Risk Management

Risk Management Office at SUNY Cortland

Every employee shares a responsibility to make our working environment safe and effective. One important way we can help achieve this goal is to establish and follow appropriate campus policies on internal control.

Internal controls are methods and measures adopted by the college to promote the thoughtful and efficient use of state resources. For example, internal controls help ensure that all funds and cash receipts are properly accounted for and promptly deposited in bank accounts. Internal controls provide that complete and accurate records are kept of transactions involving students, and that college equipment is properly cared for and used only for its intended purposes. In short, a well-designed system of internal controls safeguards college assets and ensures accuracy and reliability in the use of such assets and in the performance of our respective jobs. All of us are responsible for adhering to the institution’s applicable internal controls.

In addition to the college’s system of internal controls, the Governmental Accountability, Audit and Internal Control Act of 1987 formalizes New York State’s commitment to efficient and effective business practices, quality services, and ethics in the operations of state government. The Internal Control Act is the basis for SUNY Cortland’s Internal Control Program. It requires that all state agencies institute a formal internal control program. The six requirements of the Internal Control Act of 1987 are:

  1. Maintain written internal control guidelines.
  2. Maintain an internal control system for continuous review of operations.
  3. Make a concise statement of policy and standards available to all employees.
  4. Designate an Internal Control Officer.
  5. Educate and train all employees on internal controls.
  6. Evaluate the need for an internal audit function.


Internal Control Foundations

Examples of internal control systems include, but are not limited to:

  • External (federal, state, university) laws, regulations, policies, and procedures
  • Policies of the University Board of Trustees
  • College handbook, catalog, and other statements of policy and procedure
  • Academic curricular and course outlines
  • Student registration system
  • Financial and personnel procedures
  • College long-range plan
  • Bargaining contracts
  • Financial and operational audits
  • Employee performance programs and evaluations
  • Accreditations (Middle States, etc.)
  • Time and attendance reporting
  • Property (equipment) control
  • Electronic data and network security
  • Public safety, environmental safety, code compliance practices
  • Faculty Senate governance process
  • Service contracts, revocable permits
  • Building door lock systems and key control
  • Student and employee identification cards, etc.

The foundations of SUNY Cortland’s internal control systems are the various policies and procedures applicable to its daily operations. Below is a sample of basic foundations that affect all employees:

  • Personnel Handbook
  • SUNY Procedures Manual
  • Public Officers Law
  • Campus Purchasing Procedures
  • Time and Attendance Policy
  • Policy Handbook
  • Hiring Practices
  • Transaction Process


Risk Assessment and Management

After the campus is segmented into assessable units, each unit's risk is assessed. Risk management is an approach to aligning strategy, process, and knowledge to curtail negative surprises and financial losses. This process may be done through a self-assessment survey or a one-on-one discussion between the unit manager and the risk management officer. By means of this evaluation, the campus evaluates its susceptibility to conscious or unintended abuses and to reduced operational efficiency. International Organization for Standardization (ISO) 31000:2009 is applicable and adaptable to public enterprise. ISO 31000:2009 has provided generic guidelines for the design, implementation and maintenance of risk management processes throughout SUNY Cortland’s risk management program.

The scope of this approach to risk management is to enable all strategic, management and operational tasks of an organization throughout projects, functions, and processes to be aligned to a common set of risk management objectives.

Some of the factors examined in the risk assessment are: inherent risk of the unit, management's attitude toward internal controls, physical location, frequency of review, and the rate of personnel turnover.

Upon completing a risk assessment, a rating of low, average or high risk is assigned to the assessable unit. These ratings are considered when scheduling internal control reviews.

Internal Control Review

The internal control review analyzes procedures and policies to ensure they are functioning as intended and that they assist the unit in meeting its goals and objectives. Examples of procedures and policies that may be reviewed include planning activities, program evaluations, the budget cycle, personnel transactions, information systems, cash activities, contract management and capital programs.

Upon completion of the internal control review, recommendations may be made. The recommendations may require adding, deleting or changing internal controls or procedures for the unit. If recommendations are accepted, a timetable for implementation is agreed upon.

The final component in the internal control process is follow-up. This step is performed to verify that the recommended actions have been properly implemented and that the unit continues to function as intended.

Preventative and Detective Controls

Internal controls are actions taken to make sure the right things happen and the wrong things don't. There are two types of internal controls: preventative controls and detective controls.

Preventative Controls
Preventative controls are designed to keep errors or irregularities from occurring in the first place. They are built into internal control systems and require a major effort in the initial design and implementation stages.

Detective Controls
Detective controls are designed to detect errors and irregularities that have already occurred and to assure their prompt correction. These controls represent a continuous operating expense and can be costly but necessary. Detective controls supply the means with which to correct data errors, modify controls or recover missing assets.


Internal Control Standards

Internal controls must meet basic standards to ensure that adequate internal control systems are established and maintained. There are two types of internal control standards: general and specific. General internal control standards describe what we want to achieve while specific internal control standards tell us how to achieve those objectives. Below are examples of general and specific internal control standards. Each example is followed by a brief explanation.

General Standards

  • Reasonable Assurance
    Internal control systems should provide reasonable assurance that the objectives of the organization will be accomplished.
  • Supportive Attitude
    Managers and employees should maintain and demonstrate a positive and supportive attitude toward internal controls at all times.
  • Competent Personnel
    Managers and employees should have personal and professional integrity and maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal controls.
  • Control Objectives
    Internal control systems should help to assure compliance with laws and that the campus meets its goals and objectives.
  • Control Techniques
    These are the means of accomplishing the objectives of the internal control systems (i.e., the specific internal control standards listed below).

Specific Standards

  • Documentation
    Adequate records of all internal control systems, transactions and events should be maintained.
  • Records
    All transactions and events should be recorded promptly and accurately.
  • Authorization
    All transactions and events should be authorized and executed by persons within the scope of their authority.
  • Structure
    Key duties and responsibilities in authorizing, processing, recording and reviewing transactions should be separated.
  • Supervision
    Adequate supervision must be provided to ensure that internal control objectives are achieved.
  • Security
    Access to assets and records, and accountability for them, should be limited to authorized individuals.


Who's Responsible and For What?

Employee responsibilities:

  • Fulfilling the duties and responsibilities established in one's job description. Meeting applicable performance standards.
  • Attending education and training programs as appropriate to increase awareness and
  • Taking all reasonable steps to safeguard assets against waste, loss, unauthorized
    use and misappropriation.
  • Reporting breakdowns in internal control systems to your supervisor.
  • Refraining from the use of your official position to secure unwarranted privileges.

Managers have these additional responsibilities:

  • Maintaining an office environment that encourages the design of internal controls.
  • Documenting policies and procedures that are to be followed in performing office
  • Identifying the control objectives for the functions and implementing cost effective
    controls designed to meet those objectives.
  • Regularly testing the controls to determine if they are performing as intended.

The Risk Management Officer spearheads the campus' internal control, enterprise risk management, and compliance programs. This position is responsible for directing the College’s internal control, enterprise risk management, and compliance programs by developing, implementing, and/or evaluating internal control policies and procedures to ensure a system of accountability and oversight of the College’s operations to effectively and efficiently meet its goals and objectives while minimizing exposure to risk. Other duties of the position include:

  • Monitoring and evaluating the organization's overall internal control system.
  • Coordinating the development and implementation of the campus' Internal Control
  • Monitoring identified weaknesses and required corrective actions.
  • Ensuring that employees are informed of applicable policies and receive appropriate
    training in internal control.
  • Reporting the progress and status of the internal control program and areas of risk to senior campus management and, when appropriate, to the university auditor.
  • Completing the reporting required by Central Administration.
  • Managing certifications required by outside agencies such as the Office of the State Comptroller (OSC).
  • Chairing the SUNY Cortland Risk Management Steering Committee.
  • Identifying opportunities for increased effectiveness and efficiency in operations, such as e-commerce, automation of manual processes, etc.
  • Collaborating with the University Auditor to incorporate mandated compliance directives into Cortland’s existing internal control program.

Additional References:

Links to Professional Organizations:

New York State Internal Control Association

The Institute of Internal Auditors

American Institute of Certified Public Accountants

Association of College and University Auditors

National Association of College and University Business Officers

General Accounting Office


Risk Management

William G. Veit, MBA
Risk Management Officer
Miller Building, Room 324
Phone: 607-753-4584
Fax: 607-753-5688

Edith T. Pennell
Secretary 2
Miller Building, Room 330
Phone: 607-753-2303
Fax: 607-753-5688