I. THE INTERNAL CONTROL ACT
The Internal Control Act, more specifically referred to as the New York
State Governmental Accountability, Audit and Internal Control Act (originated
in Chapter 814 of the Laws of 1987, then made permanent in Chapter 510
of the Laws of 1999), is the basis for the Binghamton University Internal
Control Program. The Internal Control Act requires that all state agencies,
including SUNY, institute a formal internal control program.
Internal controls are an integral part of each system used to regulate and guide
operations. Internal controls are designed to promote performance leading
to the effective accomplishment of an organization's goals and objectives.
B. Internal Control Systems
Internal controls with a common
purpose are grouped together and referred to as internal control systems.
Basically, internal control systems are the laws, policies and procedures
that affect the daily operations and management of Binghamton University. There are
six requirements of the Internal Control Act of 1987 as shown below:
- Maintain written internal control guidelines.
- Maintain an internal control system for continuous review.
- Make a concise statement of policy and standards available to all employees.
- Designate an Internal Control Officer.
- Educate and train all employees on internal controls.
- Evaluate the need for an internal audit function.
C. Reasonable Assurance
Internal control systems must provide reasonable assurance that the
objectives of the campus will be met in a cost effective manner. Reasonable
assurance provides sufficient confidence that internal controls are
functioning to ensure the organization will meet its goals and objectives.
D. The Cost of Internal Controls
Internal control systems should remain cost effective and not exceed the benefit
II. UNIVERSITY INTERNAL CONTROL OFFICE
Stephen A. Gilje
Internal Control Officer
Office of the Vice President for Administration
Telephone No. 607-777-6137
Fax No. 607-777-4354
Internal Control Coordinator
Telephone No. 607-777-6137
Fax No. 607-777-4354
Office of Internal Control
PO Box 6000
Binghamton, NY 13902-6000
Office Hours: Mon-Fri from 8:30AM - 5:00PM
Summer Hours: Mon-Fri from 8:00AM – 4:00PM
Location: Couper Administration Building, Room 314
III. BINGHAMTON UNIVERSITY'S INTERNAL CONTROL PROGRAM
A. Binghamton University's Internal Control
Program provides us with a formal mechanism to help identify existing
controls and evaluate their effectiveness.
There are five specific objectives to Binghamton University's
Internal Control Program. CARES stands for these objectives as
- Compliance with applicable laws
- Accomplishment of the entity's mission
- Relevant and reliable data
- Economical and efficient use of resources
The foundations of Binghamton University's internal control systems
are the various policies and procedures applicable to its daily operations.
Below is a sample of basic foundations that affect all employees of
- SUNY Procedures Manual
- Public Officers Law
- Campus Purchasing Procedures
- Time and Attendance Policy
The first step in the Internal
Control Process is to segment the organization. Segmentation is the
process of identifying the program and administrative functions necessary
for the campus to carry out its mission. Functions identified through
this process are called "assessable units" and provide the
framework for the Internal Control Program.
D. Risk Assessment
After the campus is segmented into
assessable units, each unit's risk is assessed. This process may be
done through a self-assessment survey or a one-on-one discussion with
the unit manager and the Internal Control Officer. By means of this
evaluation, the campus evaluates its susceptibility to conscious or
unintended abuses and reduced operational efficiencies. Some of the
factors examined in the risk assessment are: inherent risk of the unit,
management's attitude toward internal controls, physical location, frequency
of review, and the rate of personnel turnover.
Upon completing a risk assessment,
a rating of low, average or high risk is assigned to the assessable
unit. These ratings are considered when scheduling internal control
The internal control review analyzes
procedures and policies to ensure they are functioning as intended and
that they assist the unit in meeting its goals and objectives. Examples of procedures and policies that may
be reviewed include: planning
activities, program evaluations, the budget cycle, personnel transactions,
information systems, cash activities, contract management and capital
Upon completion of the internal
control review, recommendations may be made. The recommendations may
require adding, deleting or changing internal controls or procedures
for the unit. If recommendations are accepted, a timetable
for implementation is agreed upon.
The final component in the internal
control process is follow-up. This
step is performed to verify that the recommended actions have been properly
implemented and that the unit continues to function as intended.
G. Preventive and Detective Controls
1. Preventive Controls are designed to keep errors or
irregularities from occurring in the first place. They are built
into internal control systems and require a major effort in the
initial design and implementation stages. However, preventive
controls do not require significant ongoing investments.
2. Detective Controls are designed to detect errors
and irregularities that have already occurred and to assure
their prompt correction. These controls represent a continuous
operating expense and are often costly, but necessary. Detective
controls supply the means with which to correct data errors, modify
controls or recover missing assets.
General Internal Control Standards describe what we want to achieve, while Specific Internal
Control Standards tell us how to achieve those objectives.
1. General Standards
a. Reasonable Assurance: Internal control systems should provide reasonable
assurance that the objectives of the organization will be accomplished.
b. Supportive Attitude: Managers and employees should maintain and demonstrate
a positive and supportive attitude toward internal controls
at all times.
c. Competent Personnel: Managers and employees should have personal
and professional integrity and maintain a level of competence
that allows them to accomplish their assigned duties, as well
as understand the importance of developing and implementing
good internal controls.
d. Control Objectives: Internal control systems should help to assure
compliance with laws and that the campus meets its goals and
e. Control Techniques: These are the means of accomplishing the objectives
of the internal control systems (i.e. Specific Internal Control
2. Specific Standards
a. Documentation: Adequate records of all internal control systems,
transactions, and events should be maintained.
b. Records: All transactions and events should be recorded promptly and accurately.
c. Authorization: All transactions and events should be authorized
and executed by persons within the scope of their authority.
d. Structure: Key duties and responsibilities in authorizing, processing, recording
and reviewing transactions should be separated.
e. Supervision: Adequate supervision must be provided to ensure that internal control
objectives are achieved.
f. Security: Access and accountability to assets and records should be limited
to authorized individuals.
IV. WHO IS RESPONSIBLE AND FOR WHAT?
A. All employees are responsible for the following:
1. Fulfilling the duties and responsibilities established
in their job description and meeting applicable performance standards.
2. Monitoring their work to ensure it is being done properly.
3. Correcting errors they identify before work is referred to higher levels for review.
4. Taking all reasonable steps to safeguard University assets and resources against waste,
loss, damage, unauthorized use, or misappropriation.
5. Reporting breakdowns in internal control systems or suggesting improvements to their
6. Refraining from using their position to secure
7. Attending education and training programs as appropriate to increase awareness and understanding.
B. Management, in general, has the following additional responsibilities:
1. Maintaining an appropriate internal control system in their areas of operation.
2. Educating staff regarding control activities and encouraging them to be alert to and report any irregularities.
3. Documenting policies and procedures that are to be followed in performing unit functions.
4. Maintaining a work environment that encourages employees to understand the purpose of policies and procedures and that supports the maintenance of a positive internal control environment.
5. Identifying the objectives for the unit and implementing cost effective internal controls designed to meet those objectives.
6. Regularly testing the internal controls implemented to determine if they are functioning as intended.
7. Reminding staff to note changes in their immediate internal and external environments, to identify any risks and to report opportunities for improvement.
8. Listening to employee suggestions concerning the internal control systems.
Particular to the management level, responsibilities are further outlined:
- Monitoring all activities and transactions in their unit to ensure that staff are performing their assigned responsibilities, control activities are functioning properly, the unit is accomplishing its goals, the unit's control environment is appropriate, communication is open and sufficient, and risks and opportunities are identified and properly addressed.
- Assessing how well controls are functioning in multiple units within an organization, and how well supervisors are monitoring their respective units.
- Monitoring activities on the major divisions of the organization.
- Monitoring for the existence of risks and opportunities in either the internal or external environment that might indicate the need for a change in the organization's plans.
V. Additional References