Skip to main contentSkip to footer content
 

SUNY ESF
Internal Control

To: ESF Community
From: Joanie M. Mahoney, President
Re: ESF's Internal Control Program
November 16, 2021

The mission of the College of Environmental Science and Forestry is to advance knowledge and skills, while promoting the leadership necessary for the stewardship of both the natural and designed environments.

As an agency of New York State, ESF is obligated to fulfill the requirements of the New York State Governmental Accountability, Audit and Internal Control Act of 1987

An Internal Control Program is the integration of activities, plans, attitudes, policies, procedures, and the efforts of people working together to provide reasonable assurance that an organization will achieve its objectives and mission. An effective internal control system is a high priority and requires cooperation on all levels to help ensure that ESF is successful in realizing our mission. This consists of methods and measures adopted by the College to promote the thoughtful and efficient use of State, and all other, resources. For example, internal controls help ensure that cash receipts are promptly deposited in bank accounts, protect personal information, provide for complete and accurate recordkeeping with respect to financial and student transactions, ensure compliance with the rules that govern us, and that college equipment is properly cared for and used only for its intended purposes. In short, a well-designed system of internal controls safeguards college assets and helps mitigate the various types of risk.

The Division of Budget (DOB) issued the Budget Policy and Reporting Manual Item B-0350, Governmental Internal Control and Internal Audit Requirements, which require certain internal control responsibilities and annual certification to DOB.

The requirements are:

  1. Establish and maintain guidelines for a system of internal control.
  2. Establish and maintain a system of internal controls and a program of internal control review.
  3. Make available to employees a statement of policies and standards with which they are expected to comply.
  4. Designate an Internal Control Officer to implement and review the internal control program.
  5. Implement education and training to ensure employees have adequate awareness and understanding of internal control standards.
  6. Evaluate the need for an Internal Audit function.

A successful internal control program depends on the participation of all employees at every level. Although we are each responsible for establishing internal control in our units, the responsibility for reviewing campus controls has been assigned to the Business Office with Dave Dzwonkowski (x6642) serving in the role of Internal Control Officer. You can expect to hear from them when your unit is selected for a review of your internal control systems. In addition, they are happy to collaborate with you in assessing the effectiveness of your unit's controls.

In closing, I encourage each of you to cooperate fully with our campus internal control team. Thank you for your participation and cooperation in this important and ongoing endeavor.


Internal Controls: What are they and why do we need them?

Internal controls encompass an organization's plan to meet its mission; promote performance leading to effective accomplishment of goals; safeguard assets; ensure accuracy and reliability of data; promote operational efficiency; and encourage adherence to prescribed managerial policies and procedures. Our competence and professional integrity are essential components of a sound internal control program. By knowing what our responsibilities are, we can help to provide reasonable assurance that our internal control systems are adequate and operating in an efficient manner.

The Internal Control Act, more specifically referred to as the New York State Governmental Accountability, Audit and Internal Control Act (originated in Chapter 814 of the Laws of 1987, then made permanent in Chapter 510 of the Laws of 1999), is the basis for the ESF Internal Control Program. The Internal Control Act requires that all state agencies, including SUNY institute a formal internal control program. There are six requirements of the Internal Control Act of 1987 as shown below:

  1. Maintain written internal control guidelines.
  2. Maintain an internal control system for continuous review of operations.
  3. Make a concise statement of policy and standards available to all employees.
  4. Designate an Internal Control Officer.
  5. Educate and train all employees on internal controls.
  6. Evaluate the need for an internal audit function.

The Basics of Internal Controls

Internal Controls

Internal Controls are an integral part of each system used to regulate and guide operations. Internal controls are designed to promote performance leading to the effective accomplishment of an organization's goals and objectives.

Internal Control Systems

Internal controls with a common purpose are grouped together and referred to as internal control systems. Basically, internal control systems are the laws, policies and procedures that affect the daily operations and management of ESF.

Examples of internal control systems include, but are not limited to:

  • External (federal, state, university) laws, regulations, policies, and procedures
  • Policies of the University Board of Trustees
  • College handbook, catalog, and other statements of policy and procedure
  • Academic curricular and course outlines
  • Student registration system
  • Financial and personnel procedures
  • College long-range plan
  • Collective bargaining unit contracts
  • Financial and operational audits
  • Employee performance programs and evaluations
  • Accreditations (Middle States, etc.)
  • Time and attendance reporting
  • Property (equipment) control
  • Electronic data and network security
  • Public safety, environmental safety, code compliance practices
  • Faculty Senate governance process
  • Service contracts, revocable permits
  • Building door lock systems and key control
  • Student and employee identification cards, etc.

Reasonable Assurance

Internal control systems must provide reasonable assurance that the objectives of the campus will be met in a cost effective manner. Reasonable assurance provides sufficient confidence that internal controls are functioning to ensure the organization will meet its goals and objectives.

The Cost of Internal Controls

Internal control systems should remain cost effective and not exceed the benefit derived.

Internal Control Objectives

The specific objectives of ESF's Internal Control Program are:

  • Compliance with laws, regulations, policies, procedures and guidelines;
  • Successful achievement of the campus mission, objectives, and goals;
  • Operational effectiveness, efficiency, and economy;
  • Safeguarding assets by preventing/minimizing waste, loss, and unauthorized use, or the misappropriation of funds;
  • Maintaining complete inventory of equipment items and verify the accuracy by periodic physical counts;
  • Accurate recording, preservation, and reporting of financial and other key data.

Internal Control Foundations

The foundations of ESF's internal control systems are the various policies and procedures applicable to its daily operations. Below are samples of basic foundations that affect all employees of ESF:

  • SUNY Procedures Manual
  • Public Officers Law
  • Campus Purchasing Procedures
  • Time and Attendance Policy
  • Policy Handbook
  • Hiring Practices
  • Transaction Processes

The Internal Control Process

The first step in the internal Control Process is to segment the organization by identifying the program and administrative functions necessary for the campus to carry out its mission. Functions identified through this process are called "assessable units" and provide the framework for the Internal Control Program. After the campus is segmented into assessable units, each unit's risk is assessed. This may be done through a self-assessment survey or a one-on-one discussion with the unit manager and the Internal Control Officer.

Through this process, the campus evaluates its susceptibility to conscious or unintended abuses and reduced operational efficiencies. Some of the factors examined in the risk assessment are: inherent risk of the unit, management's attitude toward internal controls, physical location, frequency of review, and the rate of personnel turnover. Upon completing a risk assessment, each assessable unit is given a rating of low, medium or high risk. These ratings are considered when scheduling area internal control reviews to analyze procedures and policies and ensure that areas are functioning as intended and assist the campus in meeting its goals and objectives.

Examples of procedures and policies that may be evaluated during an area review are planning activities, program evaluations, the budget cycle, personnel transactions, information systems, cash activities, contract management and capital programs. Upon completion of the area review, recommendations may be made to add, delete, or change internal controls or procedures for the assessable unit. The final component in the process is follow-up. This step is performed to verify that the recommended actions have been properly implemented and that the unit continues to function as intended.

Preventative and Detective Controls

Internal controls are actions taken to make sure that the right things happen and the wrong things do not. There are two types of internal controls: preventative controls and detective controls.

Preventative Controls

Preventative controls are designed to keep errors or irregularities from occurring in the first place. They are built into internal control systems and require a major effort in the initial design and implementation stages. However, preventative controls do not require significant ongoing investments.

Detective Controls

Detective controls are designed to detect errors and irregularities, which have already occurred and to assure their prompt correction. These controls represent a continuous operating expense and are often costly, but necessary. Detective controls supply the means with which to correct data errors, modify controls or recover missing assets.

Internal Control Standards

Internal controls must meet basic standards to ensure that adequate internal control systems are established and maintained. There are two types of internal control standards: general and specific. General internal control standards describe what we want to achieve while specific internal control standards tell us how to achieve those objectives. Below are examples of general and specific internal control standards. Each example is followed by a brief explanation.

General Standards

Reasonable Assurance
Internal control systems should provide reasonable assurance that the objectives of the organization will be accomplished.

Supportive Attitude
Managers and employees should maintain and demonstrate a positive and supportive attitude toward internal controls at all times.

Competent Personnel
Managers and employees should have personal and professional integrity and maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal controls.

Control Objectives
Internal control systems should help to assure compliance with laws and that the campus meets its goals and objectives.

Control Techniques
These are the means to accomplishing the objectives of the internal control systems (i.e. Specific Internal Control Standards).

Specific Standards

Documentation
Adequate records of all internal control systems, transactions and events should be maintained.

Records
All transactions and events should be recorded promptly and accurately.

Authorization
All transactions and events should be authorized and executed by persons within the scope of their authority.

Structure
Key duties and responsibilities in authorizing, processing, recording and reviewing transactions should be separated.

Supervision
Adequate supervision must be provided to ensure that internal control objectives are achieved.

Security
Access to and accountability for assets and records should be limited to authorized individuals.

Who's Responsible and For What?

Our competence and professional integrity are essential components of a sound internal control program. By knowing what our responsibilities are, we can help to provide reasonable assurance that our internal control systems are adequate and operating in an efficient manner. This section will identify the relationship between the theories and definitions presented thus far and your responsibilities as an employee.

Employee responsibilities:

  • Fulfilling the duties and responsibilities established in your job description.
  • Meeting applicable performance standards.
  • Participating in education and training programs to increase awareness and understanding of internal control standards.
  • Taking all reasonable steps to safeguard assets against waste, loss, unauthorized use and misappropriation.
  • Prohibiting the use of your official position to secure unwarranted privileges. When in doubt, ask your administrative supervisor to review the matter.
  • Reporting breakdowns in internal control systems to your supervisor.

Managers have these additional responsibilities:

  • Maintaining an office environment that encourages the design of internal controls.
  • Documenting policies and procedures that are to be followed in performing office functions.
  • Identifying the control objectives for the functions and implementing cost effective controls designed to meet those objectives.
  • Regularly testing the controls to determine if they are performing as intended.

The Internal Control Officer spearheads the campus' Internal Control Program and is responsible for the following:

  • Monitor and evaluate the organization's overall internal control system.
  • Coordinating the development and implementation of the campus' Internal Control Program.
  • Monitoring identified weaknesses and required corrective actions.
  • Ensuring that employees are informed of applicable policies and receive appropriate training in internal control.
  • Complete Central Administration required reporting requirements.

Positive Attitude

Commitment of Top Management
Employee attitude affects the quality of job performance and, as a result, the quality of internal controls. A positive attitude is initiated and fostered when internal controls are a consistent priority. Members of top management must demonstrate commitment to the campus' Internal Control Program.

Statements of policies and standards were developed at each campus and made available to all employees. These statements identify the basic policies common to all employees and encourage adherence to these for the benefit of the campus. These statements demonstrate the commitment of top management to the campus' Internal Control Program.

Training

Another factor essential to the success of ESF's Internal Control Program is adequate training in the area of internal controls. Training should familiarize employees with the objectives of the internal control program, how it operates, and the benefits it provides. A video slide presentation "Internal Controls Essentials" was implemented in early 2015 and all employees are required to view this each year (a link is provided on this webpage or you can contact Jim Fletcher at extension 4894 if you would like to see this presentation again).

Adequate training helps all employees understand the importance of their role in the campus' system of internal controls. In addition, management should be open to employee suggestions concerning the campus' internal control systems. Users are the best source of improvements to a system.

Reporting Fraud

Another factor essential to the success of ESF's Internal Control Program is adequate training in the area of internal controls. Training should familiarize employees with the objectives of the internal control program, how it operates, and the benefits it provides. A video slide presentation "Internal Controls Essentials" was implemented in early 2015 and all employees are required to view this each year (a link is provided on this webpage or you can contact Jim Fletcher at extension 4894 if you would like to see this presentation again).

Summary

Internal controls are already part of our daily operations. The controls developed and exercised by managers and their staffs are the substance of the internal control program. ESF's Internal Control Program helps to ensure that the controls are properly documented and that they are functioning as intended.

The goal is not to make each person an expert in internal controls, but to increase our awareness and understanding of internal controls. In fact, the single most important success factor of the Internal Control Program is a high level of individual awareness and understanding. Internal controls are everyone's responsibility; therefore, it is critical that each person is able to identify the internal controls that exist in their unit. We are all responsible to know what internal controls exist and how to evaluate their effectiveness.

A successful Internal Control Program will help to streamline our processes and improve the level and quality of our services. The result of ESF's Internal Control Program will be a better, more enjoyable work place and a quality institution of higher education.

For more information on internal controls or the status of ESF's internal control program, please contact ESF's internal control officer.

Additional References:

Links to Professional Organizations