its objectives and prevent undesirable results.

Internal control officer - An individual with sufficient authority to act on behalf of the Chancellor/campus president to ensure implementation and review of the University/campus internal control programs.

Internal control review - A detailed examination of specific activities to evaluate the adequacy of internal controls and to identify internal control weaknesses and the actions needed to correct these weaknesses. It involves analyzing those vulnerable activities identified through a vulnerability assessment process, which expose the organization to some degree of risk to determine if the policy directives and procedures associated with the activity are functioning as intended. An internal control review may include narratives, questionnaires, and flowcharts to document the risks and control activities.

Internal control testing – An examination of a sample of transactions or events to determine if the desired outcomes have occurred. The sample selection should be without bias to determine objectively that the internal controls in place are adequate, effective, and functioning as intended.

Preventative controls - Controls designed to keep errors or irregularities from occurring in the first place. They are built into internal control systems and require a major effort in the initial design and implementation stages. Once in place, these controls do not require significant ongoing investment.

Risks – Significant conditions resulting from a no action being taken, the wrong action being taken, or the right action not taken timely, that could impede an organization/department from achieving its goals and objectives.

Risk management – A program or process designed to accept, avoid, control, diverse, share or transfer risks in order to achieve an organization’s objectives.

Vulnerability assessment - The methodology followed by management to determine the relative susceptibility of programs, functions, or organizational entities to conscious or unintended abuse, or misuse through misappropriation of assets, accounting or reporting errors, or reduced operational efficiency. Risk analysis is another term for this type of activity.


Forms

Form A - Test Internal Controls over Cash

Form B - Test Internal Controls over Computer Operations

Form C - Test Internal Controls over Financial Aid

Form D - Test Internal Controls over Payroll

Form E - Test Internal Controls over Procurement

Form F - Test Internal Controls over Property Control

Form G - Test Internal Controls over Revenue

Form H - Test Internal Controls over the General Control Environment

Form I - Test Internal Controls for Disaster Recovery Plan

Form J - Test Internal Controls for Mailroom Security Instructions

Form K - Test Internal Controls for Mailroom Security Checklist

Form L - Test Internal Controls for Check Security Instructions

Form M - Test Internal Controls for Check Security Checklist

Form N - Test Internal Controls for Workforce Succession Planning

Form O - Campus Internal Control Program Self-Assessment Instructions

Form P - Campus Internal Control Program Self-Assessment Checklist

Form Q - Internal Control Review Template: Property Control


Related Procedures

There are no related procedures relevant to this procedure.


Other Related Information

Audit Committee of the Board of Trustees, Establishment of

Internal Control Program

Internal Audit Function: NYS AAIC Act 1987

NYS Division of the Budget, Budget Policy and Reporting Manual Item B350

Standards for Internal Controls in New York State Government, Office of the State Comptroller

NYS Internal Control Task Force

NYS Division of the Budget, Manager’s Guide - Testing Compliance with Internal Control Requirements

Standards for Internal Controls in Federal Government, United States General Accounting Office (GAO)

Internal Control Management Evaluation Tool, United States General Accounting Office (GAO)

International Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors

NYS Internal Control Association (NYSICA)

The following link to FindLaw's New York State Laws is provided for users' convenience; it is not the official site for the State of New York laws. 

NYS Public Officers Law §87(2)(g)(iv) (Access to State Agency Records- External Audits, Freedom of Information Law).

In case of questions, readers are advised to refer to the New York State Legislature site for the menu of 
New York State Consolidated.


Authority

The following links to FindLaw's New York State Laws are provided for users' convenience; it is not the official site for the State of New York laws. 

 

NYS Executive Law §950 (Internal Control Responsibilities of State Agencies)

 

NYS State Finance Law §8(2-b) and (2-c) (Duties of the New York State Comptroller relating to New York State Governmental Accountability, Audit and Internal Control Act and State agencies)

 

In case of questions, readers are advised to refer to the New York State Legislature site for the menu of New York State Consolidated.

 

State University of New York Board of Trustee Resolutions, 96-45. adopted March 25, 1996.


History

April 20, 1999 – Chapter 510, Laws of 1999, effective January 1, 1999 amending the provisions of the New York State Governmental Accountability, Audit and Internal Control Act of 1987

• March 25 and 26, 1996 - Board of Trustee Resolution No. 96-45, Approval of Revisions to State University of New York Internal Control Program

• August 4, 1993 – Chapter 597, Laws of 1993 amending and extending provisions of the New York State Governmental Accountability, Audit and Internal Control Act of 1987 until January 1, 1999

• January 16, 1990 – Memorandum to Presidents, State-operated campuses enclosing the Division of the Budget’s Policy and Reporting Manual Item B-350 dated October 30, 1989, requiring a certification of compliance with requirements of the Internal Control Act by affected State agencies on or before March 31 annually

• May 26, 1989 – Memorandum to Presidents, Vol. 89 No. 8 from the Office of the Senior Vice Chancellor to Presidents, State-operated campuses and Deans, Statutory Colleges issuing the State University of New York Internal Control Guidelines

• March 22, 1989 – Board of Trustee Resolution No. 89-48, Implementation of the New York State Governmental Accountability, Audit and Internal Control Act of 1987 as it relates to Internal Audit

• December 28, 1988 – Division of the Budget, Budget Bulletin B-1090 requiring the State University as one of the State agencies to establish and maintain an internal audit unit in conformance with internal audit standards

• November 10, 1988 – Division of the Budget, Budget Bulletin B-1089 providing a schedule of State agencies covered by the Internal Control Act, including the State University

• May 24, 1988 – Board of Trustee Resolution No. 88-80, Establishment of the Audit Committee of the Board of Trustees

• June 15, 1988 – Letter from Acting Chancellor to the Director of the Budget providing DOB with the University’s response to Budget Bulletin B-1084

• May 18, 1988 - Division of the Budget, Budget Bulletin B-1084 directing all State agencies to complete an internal audit evaluation and attached questionnaire

• July 2, 1987 – New York State Governmental Accountability, Audit and Internal Control Act, Chapter 814, Laws of 1987


Appendices

Appendix A - Requirements for Internal Control Act Certification