STATE UNIVERSITY OF NEW YORK AT BINGHAMTON

OFFICE OF THE VICE PRESIDENT FOR ADMINISTRATION
Policy Type:
Business Affairs

Policy Number:
215

Last Date Revised:
3/24/09 		Policy Title:
Internal Control
The following office is responsible for the accuracy of the information contained in this policy:

Associate Vice President for Administration

I.  THE INTERNAL CONTROL ACT OF 1987

The Internal Control Act, more specifically referred to as the New York State Governmental Accountability, Audit and Internal Control Act (originated in Chapter 814 of the Laws of 1987, then made permanent in Chapter 510 of the Laws of 1999), is the basis for the Binghamton University Internal Control Program. The Internal Control Act requires that all state agencies, including SUNY institute a formal internal control program.

     A. Internal Controls

Internal controls are an integral part of each system used to regulate and guide
operations. Internal controls are designed to promote performance leading to the effective accomplishment of an organization's goals and objectives.

B.  Internal Control Systems

Internal controls with a common purpose are grouped together and referred to as internal control systems. Basically, internal control systems are the laws, policies and procedures that affect the daily operations and management of Binghamton University. There are six requirements of the Internal Control Act of 1987 as shown below:

1.      Maintain written internal control guidelines.

2.      Maintain an internal control system for continuous review of operations.

3.      Make a concise statement of policy and standards available to all employees.

4.      Designate an Internal Control Officer.

5.      Educate and train all employees on internal controls.

6.      Evaluate the need for an internal audit function.

 C.  Reasonable Assurance

All internal control systems must provide reasonable assurance that the objectives of the campus will be met in a cost effective manner. Reasonable assurance provides sufficient confidence that internal controls are functioning to ensure the organization will meet its goals and objectives.

D.  The Cost of Internal Controls

Internal control systems should remain cost effective and not exceed the benefit derived.

II.  BINGHAMTON UNIVERSITY INTERNAL CONTROL OFFICER

CONTACT:

Terry Dylewski
AD-314A
Ext. 7-2653

dylewski@binghamton.edu

http://internalcontrol.binghamton.edu/


III. BINGHAMTON UNIVERSITY'S INTERNAL CONTROL PROGRAM

A.  Binghamton University’s Internal Control Program provides us with a formal mechanism to help identify existing controls and evaluate their effectiveness.  There are five specific objectives to Binghamton University’s Internal Control Program. CARES stands for these objectives as described below:

Compliance with applicable laws and policies
Accomplishment of the entity’s mission
Relevant and reliable data
Economical and efficient use of resources
Safeguard assets

B.      The foundations of Binghamton University’s internal control systems are the various policies and procedures applicable to its daily operations. Below is a sample of basic foundations that affects all employees of Binghamton University:

Personnel Handbook
SUNY Procedures Manual
Public Officers Law
Campus Purchasing Procedures
Time and Attendance Policy
Policy Handbook
Hiring Practices
Transaction Process

 C. Segmentation

The first step in the Internal Control Process is to segment the organization. Segmentation is the process of identifying the program and administrative functions necessary for the campus to carry out its mission. Functions identified through this process are called "assessable units" and provide the framework for the Internal Control Program.

D.  Risk Assessment

After the campus is segmented into assessable units, each unit's risk is assessed. This process may be done through a self-assessment survey or a one-on-one discussion with the unit manager and the Internal Control Officer. By means of this evaluation, the campus evaluates its susceptibility to conscious or unintended abuses and reduced operational efficiencies. Some of the factors examined in the risk assessment are: inherent risk of the unit, management's attitude toward internal controls, physical location, frequency of review, and the rate of personnel turnover.

Upon completing a risk assessment, a rating of low, average or high risk is assigned to the assessable unit. These ratings are considered when scheduling internal control reviews.

E. Internal Control Review

The internal control review analyzes procedures and policies to insure they are functioning as intended and that they assist the unit in meeting its goals and objectives.  Examples of procedures and policies that may be reviewed include:  planning activities, program evaluations, the budget cycle, personnel transactions, information systems, cash activities, contract management and capital programs.

Upon completion of the internal control review, recommendations may be made. The recommendations may require adding, deleting or changing internal controls or procedures for the unit.  If recommendations are accepted, a timetable for implementation is agreed upon.

F. Follow-up

The final component in the internal control process is follow-up.  This step is performed to verify that the recommended actions have been properly implemented and that the unit continues to function as intended.

G.  Preventive and Detective Controls

1.  Preventive Controls are designed to keep errors or irregularities from occurring in the first place.  They are built into internal control systems and require a major effort in the initial design and implementation stages. However, preventive controls do not require significant ongoing investments.

2.  Detective Controls are designed to detect errors and irregularities, which have already occurred and to assure their prompt correction.  These controls represent a continuous operating expense and are often costly, but necessary.  Detective controls supply the means with which to correct data errors, modify controls or recover missing assets.

H. Standards

General Internal Control Standards describe what we want to achieve, while Specific Internal Control Standards tell us how to achieve those objectives.

1.  General Standards

a.  Reasonable Assurance:  Internal control systems should provide reasonable assurance that the objectives of the organization will be accomplished.

b.  Supportive Attitude:  Managers and employees should maintain and demonstrate a positive and supportive attitude toward internal controls at all times.

c.  Competent Personnel:  Managers and employees should have personal and professional integrity and maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal controls.

d.  Control Objectives:  Internal control systems should help to assure compliance with laws and that the campus meets it goals and objectives.

e.  Control Techniques:  These are the means to accomplishing the objectives of the internal control systems (i.e. Specific Internal Control Standards). 

2.  Specific Standards

a.  Documentation:  Adequate records of all internal control systems, transactions, and events should be maintained.

b.  Records:  All transactions and events should be recorded promptly and accurately.

c.      Authorization:  All transactions and events should be authorized and executed by persons within the scope of their authority.

d.      Structure:  Key duties and responsibilities in authorizing, processing, recording and reviewing transactions should be separated.

e.      Supervision:  Adequate supervision must be provided to ensure that internal control objectives are achieved.

f.       Security:  Access and accountability to assets and records should be limited to authorized individuals.

IV.  WHO IS RESPONSIBLE AND FOR WHAT?

A.  Employee Responsibilities

1.   Fulfilling the duties and responsibilities established in one’s job description.

2.      Meeting applicable performance standards.

3.      Attending education and training programs as appropriate to increase awareness and understanding.

4.      Taking all reasonable steps to safeguard assets against waste, loss, unauthorized use and misappropriation.

5.      Reporting breakdowns in internal control systems to your supervisor.

6.      Refraining from the use of your official position to secure unwarranted privileges.

B.  Managers Responsibilities (in addition to those above)

1.   Maintaining an office environment that encourages the design of internal controls.

2.      Documenting policies and procedures that are to be followed in performing office functions.

3.      Identifying the control objectives for the functions and implementing cost effective controls designed to meet those objectives.

4.      Regularly testing the controls to determine if they are performing as intended.

V.  Additional References

http://internalcontrol.binghamton.edu/

http://www.budget.state.ny.us/guide/bprm/b/b350.html
Management Procedures
100 - Budget and Finance 600 - Personnel and Payroll
200 - Business Affairs 700 - Binghamton University Foundation
300 - Information Technology and Information Security 750 - Research Foundation
400 - Facilities and Property 800 - Security and Safety
500 - Institutional Services 900 - Office of the Provost