Every employee shares a responsibility to make our working environment safe and effective. One important way we can help achieve this goal is to establish and follow appropriate campus policies on internal control.
Internal controls are methods and measures adopted by the college to promote the thoughtful and efficient use of state resources. For example, internal controls help ensure that all funds and cash receipts are properly accounted for and promptly deposited in bank accounts. Internal controls provide that complete and accurate records are kept of transactions involving students, and that college equipment is properly cared for and used only for its intended purposes. In short, a well-designed system on internal controls safeguards college assets and ensures accuracy and reliability in the use of such assets and in the performance of our respective jobs. All of us are responsible for adhering to the institution’s applicable internal controls.
In addition to the college’s system of internal controls, the Governmental Accountability, Audit and Internal Control Act of 1987 formalizes New York State’s commitment to efficient and effective business practices, quality services, and ethics in the operations of state government. The Internal Control Act is the basis for the SUNY Cortland’s Internal Control Program. It requires that all state agencies institute a formal internal control program. There are six requirements of the Internal Control Act of 1987 as shown below:
Examples of internal control systems include, but are not limited to:
The foundations of SUNY Cortland’s internal control systems are the various policies and procedures applicable to its daily operations. Below is a sample of basic foundations that affects all employees:
After the campus is segmented into assessable units, each unit's risk is assessed. This process may be done through a self assessment survey or a one-on-one discussion with the unit manager and the Internal Control Officer. By means of this evaluation, the campus evaluates its susceptibility to conscious or unintended abuses and reduced operational efficiencies. Some of the factors examined in the risk assessment are: inherent risk of the unit, management's attitude toward internal controls, physical location, frequency of review, and the rate of personnel turnover.
Upon completing a risk assessment, a rating of low, average or high risk is assigned to the assessable unit. These ratings are considered when scheduling internal control reviews.
Internal Control Review
The internal control review analyzes procedures and policies to insure they are functioning as intended and that they assist the unit in meeting its goals and objectives. Examples of procedures and policies that may be reviewed include, planning activities, program evaluations, the budget cycle, personnel transactions, and information systems, cash activities, contract management and capital programs.
Upon completion of the internal control review, recommendations may be made. The recommendations may require adding, deleting or changing internal controls or procedures for the unit. If recommendations are accepted, a timetable for implementation is agreed upon.
The final component in the internal control process is follow-up. This step is performed to verify that the recommended actions have been properly implemented and that the unit continues to function as intended.
Internal controls are actions taken to make sure the right things happen and the wrong things don't. There are two types of internal controls: preventative controls and detective controls.
Preventative controls are designed to keep errors or irregularities from occurring in the first place. They are built into internal control systems and require a major effort in the initial design and implementation stages. However, preventative controls do not require significant ongoing investments.
Detective controls are designed to detect errors and irregularities, which have already occurred and to assure their prompt correction. These controls represent a continuous operating expense and are often costly, but necessary. Detective controls supply the means with which to correct data errors, modify controls or recover missing assets.
Internal controls must meet basic standards to ensure that adequate internal control systems are established and maintained. There are two types of internal control standards: general and specific. General internal control standards describe what we want to achieve while specific internal control standards tell us how to achieve those objectives. Below are examples of general and specific internal control standards. Each example is followed by a brief explanation.
Managers have these additional responsibilities:
The Internal Control Officer spearheads the campus' Internal Control Program and
is responsible for the following:
New York State Internal Control Association
The Institute of Internal Auditors
American Institute of Certified Public Accountants
Association of College and University Auditors
National Association of College and University Business Officers
General Accounting Office