Internal Control Program Guidelines
January 01, 1999
This procedure item applies to:
Pursuant to the New York State Governmental Accountability, Audit and Internal Control Act (Act), this procedure provides guidelines for the implementation of the State University of New York’s (University) formalized program of internal control. The internal control program is designed to ensure that the University has a system of accountability for and oversight of its operations and to assist the University in attaining its goals and objectives.
The New York State Governmental Accountability, Audit and Internal Control Act (Act), Chapter 510 of the Laws of 1999, requires that all state agencies institute a formal internal control program. In order to meet the requirements specified in the Act, the University and its campuses should include the following elements within its internal control program. This approach is only a guide and may be modified as necessary to meet the unique characteristics, circumstances and requirements of a campus.
A. Establish and maintain guidelines for a system of internal controls.
Each campus should develop its own internal control program manual and/or guidelines to supplement the policies, procedures and guidelines contained herein. The campus internal control manuals should contain specific information reflecting the degree of commitment the campus has incorporated into its program, such as the formation of an internal control steering committee, the designation of an internal control officer, the inventory of assessable units, and the methodologies used to evaluate the vulnerabilities and effectiveness of internal controls.
According to the Division of Budget (DOB) Budget Policy and Reporting Manual Item B-350, internal control guidelines should include:
2. the identification of the agency’s or authority’s primary responsibilities and functions and objectives of those functions;
3. a description of the agency’s or authority’s process for evaluating its internal controls;
4. an explanation of how the internal control process is organized and managed; and
5. a stated recognition that the internal control process adheres to accepted standards.
B. Establish and maintain a system of internal controls and a program of internal control review which is designed to identify internal control weaknesses and actions needed to correct these weaknesses.
According to DOB Budget Policy and Reporting Manual Item B-350, the program of internal control review shall be a structured, continuing, and well documented system designed to identify internal control weaknesses, identify actions that are needed to correct these weaknesses, monitor the implementation of necessary corrective actions, and periodically assess the adequacy of internal controls. The University’s recommended general approach to the evaluation and improvement process includes the following steps:
1. Organize the process
An organized approach is a key ingredient to a successful internal control program. Thoughtful diligence applied to this step will prove to be invaluable in both approaching the more detailed steps and maintaining the controls. The organizational step includes four major components:
a. Assign responsibility
A system of internal control is not a separate and distinct system within an organization, but the embodiment of all of the plans and devices which assure reasonable control over operations. Accordingly, the ultimate responsibility for good internal controls rests with the internal management at each campus and not with any external unit. The same managers who are responsible for day-to-day operations and decision making are also responsible for ensuring the presence and effectiveness of internal controls.
The actual assignment of duties will vary significantly among campuses and subunits depending on such factors as size and organizational structure. However, it is recommended that consideration be given to the following assignments:
- Campus Internal Control Officer
One senior official, having a broad knowledge of the campus operations, personnel and policy objectives, should be designated as the campus internal control officer. This individual should be responsible for coordinating the campus-wide internal control effort and providing visible administrative leadership. This designee should have sufficient authority to act on behalf of the campus president to ensure the successful implementation and review of the campus internal control program. Typical duties of this individual as they relate to the internal control effort may include:
(ii) developing campus-specific objectives;
(iii) chairing a campus steering committee comprised of representatives from key functional areas, i.e., academic, finance and business, and student services;
(iv) evaluating plans for vulnerability assessments and internal control reviews or providing facilitation on such;
(v) coordinating development and presentation of campus-specific training programs for involved staff;
(vi) monitoring progress;
(vii) reviewing results of vulnerability assessments and internal control reviews;
(viii) monitoring the implementation and effectiveness of corrective actions; and
(ix) reporting progress and status to senior campus management.
Certain duties noted above may be delegated on an operational level to a subordinate, designated as an internal control coordinator or staff. The internal control coordinator would act at the direction of the internal control officer and the campus steering committee, responsible for implementing campus policies and procedures related to its internal control program.
- Heads of Major Campus Organizational Units
The head, typically the vice president, dean or director, as appropriate, of each major campus organizational unit (or other component as identified in the segmenting process) should be responsible for internal control within that unit. Typical duties may include:
(ii) ensuring that line managers are motivated and trained to accomplish their assignments;
(iii) participation in the Internal Control Program may appropriately be reflected in the individual performance program and evaluation;
(iv) developing/reviewing event cycle objectives;
(v) arranging and/or conducting vulnerability assessments and internal control reviews;
(vi) reviewing and analyzing the results of vulnerability assessments and internal control reviews;
(vii) ensuring that significant weaknesses in controls are corrected; and
(viii) ensuring that all additions and changes to rules, procedures, systems, etc., include proper controls.
- Line Managers
Personnel who are uniquely familiar with individual operations and who are responsible for the management process must take an active role in implementing, reviewing, and improving controls. On some campuses, the heads of organizational units may also perform the duties of line managers. Internal control assignments to line managers may typically include:
(ii) conducting vulnerability assessments and internal control reviews;
(iii) initiating improved controls when a need is identified;
(iv) maintaining documentation of controls, vulnerability assessments, internal control reviews, testing, and improvements;
(v) development of an internal reporting system;
(vi) establishing a documentation process; and
(vii) committing personnel.
An internal reporting and follow-up system should be established to monitor the progress of the various tasks that make up the evaluation and improvement process. At a minimum, areas that should be monitored include:
Documentation should be maintained for activities conducted in connection with vulnerability assessments, internal control reviews, testing and follow-up actions. The kind and quantity of documentation and the method of maintaining it are matters that each campus should define for its own purposes. At a minimum, the documentation should show the personnel involved (in the assessment, review or follow-up), the key factors considered, the evaluation methods used and the conclusions reached.
Documentation should be of sufficient detail to permit effective supervisory review, as well as oversight review. Independent reviewers should be able to examine and understand the documentation and determine how the original campus reviewers reached their conclusions.
Each campus should decide, during the organizational phase, what level of personnel resources will be committed to the evaluation and improvement process.
Orientation should be provided to senior managers to familiarize them with the University and campus program and objectives, and to make them aware of their responsibilities in the evaluation, improvement and reporting processes. In addition, training should be provided to the personnel who are assigned to conduct vulnerability assessments and internal control reviews.
The primary goal of this step of the internal control process is to develop a campus-wide inventory of "assessable units", each of which will be the subject of a vulnerability assessment. A complete coverage of all academic, administrative, finance and business, student life, and program areas should be included in the inventory. Segmenting the campus provides the groundwork necessary to determine a reasonable level of personnel involvement.
There is no best method to follow in the segmentation process. As a practical matter, a segmentation may be decided upon that includes a combination of organizational units, administrative functions, program activities, and discrete systems.
Sources that should prove useful in developing an inventory of assessable units are organization charts, budget and financial plan materials, schedule of positions, monetary certificates of approval, regulations and manuals, and management information systems. Determining factors may include:
Having developed an inventory of assessable units in section b above, the next activity is to establish a time schedule for conducting the vulnerability assessments. The schedule should recognize the prioritization of the vulnerability assessments based on such factors as the relative importance and the potential risks of the assessable units included in the inventory.
A vulnerability assessment is performed by management on each of the assessable units identified in section b above, the segmentation process. It is intended as a quick analysis and should not require an inordinate amount of staff time and effort. A vulnerability assessment is a preliminary judgment concerning the existence and adequacy of safeguards or controls now in place to assure:
Managers who perform vulnerability assessments should guard against any tendency to devise a low vulnerability rating with the main purpose of avoiding a detailed internal control review. Also, they should be aware that if a weakness is observed which is perceived as placing the unit in immediate jeopardy, corrective action should be implemented as soon as possible.
There are various assessment tools and methodologies available to complete this task. The manager of each assessable unit should be responsible for and participate in each of the unit's vulnerability assessments, which consist of the following sub-steps:
The environment in which activities are conducted has a major impact on the effectiveness of internal control. An analysis of the environment is performed to determine the extent to which the work setting supports a system of internal controls. This evaluation may be performed for the entity as a whole, or individually for each assessable unit. Determination should be based upon the size and nature of the entity. The following should be among the factors that are used to analyze the control environment:
Sub-step 2: Identify and analyze inherent risk
The second sub-step in the vulnerability assessment process is an identification and analysis of the risks involved in the assessable unit's activities. Inherent risk may be defined as the potential for non-achievement of the campus's mission, objectives and goals; waste, inefficiency or ineffectiveness; loss, unauthorized use or misappropriation of assets; noncompliance with laws, regulations, policies, procedures and guidelines; or the inaccurate recording, preservation, and reporting of financial and other key data.
- successful achievement of the campus's mission, objectives and goals;
- operational effectiveness, efficiency and economy;
- compliance with laws, regulations, policies, procedures and guidelines;
- safeguarding of assets; and
- accurate recording, preservation and reporting of financial and other key data.
An in-depth review is not appropriate during vulnerability assessments. Rather, the evaluator's judgment should be based on knowledge and experience, and should be made in reference to internal control standards.
The overall vulnerability ranking is derived from consideration of the conclusions reached in the analysis of the general control environment, the inherent risk and the evaluation of the safeguards from sub-steps 1, 2, and 3, respectively.
The vulnerability assessment provides an initial evaluation of risks and safeguards and is used to determine recommended actions to be taken. The next step is to establish a plan and schedule for taking the approved recommended actions for each of the assessable units, or for the areas which are determined to be most susceptible to loss. Four activities should be considered during this step:
Depending upon the outcome of the vulnerability assessment and other appropriate considerations, it may be appropriate to conduct internal control reviews. Internal control reviews are detailed examinations of activities to determine whether adequate control measures exist, are implemented, and are effective. They involve assessing a specific group of activities (event cycle) to ascertain if defined techniques (processes and documents) are functioning as intended, and if they efficiently and effectively meet the established control objectives for the event cycle. During an internal control review, the flow of an event should be tracked from beginning to end: how it is created, how it is processed, and how it is reported. The following five sub-steps comprise one approach to conducting internal control reviews:
Line managers should have the primary responsibility in the internal control review process. This responsibility includes planning and organizing each review, assigning responsibilities to personnel who will conduct the actual review, and monitoring the process.
An internal or external audit may also be an effective and objective method to evaluate internal controls of an event cycle, in lieu of an internal control review by management. There are certain advantages and disadvantages to utilizing an audit rather than an internal control review; however, regardless of the evaluation method used, management is responsible for understanding the controls of areas under its purview.
Testing internal controls can be a component of an internal control review or audit, or performed as a stand-alone process. The distinction between an internal control review or audit and internal control testing is that testing is generally limited to a sample of transactions, which enables the reviewer to determine whether the specific control is effective. For example, if the control objective for the personnel function is to ensure that qualified staff are hired, an internal control review would document that the campus policies and procedures (administrative controls) require that a search be conducted and that credentials are verified as necessary. Testing would require that a representative sample of new hires over a certain time period be selected and that the files for these individuals, or the search files, indicate that the search committee process was followed and that credentials were indeed verified. See Section 9, which follows, for more information regarding internal control testing.
7. Take corrective action
After reviewing the system design and testing the functioning controls, the reviewer should reach conclusions concerning the effectiveness of the controls. When the reviewer concludes that areas remain where controls do not provide reasonable assurance that a control objective is being met, or that unnecessary controls exist, follow-up actions are required.
Reports should be prepared which not only identify the weaknesses, but also recommend how to correct them. The recommendations should correlate with the risks involved; that is, a level of control should be recommended that considers the materiality or degree of the weakness. The recommended change should provide reasonable assurance of control and should be cost effective when weighed against the expected benefit that results from risks avoided or from errors or irregularities detected.
The recommendations should be considered by management, and a decision should be made to institute new controls, improve existing controls, or accept the risk inherent in the weakness. In many instances, the appropriate action will be apparent, but in other instances, further analysis may be necessary. In either case, approved corrective actions should be initiated as promptly as possible.
A formal system should be established to log and track the weaknesses identified, suggested actions, and actions taken. This follow-up system should identify responsible personnel and target dates.
8. Prepare summary reports on internal controls
Management reports should be prepared on a regular basis to apprise senior campus management of the status of the internal control program. These reports should include such topics as areas with nonexistent or inadequate control techniques, areas with controls that are not functioning properly, and areas where excessive controls exist, as well as the plans and schedules for addressing the identified concerns.
9. Periodically test internal controls of high risk areas
Good internal controls have no impact unless they are followed in practice. A testing program provides the assurance that functions operate as intended. An effective testing program does not have to be onerous, and tests managers will conduct will not have the same level of thoroughness and documented workpapers as those conducted by auditors. However, tests should be adequate enough to inform managers whether procedures are being followed and controls are working as intended. Periodic testing of internal controls should be performed on all areas identified in the vulnerability assessment process as high risks, or as prescribed by directives of the University or DOB. To assist campuses in the testing process, checklists are available (refer to Forms section below). Campuses should also refer to the Manager’s Guide - Testing Compliance with Internal Control Requirements, issued by DOB (refer to Other Related Information section below). An effective testing program consists of the following:
C. Make available to each employee a clear and concise statement of the University’s/campus’s generally applicable management policies and standards with which each employee will be expected to comply.
All existing employees and all new hires should be familiar with applicable State, University, and campus policies and procedures. In order to communicate this effectively to all employees, a memorandum or “tone at the top” letter from the campus president should emphasize the importance of having good internal controls and assign the responsibility for such to each officer and employee. The memorandum or letter should refer the campus community to a campus website and/or include an informational brochure. These informational sources should contain references to the applicable policies, procedures, regulations and laws. A preferred practice would include a periodic reminder notice or re-affirmation upon the appointment of a new campus administration. It is not necessary for each employee to have copies of all such policies, procedures, and manuals; however, the employees should be provided with reasonable and convenient access to such material.
D. Designate an internal control officer at the University and campus levels to implement and review the University’s/campuses’ Internal Control Programs.
The University and each of its affected campuses are required to designate an internal control officer. The prescribed qualifications and responsibilities for this position are noted above in Section B.1.a. The responsible official’s name and contact information should be included in the communications (letter or memorandum from the president, website, and/or brochure) noted in the preceding section. Based upon the internal control officer’s other responsibilities, it may be necessary to delegate certain operational aspects of the campus’ internal control program to designated staff (such as an internal control coordinator).
E. Implement education and training efforts to ensure employee awareness and understanding of internal control standards and evaluation techniques.
DOB Budget Policy and Reporting Manual Item B-350 states that each agency should identify staff who require internal control training and the depth and content of that training. Campuses should educate their officers and staff on the basics of internal controls, where internal controls exist, and the importance of the employees’ role in the internal control system. The level of training and education may vary depending upon the degree of responsibilities of the employee. The University has provided various training materials to the campuses for their utilization, and campuses may design their own training program to fit their practical needs. It is prescribed that training efforts be documented (who attended and when), periodically updated where applicable, and made available to new employees shortly after their appointment. Training may be provided on-line through a web-based application; however, the campus should ensure that the employees have taken advantage of these types of training opportunities. Training should include familiarizing the employees with communicating improvements of internal controls as well as reporting possible waste, fraud, or abuse to appropriate management or in conformance with applicable University procedures. The issuance of an internal control brochure and/or website, while providing important information and communication about the campus system of internal controls, should not be construed exclusively as meeting the education and training requirements.
F. Periodically evaluate the need for an internal audit function.
In 1988, the Division of the Budget issued guidelines and procedures for all State agencies to use in the evaluation of their need for an internal audit function. The University’s internal audit function, including the Office of the University Auditor at System Administration, and those campus internal audit functions located within the University centers and health science centers, pre-existed the requirements of the Act. Upon submission of information pertaining to the University’s operation, DOB issued Budget Bulletin B-1090, which listed the University as one of the original twelve agencies required to have an internal audit function, and affirmed the University’s position with respect to allocating resources to this type of activity. In 1988, the Board of Trustees also established an Audit Committee in an effort to strengthen the University’s initiatives for accountability.
Under DOB Budget Policy and Reporting Manual Item B-350, the University is still required to maintain an internal audit function. The function is required to be maintained in conformance with internal audit standards promulgated by the Institute of Internal Auditors in their International Standards for the Professional Practice of Internal Auditing (IIA Standards). The decisions to establish and maintain internal audit functions at the campuses are the prerogative of the campus presidents, although consultations with the University Auditor for such a need are encouraged. Adherence to the auditing standards noted above is also required of campus-based auditors.
On or before March 31, the end of the State’s fiscal year, the University is required by DOB Budget Policy and Reporting Manual Item B-350 to certify compliance with the provisions of the Act as outlined in the preceding sections of these guidelines, as well as any subsequent directives established by DOB. The Chancellor signs the annual certification on behalf of the University, which is based upon an evaluation of the internal control activities present for the fiscal year then ended. As part of this process, the University requests that the presidents of State-operated campuses, chief administrative officers of contract colleges, and System Administration also affirm compliance with provisions of the Act, or where such affirmation is not possible, submit a corrective action plan to achieve compliance as soon as practical. The University is responsible for assisting in the development and monitoring campus corrective action plans for prompt restoration of compliance. A self-assessment survey has been provided to all campuses to assist in the evaluation of compliance (refer to Forms section below). Compliance activities may also be the subject of an internal or external audit.
The University, as part of its responsibilities for monitoring the internal control program, also requires all campuses to report annually subsequent to the end of the University’s fiscal year, the status of specific, significant internal control activities, testing, and resolution of findings contained in pertinent audits of University/campus activities or programs. The University’s internal control officer or coordinator submits the forms provided for the annual status report.
In support of this procedure, the following definitions are included:
(Definitions used in connection with the Duties of the New York State Comptroller, NYS State Finance Law §8(2-b) and (2-c), are found in NYS State Finance Law §2-a and in NYS State Finance Law §8(2-b) and (2-c), Duties of the New York State Comptroller relating to the New York State Governmental Accountability, Audit and Internal Control Act and State agencies.)
Control environment - Also referred to as the “general control environment,” sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the organization’s people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.
Detective controls - Designed to detect errors and irregularities that have already occurred and to assure their prompt correction. Detective controls supply the means with which to correct data errors, modify controls or recover assets. Account reconciliations are examples of detective controls.
Event cycle - A series of related activities that are performed which account for an event from start to finish, such as the procurement cycle, which encompasses everything from department requisitioning, purchasing, receiving, accounts payable, and inventorying.
Internal accounting controls - Procedures used to make sure that assets of the organization are protected and that its financial and accounting records are accurate and reliable. Accounting controls should be in place over all identified business areas and functions.
Internal administrative controls - These procedures encourage adherence to policies and promote efficiency in the daily operation and management of an organization. Examples of these types of controls are administrative manuals, organization charts, formal job descriptions and hiring practices.
Internal audit - An independent appraisal activity supported by management to review an organization's operations as a means of assuring conformance with management policies and the effectiveness of internal control systems. An internal audit tests the reliability of the internal control system, identifies material weaknesses, and includes recommendations to improve those controls to promote adherence to prescribed policies and procedures.
Internal controls - The steps taken by an organization to provide reasonable assurance that the organization functions in an efficient and appropriate manner consistent with its policy objectives, applicable laws, regulations, and related policies and procedures. The methods used to successfully organize and manage daily operations. Internal controls are an integral part of the operating procedures management uses to achieve its objectives and prevent undesirable results.
Internal control officer - An individual with sufficient authority to act on behalf of the Chancellor/campus president to ensure implementation and review of the University/campus internal control programs.
Internal control review - A detailed examination of specific activities to evaluate the adequacy of internal controls and to identify internal control weaknesses and the actions needed to correct these weaknesses. It involves analyzing those vulnerable activities identified through a vulnerability assessment process, which expose the organization to some degree of risk to determine if the policy directives and procedures associated with the activity are functioning as intended. An internal control review may include narratives, questionnaires, and flowcharts to document the risks and control activities.
Internal control testing – An examination of a sample of transactions or events to determine if the desired outcomes have occurred. The sample selection should be without bias to determine objectively that the internal controls in place are adequate, effective, and functioning as intended.
Preventative controls - Controls designed to keep errors or irregularities from occurring in the first place. They are built into internal control systems and require a major effort in the initial design and implementation stages. Once in place, these controls do not require significant ongoing investment.
Risks – Significant conditions resulting from no action being taken, the wrong action being taken, or the right action not being taken timely, that could impede an organization/department from achieving its goals and objectives.
Vulnerability assessment - The methodology followed by management to determine the relative susceptibility of programs, functions, or organizational entities to conscious or unintended abuse, or misuse through misappropriation of assets, accounting or reporting errors, or reduced operational efficiency. Risk analysis is another term for this type of activity.
Form A - Test Internal Controls over Cash
Form B - Test Internal Controls over Computer Operations
Form C - Test Internal Controls over Financial Aid
Form D - Test Internal Controls over Payroll
Form E - Test Internal Controls over Procurement
Form F - Test Internal Controls over Property Control
Form G - Test Internal Controls over Revenue
Form H - Test Internal Controls over the General Control Environment
Form I - Test Internal Controls for Disaster Recovery Plan
Form J - Test Internal Controls for Mailroom Security Instructions
Form K - Test Internal Controls for Mailroom Security Checklist
Form L - Test Internal Controls for Check Security Instructions
Form M - Test Internal Controls for Check Security Checklist
Form N - Test Internal Controls for Workforce Succession Planning
Form O - Campus Internal Control Program Self-Assessment Instructions
Form P - Campus Internal Control Program Self-Assessment Checklist
Form Q - Internal Control Review Template: Property Control
There are no related procedures relevant to this procedure.
NYS Internal Control Association (NYSICA)
The following link to FindLaw's New York State Laws is provided for users' convenience; it is not the official site for the State of
NYS Public Officers Law §87(2)(g)(iv) (Access to State Agency Records- External Audits, Freedom of Information Law).
In case of questions, readers are advised to refer to the New York State Legislature site for the menu of New York State Consolidated.
The following links to FindLaw's New York State Laws are provided for users' convenience; it is not the official site for the State of
NYS State Finance Law §8(2-b) and (2-c) (Duties of the New York State Comptroller relating to New York State Governmental Accountability, Audit and Internal Control Act and State agencies)
In case of questions, readers are advised to refer to the New York State Legislature site for the menu of New York State Consolidated.
• January 16, 1990 – Memorandum to Presidents, State-operated campuses enclosing the Division of the Budget’s Policy and Reporting Manual Item B-350 dated October 30, 1989, requiring a certification of compliance with requirements of the Internal Control Act by affected State agencies on or before March 31 annually
• May 26, 1989 – Memorandum to Presidents, Vol. 89 No. 8 from the Office of the Senior Vice Chancellor to Presidents, State-operated campuses and Deans, Statutory Colleges issuing the State University of New York Internal Control Guidelines
• December 28, 1988 – Division of the Budget, Budget Bulletin B-1090 requiring the State University as one of the State agencies to establish and maintain an internal audit unit in conformance with internal audit standards
Appendix A - Requirements for Internal Control Act Certification