Internal Control Program Guidelines
December 12, 2014
This procedure item applies to:
Pursuant to the New York State Government Accountability, Audit and Internal Control Act (Act), this procedure provides guidelines for the implementation of the State University of New York’s (University) formalized program of internal control. The internal control program is designed to ensure that the University has a system of accountability for and oversight of its operations and to assist the University in achieving its goals and objectives.
The New York State Government Accountability, Audit and Internal Control Act (Act) requires that all state agencies institute a formal internal control program. In order to meet the requirements specified in the Act, the University and its campuses should include the following elements within their internal control programs. This approach is only a guide and may be modified as necessary to meet the unique characteristics, circumstances and requirements of a campus.
Internal control guidelines communicate an organization’s management and programmatic objectives to its employees and provide the methods and procedures used to assess the effectiveness of its internal controls in supporting those objectives.
According to the Division of Budget (DOB) Budget Policy and Reporting Manual Item B-350, internal control guidelines should:
Incorporation of the guidance provided herein will assist the campuses to adhere to the DOB directive.
The system of internal control should be developed using the COSO (Committee of Sponsoring Organizations of the Treadway Commission) conceptual framework adopted in the Standards for Internal Controls in New York State Government, and should incorporate COSO’s five components of internal control (See Appendix B for a detailed outline of these five elements). At minimum, the University’s recommended general approach to the evaluation and improvement process should:
These responsibilities will be prescribed by the University (See Appendix C), and should be reinforced by senior management at the campus level.
Managers should ensure that these objectives are documented for their respective function. The functional objectives should be used in developing the job responsibilities for each staff member within the functional unit.
The policies and procedures should be formalized, documented, and available to all appropriate staff members. Management should periodically review these policies and procedures, and update them as necessary to reflect current operations.
These assessable units will be the basis for conducting risk assessments and internal control reviews.
See Appendix A for the recommended risk assessment process. As a result of the risk assessment, each assessable unit should be categorized as high, medium or low risk. While some deficiencies may be noted and corrected during the risk assessment process, those areas deemed to be high risk should be the subject of an internal control review. An internal control review is a detailed examination of activities to determine whether adequate control activities exist, are implemented, and are effective. Testing internal controls provides assurance that functions operate as intended. Tests should be adequate to inform managers whether procedures are being followed and controls are working.
Internal control reviews must be conducted on all areas pre-determined by System Administration to be high risk over a three-year recurring cycle. Additional areas determined by the campus to be high risk should also be included in this review cycle. To assist campuses in conducting internal control reviews, checklists and tools are available on the SUNY website. Management should conduct these reviews for their respective areas in conjunction with the internal control officer/coordinator.
Management, in conjunction with the internal control officer/coordinator, should determine the significance level assigned to each risk identified and how it relates in calculating the overall risk level of the unit/function.
In-depth internal control reviews are designed to test the control activities in place to help mitigate risks. The tools and checklists available to campuses have been developed using the COSO internal control framework, as well as the Manager’s Testing Guide published by the New York State Division of Budget.
The internal control officer/coordinator should facilitate and oversee all risk assessments and internal control reviews. All results should be documented and recorded by the internal control officer. Any control deficiencies noted should be communicated in a timely manner by the internal control officer to management. Corrective action plans should be established by management to address these deficiencies. The implementation of corrective actions should be monitored by the internal control officer.
All existing employees and all new hires should be familiar with applicable Federal, State, University, and campus policies and procedures. In order to communicate this effectively to all employees, a memorandum or “tone at the top” letter from the campus president should emphasize the importance of having good internal controls and assigning the responsibility for such upon each officer and employee. The memorandum or letter should refer the campus community to a campus website and/or include an informational brochure. These informational sources should contain references to the applicable laws, regulations, policies, and procedures, as well as standards of conduct expressing the expected behaviors of employees. It is not necessary for each employee to have copies of all such policies, procedures, and manuals; however, the employees should be provided with reasonable and convenient access to such material.
The University and each of its affected campuses are required to designate an internal control officer. Based upon the internal control officer’s other responsibilities, it may be necessary to delegate certain operational aspects of the campus’ internal control program to designated staff (such as an internal control coordinator). The prescribed qualifications and responsibilities as they relate to the internal control efforts are outlined in Appendix C.
Campuses should identify staff requiring internal control training and the depth and content of that training. The education and training efforts should be ongoing, and may vary depending upon the degree of responsibilities of the employee. Specific courses should be directed at line staff, middle managers and executive management. For campuses with internal audit functions, training and education should be offered on the appropriate role of the auditor within the campus’ internal control program.
Under DOB Budget Policy and Reporting Manual Item B-350, the University is required to maintain an internal audit function. The function is required to be maintained in conformance with internal audit standards promulgated by the Institute of Internal Auditors in their International Standards for the Professional Practice of Internal Auditing (IIA Standards). The decisions to establish and maintain internal audit functions at the campuses are the prerogative of the campus presidents, although consultations with the University Auditor for such a need are encouraged. Adherence to the auditing standards noted above is also required of campus-based auditors.
On or before April 30th the University is required by DOB Budget Policy and Reporting Manual Item B-350 to certify compliance with the provisions of the Act as outlined in the preceding sections of these guidelines, as well as any subsequent directives established by DOB. The Chancellor signs the annual certification on behalf of the University, which is based upon an evaluation of the internal control activities present for the state fiscal year ended March 31st. As part of this process, the University requests that the presidents of State-operated campuses, chief administrative officers of contract colleges, and System Administration also affirm compliance with provisions of the Act, or where such affirmation is not possible, submit a corrective action plan to achieve compliance as soon as practical. Self-assessment tools have been made available to all campuses to assist in the evaluation of compliance. Compliance activities may also be the subject of an internal or external audit.
The University, as part of its responsibilities for monitoring the internal control program, also requires all campuses to report annually in conjunction with their certification the status of specific, significant internal control activities, testing, and resolution of findings contained in pertinent audits of University/campus activities or programs. Significant deficiencies identified during internal control reviews should be noted, as well as actions taken (or planned) to address these deficiencies. The University is responsible for monitoring each campus’ noted deficiencies and will assess whether significant weaknesses are adequately addressed in subsequent reporting periods. The University’s internal control officer or coordinator submits the forms provided for the annual status report.
In addition to the Act, the Office of the State Comptroller (OSC) requires the head of each state agency (e.g. Commissioner, Chancellor, Executive Director), or their designee, to submit a certification to the Comptroller annually that the agency has sufficient internal controls in place for various aspects of the procurement process. OSC will specify which segments will require certification for the given year.
Internal Control and Risk Management Templates and Forms are available on the SUNY Blue Internal Control and Risk Management page.
There are no related procedures relevant to this procedure.
Internal Audit Function: NYS AAIC Act 1987
NYS Division of the Budget, Budget Policy and Reporting Manual Item B-350
Standards for Internal Controls in New York State Government, Office of the State Comptroller
NYS Internal Control Task Force
NYS Division of the Budget, Manager’s Guide - Testing Compliance with Internal Control Requirements
Standards for Internal Controls in Federal Government, United States General Accounting Office (GAO)
Internal Control Management Evaluation Tool, United States General Accounting Office (GAO)
International Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors
NYS Internal Control Association (NYSICA)
The following link to FindLaw's New York State Laws is provided for users' convenience; it is not the official site for the State of
NYS Public Officers Law §87(2)(g)(iv) (Access to State Agency Records- External Audits, Freedom of Information Law).
In case of questions, readers are advised to refer to the New York State Legislature site for the menu of New York State Consolidated.
The following links to FindLaw's New York State Laws are provided for users' convenience; it is not the official site for the State of
NYS Executive Law §950 (Internal Control Responsibilities of State Agencies)
NYS State Finance Law §8(2-b) and (2-c) (Duties of the New York State Comptroller relating to New York State Governmental Accountability, Audit and Internal Control Act and State agencies)
In case of questions, readers are advised to refer to the New York State Legislature site for the menu of New York State Consolidated.
• April 20, 1999 – Chapter 510, Laws of 1999, effective January 1, 1999 amending the provisions of the New York State Governmental Accountability, Audit and Internal Control Act of 1987
• March 25 and 26, 1996 – Board of Trustee Resolution No. 96-45, Approval of Revisions to State University of New York Internal Control Program
• August 4, 1993 – Chapter 597, Laws of 1993 amending and extending provisions of the New York State Governmental Accountability, Audit and Internal Control Act of 1987 until January 1, 1999
• January 16, 1990 – Memorandum to Presidents, State-operated campuses enclosing the Division of the Budget’s Policy and Reporting Manual Item B-350 dated October 30, 1989, requiring a certification of compliance with requirements of the Internal Control Act by affected State agencies on or before March 31 annually
• May 26, 1989 – Memorandum to Presidents, Vol. 89 No. 8 from the Office of the Senior Vice Chancellor to Presidents, State-operated campuses and Deans, Statutory Colleges issuing the State University of New York Internal Control Guidelines
• March 22, 1989 – Board of Trustee Resolution No. 89-48, Implementation of the New York State Governmental Accountability, Audit and Internal Control Act of 1987 as it relates to Internal Audit
• December 28, 1988 – Division of the Budget, Budget Bulletin B-1090 requiring the State University as one of the State agencies to establish and maintain an internal audit unit in conformance with internal audit standards
• November 10, 1988 – Division of the Budget, Budget Bulletin B-1089 providing a schedule of State agencies covered by the Internal Control Act, including the State University
• May 24, 1988 – Board of Trustee Resolution No. 88-80, Establishment of the Audit Committee of the Board of Trustees
• June 15, 1988 – Letter from Acting Chancellor to the Director of the Budget providing DOB with the University’s response to Budget Bulletin B-1084
• May 18, 1988 – Division of the Budget, Budget Bulletin B-1084 directing all State agencies to complete an internal audit evaluation and attached questionnaire
• July 2, 1987 – New York State Governmental Accountability, Audit and Internal Control Act, Chapter 814, Laws of 1987
Appendix A - Risk Assessment Process
Appendix B - COSO Framework
Appendix C - Internal Control Responsibilities