

Responsible Office:

Procedure Title:
Internal Control Program Guidelines

Document Number:

Effective Date:
October 10, 2023

This procedure item applies to:
State-Operated Campuses
Statutory Colleges



Pursuant to the New York State Government Accountability, Audit and Internal Control Act (Act), these guidelines provide for the implementation and administration of the State University of New York’s (University) formalized program of internal control. The internal control program is designed to ensure that the University has a system of accountability for and oversight of its operations and to assist the University in achieving its goals and objectives, and overall mission. This requires that state-operated campuses, statutory colleges, and system administration each establish and maintain their own internal control program and guidelines that support the University’s Internal Control Program.


The New York State Government Accountability, Audit and Internal Control Act (Act) requires that state agencies promote and practice good internal controls and establish and maintain a system of internal controls and a program of internal control review.  The Division of Budget (DOB) Budget Policy and Reporting Manual (BPRM) Item B-0350 outlines internal control and internal audit requirements of State Agencies for compliance with the Act. To meet the requirements of the Act, as outlined in the DOB BPRM Item B-0350, each of the University’s state-operated campuses, statutory colleges, and system administration (campuses) should include the following elements within its internal control program. This approach may be modified as necessary to meet the unique characteristics, circumstances, and requirements of a campus.

  1. Requirements

    Internal control guidelines communicate an organization’s management and programmatic objectives to its employees and provide the methods and procedures used to assess the effectiveness of its internal controls in supporting those objectives. Campus internal control guidelines should:

    1. Establish and maintain guidelines for a system of internal controls.
      • Provide for the incorporation of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) conceptual framework adopted in the Standards for Internal Controls in New York State Government;
      • Describe the campus process for evaluating internal controls (See #2 for specifics);
      • Define the roles and responsibilities of campus leadership, unit directors/heads, functional area managers/supervisors, staff, and the internal control officer (See Appendix C);
      • State the Campus President’s support of internal controls to provide employees with an understanding of the benefits of effective controls (See #3 for specifics); and
      • Communicate the designation of an Internal Control Officer (See #4 for specifics).
    2. Establish and maintain a system of internal controls and a program of internal control review.

      The system of internal controls should be developed using the COSO conceptual framework, adopted in the Standards for Internal Controls in New York State Government, and should incorporate COSO’s five components and seventeen corresponding principles of internal control. Campuses should document the assessment of the presence and functioning of the five components and seventeen principles of COSO and any major deficiencies. (See Appendix B for a detailed outline of the COSO Framework).

      The program of internal control review provides for a formal process of evaluating the effectiveness of our major organizational units and systems and their control mechanisms. At a minimum, the campus process should:

      1. Commit personnel and assign responsibility (See Appendix C).
      2. Segment the campus into organizational “assessable” units to provide an organizational structure for the program, assignment of responsibilities and meaningful review of each unit’s major functions.
      3. Conduct risk assessments of the campus’ assessable units.

        Risk assessments should be conducted for each of the assessable units identified across the campus. Risk assessments provide a means of identifying and classifying risks within the unit. Units determined to be of high risk may be considered for an internal control review (See Appendix A).

      4. Conduct Internal Control Reviews

        Internal control reviews are detailed examinations that are performed to determine whether adequate control activities exist, are implemented, and are effective. This includes evaluating any relevant policies and procedures, testing the effectiveness of controls, and identifying control weaknesses in need of corrective action.

        The University has identified functional areas within and/or across units as high-risk, and campuses are required to conduct internal control reviews of these areas over a three-year recurring cycle. To assist campuses in conducting internal control reviews over these “pre-determined” high-risk areas, evaluation review templates and resource materials are available for campuses to utilize. Additional areas or units determined by the campus to be of high-risk should also be included in this review cycle.

      5. Institute a process to document and report control weaknesses identified, and for the monitoring of the corrective actions to be implemented.

        The internal control officer (and/or coordinator) should facilitate the performance of risk assessments and internal control reviews with campus management and staff. All results should be documented and recorded by the internal control officer. Any control weaknesses noted should be communicated in a timely manner by the internal control officer to management. Corrective action plans should be established by management to address these weaknesses. The implementation of corrective actions should be monitored by the internal control officer.

    3. Make available to each employee a clear and concise statement of the University’s/campus’s generally applicable management policies and standards with which each employee will be expected to comply, along with detailed policies and procedures the employees are expected to adhere to in completing their work.

      All existing employees and all new hires should be familiar with applicable federal, State, University, and campus policies and procedures. To communicate this effectively to all employees, a memorandum or “tone at the top” letter from the campus President should be issued periodically to the campus community that:

      • Sets clear expectations for employee adherence to applicable policies and procedures;
      • Emphasizes the importance of having effective internal controls and the responsibility for such upon each employee; and
      • Refers to the campus website and/or includes an informational brochure that contains references to the applicable laws, regulations, policies, and procedures, as well as standards of conduct expressing the expected behaviors of employees.

      It is not necessary for each employee to have copies of all such policies, procedures, and manuals; however, the employees should be provided with reasonable and convenient access to such material.

    4. Designate an Internal Control Officer (ICO) at the University-level and at each campus to implement and review the internal control responsibilities established pursuant to BPRM Item B-0350 and this guideline.  The designation of the ICO should be communicated to all employees.

      The University and each campus are required to designate an internal control officer. Based upon the internal control officer’s other responsibilities, it may be necessary to delegate certain operational aspects of the campus’ internal control program to designated staff (such as an internal control coordinator). The prescribed qualifications and responsibilities as they relate to the internal control efforts are outlined in Appendix C.

    5. Implement education and training efforts to ensure that employees have achieved adequate awareness and understanding of internal control standards and, as appropriate, evaluation techniques.

      Campuses should identify staff requiring internal control training and the depth and content of that training. The education and training efforts should be ongoing and may vary depending upon the degree of responsibilities of the employee. Specific courses may be directed at line staff, middle managers, and executive management. For campuses with internal audit functions, training and education should be offered on the appropriate role of the auditor within the campus’ internal control program.

    6. Periodically evaluate the need to establish, maintain or modify an internal audit function. If an internal audit function exists, it should operate in accordance with generally accepted professional standards for internal auditing.

      Pursuant to DOB BPRM Item B-0350, the University is required to maintain an internal audit function. The function is required to be:

      • Managed by a Director of Internal Audit (DIA). The DIA position must always remain separate and apart from the ICO position, and
      • Organized and operated in accordance with the Standards for the Professional Practice of Internal Auditing promulgated by the Institute of Internal Auditors.

      The decision to establish and maintain internal audit functions at the campuses is generally the prerogative of the campus presidents, although consultations with the University Auditor for such a need are encouraged.

  2. Reporting

    On or before April 30th of each year, the University is required by the DOB BPRM Item B-0350 to certify compliance with the provisions of the Act as outlined in the preceding sections of these guidelines, as well as any subsequent directives established by the DOB. The Chancellor signs the annual certification completed by the University ICO on behalf of the University, which is based upon an evaluation of the internal control activities present for the state fiscal year ended March 31st. As part of this annual process, the University requests that each campus complete and submit an Internal Control Certification signed by the Campus President that represents the justification for a campus’ level of compliance with the requirements of the Act. Campuses must:

    • Provide a thorough explanation of the specific actions the campus has taken to comply with each requirement and use as much space as needed to respond;
    • Indicate the campus’ level of compliance with each requirement and include justification for this assertion; and
    • For each requirement that is not fully compliant, include an action plan and estimated date/time of completion.

    The University ICO, as part of their responsibilities for monitoring the internal control program, will review each campus’s annual certification submission to note their level of compliance with the requirements of the Act. Implementation of campus corrective action plans regarding any requirements that were deemed not fully compliant and/or weaknesses identified during internal control reviews will be monitored.

    In addition to the Act, the Office of the State Comptroller (OSC) requires the head of each state agency (e.g., Commissioner, Chancellor, Executive Director) to submit a certification to the Comptroller annually that the agency has sufficient internal controls in place for various aspects of the payment process. OSC will specify which segments are required to be assessed for the given year. As part of this annual process, the University requests that each campus perform an assessment and submit an Internal Control Certification signed by the Campus President that represents the justification for a campus’ level of compliance with the annual requirements.


Internal Control Evaluation Templates and Resource Materials are available on the SUNY Blue Internal Control page.

Related Procedures

There are no related procedures relevant to this procedure.

Other Related Information

Internal Control Program

Internal Audit Function: NYS AAIC Act 1987

NYS Division of Budget, Budget Policy and Reporting Manual Item B-0350

Standards for Internal Control in New York State Government, NYS Office of the State Comptroller

Committee of Sponsoring Organizations (COSO) Internal Control - Integrated Framework

Standards for Internal Control in the Federal Government, United States Government Accountability Office (GAO)

New York State Internal Control Association (NYSICA)

International Standards for the Professional Practice of Internal Auditing, Institute of Internal Auditors (IIA)


NYS Executive Law - Article 45  (Internal Control Responsibilities of State Agencies)

NYS State Finance Law §8(2-b) and (2-c) (Duties of the New York State Comptroller relating to New York State Governmental Accountability, Audit and Internal Control Act and State agencies)

State University Board of Trustee Resolution, adopted June 17, 2014, Approval of Revisions to the State University of New York Internal Control Program



Appendix A - Risk Assessment Process

Appendix B - COSO Framework

Appendix C - Internal Control Responsibilities