Internal Control Program Guidelines
October 10, 2023
This procedure item applies to:
Pursuant to the New York State Government Accountability, Audit and Internal Control Act (Act), these guidelines provide for the implementation and administration of the State University of New York’s (University) formalized program of internal control. The internal control program is designed to ensure that the University has a system of accountability for and oversight of its operations and to assist the University in achieving its goals and objectives, and overall mission. This requires that state-operated campuses, statutory colleges, and system administration each establish and maintain their own internal control program and guidelines that support the University’s Internal Control Program.
The New York State Government Accountability, Audit and Internal Control Act (Act) requires that state agencies promote and practice good internal controls and establish and maintain a system of internal controls and a program of internal control review. The Division of Budget (DOB) Budget Policy and Reporting Manual (BPRM) Item B-0350 outlines internal control and internal audit requirements of State Agencies for compliance with the Act. To meet the requirements of the Act, as outlined in the DOB BPRM Item B-0350, each of the University’s state-operated campuses, statutory colleges, and system administration (campuses) should include the following elements within its internal control program. This approach may be modified as necessary to meet the unique characteristics, circumstances, and requirements of a campus.
Internal control guidelines communicate an organization’s management and programmatic objectives to its employees and provide the methods and procedures used to assess the effectiveness of its internal controls in supporting those objectives. Campus internal control guidelines should:
The system of internal controls should be developed using the COSO conceptual framework, adopted in the Standards for Internal Controls in New York State Government, and should incorporate COSO’s five components and seventeen corresponding principles of internal control. Campuses should document the assessment of the presence and functioning of the five components and seventeen principles of COSO and any major deficiencies. (See Appendix B for a detailed outline of the COSO Framework).
The program of internal control review provides for a formal process of evaluating the effectiveness of our major organizational units and systems and their control mechanisms. At a minimum, the campus process should:
Risk assessments should be conducted for each of the assessable units identified across the campus. Risk assessments provide a means of identifying and classifying risks within the unit. Units determined to be of high risk may be considered for an internal control review (See Appendix A).
Internal control reviews are detailed examinations that are performed to determine whether adequate control activities exist, are implemented, and are effective. This includes evaluating any relevant policies and procedures, testing the effectiveness of controls, and identifying control weaknesses in need of corrective action.
The University has identified functional areas within and/or across units as high-risk, for which campuses are required to conduct internal control reviews over a three-year recurring cycle. To assist campuses in conducting internal control reviews over these “pre-determined” high-risk areas, evaluation review templates and resource materials are available for campuses to utilize. Additional areas or units determined by the campus to be of high risk should also be included in this review cycle.
The internal control officer (and/or coordinator) should facilitate the performance of risk assessments and internal control reviews with campus management and staff. All results should be documented and recorded by the internal control officer. Any control weaknesses noted should be communicated in a timely manner by the internal control officer to management. Corrective action plans should be established by management to address these weaknesses. The implementation of corrective actions should be monitored by the internal control officer.
All existing employees and all new hires should be familiar with applicable federal, State, University, and campus policies and procedures. To communicate this effectively to all employees, a memorandum or “tone at the top” letter from the campus President should be issued periodically to the campus community that:
It is not necessary for each employee to have copies of all such policies, procedures, and manuals; however, the employees should be provided with reasonable and convenient access to such material.
The University and each campus are required to designate an internal control officer. Based upon the internal control officer’s other responsibilities, it may be necessary to delegate certain operational aspects of the campus’ internal control program to designated staff (such as an internal control coordinator). The prescribed qualifications and responsibilities as they relate to the internal control efforts are outlined in Appendix C.
Campuses should identify staff requiring internal control training and the depth and content of that training. The education and training efforts should be ongoing and may vary depending upon the degree of responsibilities of the employee. Specific courses may be directed at line staff, middle managers, and executive management. For campuses with internal audit functions, training and education should be offered on the appropriate role of the auditor within the campus’ internal control program.
Pursuant to DOB BPRM Item B-0350, the University is required to maintain an internal audit function. The function is required to be:
The decision to establish and maintain internal audit functions at the campuses is generally the prerogative of the campus presidents, although consultations with the University Auditor for such a need are encouraged.
On or before April 30th of each year, the University is required by the DOB BPRM Item B-0350 to certify compliance with the provisions of the Act as outlined in the preceding sections of these guidelines, as well as any subsequent directives established by the DOB. The Chancellor signs the annual certification completed by the University ICO on behalf of the University, which is based upon an evaluation of the internal control activities present for the state fiscal year ended March 31st. As part of this annual process, the University requests that each campus must complete and submit an Internal Control Certification signed by the Campus President that represents the justification for a campus’ level of compliance with the requirements of the Act. Campuses must:
The University ICO, as part of their responsibilities for monitoring the internal control program, will review each campus’s annual certification submission to note their level of compliance with the requirements of the Act. Implementation of campus corrective action plans regarding any requirements that were deemed not fully compliant and/or weaknesses identified during internal control reviews will be monitored.
In addition to the Act, the Office of the State Comptroller (OSC) requires the head of each state agency (e.g., Commissioner, Chancellor, Executive Director) to submit a certification to the Comptroller annually that the agency has sufficient internal controls in place for various aspects of the payment process. OSC will specify which segments are required to be assessed for the given year. As part of this annual process, the University requests that each campus must perform an assessment and submit an Internal Control Certification signed by the Campus President that represents the justification for a campus’ level of compliance with the annual requirements.
Internal Control Evaluation Templates and Resource Materials are available on the SUNY Blue Internal Control page.
There are no related procedures relevant to this procedure.
NYS Executive Law - Article 45 (Internal Control Responsibilities of State Agencies)
NYS State Finance Law §8(2-b) and (2-c) (Duties of the New York State Comptroller relating to New York State Governmental Accountability, Audit and Internal Control Act and State agencies)