Understanding Internal Controls


Internal control, as defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), is “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.”

All of us share the responsibility of ensuring our working environment is safe and effective. One important way we can help achieve this goal is to establish and follow appropriate policies and procedures on internal control.

The purpose of Understanding Internal Controls is to provide employees with internal control guidelines that will help identify the methods and measures adopted by System Administration to promote the thoughtful and efficient use of state resources.



Given that internal controls depend on the participation of all employees at every level, every employee should be aware of the University’s goals and their role in attaining these goals. Employee competence and professional integrity are essential components of a sound internal control program. By knowing what our responsibilities are, we can help provide reasonable assurance that our internal control systems are adequate and operating in an efficient manner.

System Administration's Internal Control Program, in conjunction with Understanding Internal Controls, is designed to provide reasonable assurance that:

  • System Administration's assets are protected and safeguarded against loss,
  • Records are reliable and accurate,
  • Operations are efficient and effective, and
  • Policies and procedures establish what should be done, how it should be done and by whom.


Management's Commitment

A successful internal control environment requires management's commitment and support. Management's goal is not to make each person an expert in internal controls, but to increase awareness and understanding of why we need them and how we use them.

Executive management is committed to System Administration's Internal Control Program and strongly encourages adherence to the program for the betterment of the University.



The Office of the University Controller is assigned the responsibility to oversee and coordinate System Administration's Internal Control Program. The University Controller has been designated the Internal Control Officer and is responsible for implementation of this program.

Although management is primarily responsible for implementing internal controls, every employee participates in establishing, properly documenting and maintaining internal controls.

Employees are responsible for complying with internal controls by:

  • Successfully fulfilling the duties and responsibilities established in their job description;
  • Monitoring work to ensure it is done properly and that errors are corrected promptly;
  • Meeting applicable performance standards;
  • Taking all reasonable steps to safeguard assets against waste, loss, unauthorized use and misappropriation;
  • Adhering to all applicable policies and procedures;
  • Attending education and training programs to increase awareness and understanding; and
  • Reporting breakdowns in internal control systems to their supervisor or manager.

Managers and supervisors are responsible for executing control policies and procedures within their departments by:

  • Maintaining a positive office environment that encourages internal controls,
  • Documenting policies and procedures that are to be followed in performing office functions,
  • Identifying the control objectives for each function and implementing cost effective controls designed to meet those objectives, and
  • Regularly testing the controls to verify they are performing as intended.


Internal Control Systems

Internal control systems are basic management practices that usually involve two elements: a policy establishing what should be done and procedures used to support the policy. Internal control systems typically come from senior management's interpretation of the University's strategic initiatives, laws and regulations, or industry standards and practices.

University policies and procedures are used to:

  • Ensure management directives are carried out,
  • Set University standards, and
  • Communicate regulations that apply to all personnel.

Each employee is expected to adhere to established internal controls and all applicable management policies and standards issued by the State of New York, the State University and System Administration pertaining to (but not limited to):

  • Policies and Procedures of the University Board of Trustees
  • Bargaining contracts
  • Employee performance programs and evaluations
  • Property (equipment) control
  • Electronic data and network security
  • Public safety environmental safety/code compliance practices
  • Time and attendance reporting
  • Human Resource Policies (such as Smoking Policy, Parking Garage Guidelines, Telephone Policies, etc.)
  • State Procurement Guidelines (contracts, travel)


Internal Control Act

In addition to System Administration's system of internal controls, the Governmental Accountability, Audit and Internal Control Act of 1987 (Act) formalizes New York State's commitment to efficient and effective business practices, quality services, and ethics in the operations of state government. The provisions of the Act are intended to ensure that State funds are spent properly and that state agencies, including SUNY, function effectively to meet their objectives.

Under this legislation, System Administration must annually certify to the Chancellor, who in turn reports to the Division of Budget, that the University’s Internal Control Program is in compliance with each of the Act’s requirements.


Types of Control

Controls can be either preventative or detective. Preventative controls attempt to deter or prevent undesirable events from occurring. Separation of duties, proper authorization, adequate documentation, passwords, physical control over assets and even traffic signs are all examples of preventative controls.

Detective controls attempt to detect errors or irregularities which have already occurred. Reviews, analyses, reconciliations, periodic physical inventories, audits and surveillance cameras are all examples of detective controls.

Both types of controls are essential to an effective internal control system. From a quality standpoint, preventative controls are essential because they are proactive. However, detective controls play a critical role in providing evidence that preventative controls are functioning effectively.


Control Activities

The following internal controls can be used to ensure management policies and procedures are adhered to:

  • Implement segregation of duties that divides responsibilities among different employees to reduce the risk of error or inappropriate actions.
  • Ensure transactions are properly authorized, consistent with university policy, and adequately funded.
  • Ensure records are routinely reviewed and reconciled to verify that transactions have been properly processed.
  • Provide employees with appropriate training and guidance to ensure they have the knowledge necessary to carry out their job duties, are provided with an appropriate level of direction and supervision, and are aware of the proper channels for reporting improprieties.
  • Make certain equipment is secured physically and regularly reconciled to inventory records. Passwords and other restricted or confidential information should be protected against theft, destruction, deterioration or misuse.
  • Make sure University and departmental level policies and operating procedures are formalized and communicated to employees. Documenting policies and procedures and making them accessible to employees helps provide day-to-day guidance to staff and will promote continuity of activities in the event of prolonged employee absences or turnover.

Information related to University policies and procedures.

Information related to State policies and procedures.


Implementing Internal Controls

As you carry out your routine job responsibilities or are thinking about implementing a new procedure or process, ask yourself the following questions:

  • What could go wrong?
  • What steps have been taken to assure something doesn't go wrong?
  • How do you know things are under control?



There are always inherent limitations to internal controls and risk can't always be foreseen or eliminated. Each time we make a change to an existing system, we run the risk of weakening the underlying internal controls. No matter how well internal controls are designed, they can only provide reasonable assurance that a positive outcome can be achieved.


Components of Internal Control

There are five basic components of internal controls, as defined in the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Internal Control Framework:

  1. Control Environment - The control environment sets the foundation for all other components of internal control, and is a product of management’s governance. Senior management establishes a tone at the top by expressing their support in implementing and maintaining effective internal controls. This tone should successfully integrate ethical values and integrity, sound reporting structures, appropriate levels of authority and responsibility, the independence of senior management, and a commitment to attract and retain competent individuals. Internal controls are most effective in a positive control environment. Management helps foster a positive control environment by practicing the most effective philosophy, style and supportive attitude and maintaining high levels of morale.
  2. Risk Assessment - The risk assessment process is conducted to identify and analyze the risks to achieving objectives, and helps form a basis for how risks should be managed. Objectives must be clearly defined for a risk assessment to be most effective. When assessing risks, management should consider changes in the external business environment, internal business model, and the potential for fraudulent activities.
  3. Control Activities - Management should establish appropriate control activities, as well as employee expectations in performing these activities, in all policies and relevant procedures to help ensure management’s directives to mitigate risks are carried out. Control activities are performed at all levels, at various stages of business processes, and over technology. These activities include, but are not limited to, segregation of duties, timely reconciliations, and supervisory review.
  4. Information and Communication - Communication of relevant, reliable, and quality information is essential in carrying out internal control responsibilities. Objectives and responsibilities for internal control are communicated internally, allowing employees to understand the importance of, as well as their role in, maintaining effective internal controls. Matters affecting the functioning of other components of internal control are communicated externally. Use of effective communication provides the information necessary to carry out the day-to-day internal control activities.
  5. Monitoring Activities - Management should establish a monitoring system to evaluate the internal controls in place to ensure they are adequate and functioning correctly. Monitoring of internal controls should be ongoing, with identified weaknesses or deficiencies communicated in a timely manner. Deficiencies that are more serious in nature must be reported to senior management and the board. Corrective actions must also be regularly monitored to ensure they are implemented in a timely and effective manner.

In order for internal controls to be effective, employees should:

  • Read and understand the policies and procedures related to their position,
  • Report to their supervisor or manager any control weaknesses that would prevent them from successfully fulfilling the responsibilities of their position, and
  • Adhere to System Administration's management policies and standards.


Balancing Risks and Controls

In order to achieve a balance between risks and controls, internal controls should be proactive, value-added and cost-effective. Excessive control can be costly and counterproductive while too little control presents undue risk. The cost of implementing a control shouldn't outweigh its benefit. For example, staff size limitations may obstruct efforts to properly segregate duties, but it may be possible to implement compensating controls such as random testing or document review.


Risk Management

The underlying theme throughout Understanding Internal Controls is to (1) identify risks that may prevent objectives from being achieved and (2) do what is necessary to manage those risks. Thus, setting goals and objectives is a precondition to internal controls. The SUNY Strategic Plan for 2010 and Beyond, “The Power of SUNY,” outlines the main goals and objectives to which the University will commit its efforts and resources. SUNY’s “Six Big Ideas” involve a number of University-wide goals that include collaborating with local entrepreneurs and businesses, fast-tracking the research process by aligning SUNY researchers with private organizations across the state, expanding distance learning and international education, and increasing funding through venture capital and grants.

Each department within System Administration must align its objectives to support SUNY’s strategy. As such, these departments must assess and monitor the risks associated with these goals and implement adequate controls to help achieve these objectives. Such controls may include conducting background checks to ensure the organizations that SUNY partners with conduct business with a high level of integrity, using contract agreements with private research partners to protect SUNY’s ownership of end products, enhancing IT infrastructure and security to mitigate the inherent risks of expanding the online learning environment, establishing an effective monitoring system to provide additional safety for students in countries experiencing turmoil, and reconciling statements regularly to ensure funds invested in support of these goals are received and disbursed appropriately.

The process of identifying and analyzing risk is ongoing, and is a critical component of an effective internal control system. Attention must be focused on risks at all levels, as well as the necessary actions that must be taken to effectively manage them. Risk can pertain to both internal and external factors, such as:

External factors:

  • Economic changes
  • Changing customer needs or expectations
  • New or changed legislation or regulations
  • Technological developments
  • Natural catastrophes

Internal factors:

  • New personnel
  • New or revamped information systems
  • Changes in management responsibilities
  • Unfamiliarity with policies or procedures


Measuring Risk - The Risk Assessment

The framework for the Internal Control Program is based on identifying and testing the programs and administrative functions necessary for System Administration to carry out its mission. Functions can be identified through organizational charts, departmental budgets, policy and procedural manuals, job descriptions, and information systems. The identified functions are referred to as "assessable units".

To properly assess the current level of risk associated with a function, risk assessments address such factors as:

  • Management's attitude towards maintaining effective internal control systems,
  • Technical or administrative complexity,
  • The existence of adequate organizational charts, lines of communication, and clear designation of work assignments,
  • Demonstrated adherence to prescribed policies and procedures,
  • The fiscal implications of the function including budget management, handling of cash receipts and disbursements, or contract approvals,
  • The sensitive nature of the function and the extent to which decisions can be influenced by external sources, time constraints, or conflicts of interest,
  • The professional training and technical proficiency of staff needed to perform the function,
  • The stability of the operation in terms of changes in functional responsibilities resulting from staff turnover, permanence of the functional unit and reconfigurations of the organizational structure,
  • The frequency of internal or external audits and the significance of the findings, and
  • The inherent risk associated with the function regardless of the existence of adequate internal controls.

SUNY has established eight pre-defined areas considered to be of high risk and, as such, should be reviewed regularly as part of the internal control program. These areas include revenue and cash management, procurement, personnel and payroll, computer operations, financial aid, disaster planning and recovery, and the general control environment. System Administration periodically reviews these areas (excluding financial aid) over a three-year cycle. Areas identified as having moderate to high risk are considered for review in future cycles, as necessary.


Internal Control Review

The need for a more in-depth internal control review of a function relates to the level of risk determined by the risk assessment. Functions identified as more vulnerable could be candidates for a more formal internal control review regardless of whether the risk assessment identified any internal control weaknesses. System Administration’s internal control review process includes the completion of internal control questionnaires, staff interviews, analysis of policies and procedures, observation of functions and operations, and testing of controls currently in place to determine their adequacy and effectiveness. For any material weaknesses identified during the review process, the respective department manager is notified and must submit a corrective action plan to the Internal Control Officer along with a timeframe for resolution. Follow-up measures are used to ensure corrective actions are implemented. Implementation of these actions is monitored using tools such as Excel spreadsheets, Outlook calendar reminders, and email.


Reporting Compliance Concerns and Fraud

We are all responsible for creating and maintaining a compliance-conscious environment. This includes asking questions if you’re not sure what to do and raising concerns if you see something you don’t think is right. Early recognition of a problem can prevent something small from becoming big. Please report your concerns to one of the following:



Internal controls are a part of our daily operations. The controls developed and exercised by managers and their staff are the substance of the Internal Control Program. System Administration's Internal Control Program and its related training and testing help to ensure that the controls are properly documented and functioning as intended.

As available resources decline, the need for adequate internal control is more important than ever. Fewer people are doing more work with less time and less funding. Opportunities for fraud, waste, and abuse increase significantly in a weak internal control environment. The single most important success factor of the Internal Control Program is a high level of individual awareness and understanding. Internal controls are everyone's responsibility; therefore, we are all responsible for knowing what internal controls exist and how to evaluate their effectiveness.

A successful Internal Control Program will help streamline our processes and improve the quality of our services. The result will be a better, more enjoyable work place and a quality institution of higher education.

Please feel free to contact us for more information regarding System Administration’s Internal Control Program.
