
This article will explain why training is so important to the success of internal audit. Several
new initiatives will be outlined covering the IIA’s new internal audit competencies, the NVQ
scheme, learning and the so-called “expert”, along with a newly developed three circles
model. The material is intended to allow audit management to assess where its audit shop
stands in terms of its current strategy. The next step is to carry out a formal assessment of
the staff development strategy by using the enclosed checklist. Keeping up to date is
essential since no audit shop can afford to be left behind. We are concerned with
developing your staff. The top and bottom line revolves around this all‐important concept.
The next step is to establish whether you are in a position to live up to your contention.
Test your position – if you mean to do more than merely pay lip service to staff
development, you might consider the material in this article and work out how much you are
already doing and how much further you may need to go.

Understanding Internal Controls


INTRODUCTION
Internal control, as defined by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO), is “a process, effected by an entity’s board of directors,
management and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives in the following categories: effectiveness and efficiency of
operations, reliability of financial reporting, and compliance with applicable laws and
regulations.”

All of us share the responsibility of ensuring our working environment is safe and
effective. One important way we can help achieve this goal is to establish and follow
appropriate policies and procedures on internal control.

The purpose of Understanding Internal Controls is to provide employees with internal
control guidelines that will help identify the methods and measures adopted by System
Administration to promote the thoughtful and efficient use of state resources.


SCOPE
Given that internal controls depend on the participation of all employees at every level,
every employee should be aware of the University’s goals and their role in attaining these
goals. Employee competence and professional integrity are essential components of a
sound internal control program. By knowing what our responsibilities are, we can help
provide reasonable assurance that our internal control systems are adequate and operating
in an efficient manner.

System Administration's Internal Control Program, in conjunction with Understanding
Internal Controls, is designed to provide reasonable assurance that:

• System Administration's assets are protected and safeguarded against loss,
• Records are reliable and accurate,
• Operations are efficient and effective, and
• Policies and procedures establish what should be done, how it should be done and by
  whom.

MANAGEMENT'S COMMITMENT
A successful internal control environment requires management's commitment and
support. Management's goal is not to make each person an expert in internal controls, but
to increase awareness and understanding of why we need them and how we use them.

Executive management is committed to System Administration's Internal Control
Program and strongly encourages adherence to the program for the betterment of the
University.


RESPONSIBILITY
The Office of the University Controller is assigned the responsibility to oversee and
coordinate System Administration's Internal Control Program. The University Controller
has been designated the Internal Control Officer and is responsible for implementation of
this program.

Although management is primarily responsible for implementing internal controls, every
employee participates in establishing, properly documenting and maintaining internal
controls.

Employees are responsible for complying with internal controls by:

• Successfully fulfilling the duties and responsibilities established in their job
  description;
• Monitoring work to ensure it is done properly and that errors are corrected promptly;
• Meeting applicable performance standards;
• Taking all reasonable steps to safeguard assets against waste, loss, unauthorized use
  and misappropriation;
• Adhering to all applicable policies and procedures;
• Attending education and training programs to increase awareness and understanding;
  and
• Reporting breakdowns in internal control systems to their supervisor or manager.

Managers and supervisors are responsible for executing control policies and
procedures within their departments by:

• Maintaining a positive office environment that encourages internal controls,
• Documenting policies and procedures that are to be followed in performing office
  functions,
• Identifying the control objectives for each function and implementing cost effective
  controls designed to meet those objectives, and
• Regularly testing the controls to verify they are performing as intended.

INTERNAL CONTROL SYSTEMS


Internal control systems are basic management practices that usually involve two
elements: a policy establishing what should be done and procedures used to support the
policy. Internal control systems typically come from senior management's interpretation
of the University's strategic initiatives, laws and regulations, or industry standards and
practices.

University policies and procedures are used to:

• Ensure management directives are carried out,
• Set University standards, and
• Communicate regulations that apply to all personnel.

Each employee is expected to adhere to established internal controls and all applicable
management policies and standards issued by the State of New York, the State University
and System Administration pertaining to (but not limited to):

• Policies and Procedures of the University Board of Trustees
• Bargaining contracts
• Employee performance programs and evaluations
• Property (equipment) control
• Electronic data and network security
• Public safety environmental safety/code compliance practices
• Time and attendance reporting
• Human Resource Policies (such as Smoking Policy, Parking Garage Guidelines,
  Telephone Policies, etc.)
• State Procurement Guidelines (contracts, travel)


INTERNAL CONTROL ACT


In addition to System Administration's system of internal controls, the Governmental
Accountability, Audit and Internal Control Act of 1987 (Act) formalizes New York
State's commitment to efficient and effective business practices, quality services, and
ethics in the operations of state government. The provisions of the Act are intended to ensure
that State funds are spent properly and that state agencies, including SUNY, function
effectively to meet their objectives.

Under this legislation, System Administration must annually certify to the Chancellor,
who in turn reports to the Division of Budget, that the University’s Internal Control
Program is in compliance with each of the Act’s requirements.


TYPES OF CONTROL
Controls can be either preventative or detective. Preventative controls attempt to deter or
prevent undesirable events from occurring. Separation of duties, proper authorization,
adequate documentation, passwords, physical control over assets and even traffic
signs are all examples of preventative controls.

Detective controls attempt to detect errors or irregularities which have already occurred.
Reviews, analyses, reconciliations, periodic physical inventories, audits and surveillance
cameras are all examples of detective controls.

Both types of controls are essential to an effective internal control system. From a quality
standpoint, preventative controls are essential because they are proactive. However,
detective controls play a critical role by providing evidence that preventative controls are
functioning effectively.



CONTROL ACTIVITIES
The following internal controls can be used to ensure management policies and
procedures are adhered to:

• Implement segregation of duties that divide responsibilities among different
  employees to reduce the risk of error or inappropriate actions.
• Ensure transactions are properly authorized, consistent with university policy, and
  adequately funded.
• Ensure records are routinely reviewed and reconciled to verify that transactions have
  been properly processed.
• Provide employees with appropriate training and guidance to ensure they have the
  knowledge necessary to carry out their job duties, are provided with an appropriate
  level of direction and supervision, and are aware of the proper channels for reporting
  improprieties.
• Make certain equipment is secured physically and regularly reconciled to inventory
  records. Passwords and other restricted or confidential information should be
  protected against theft, destruction, deterioration or misuse.
• Make sure University and departmental level policies and operating procedures are
  formalized and communicated to employees. Documenting policies and procedures
  and making them accessible to employees helps provide day-to-day guidance to staff
  and will promote continuity of activities in the event of prolonged employee
  absences or turnover.

IMPLEMENTING INTERNAL CONTROLS


As you carry out your routine job responsibilities or are thinking about implementing a
new procedure or process, ask yourself the following questions:

• What could go wrong?
• What steps have been taken to assure something doesn't go wrong?
• How do you know things are under control?

LIMITATIONS
There are always inherent limitations to internal controls and risk can't always be
foreseen or eliminated. Each time we make a change to an existing system, we run the
risk of weakening the underlying internal controls. No matter how well internal controls
are designed, they can only provide reasonable assurance that a positive outcome can be
achieved.


COMPONENTS OF INTERNAL CONTROL


There are five basic components of internal controls, as defined in the Committee of
Sponsoring Organizations of the Treadway Commission’s (COSO) Internal Control
Framework:

1. Control Environment - The control environment sets the foundation for all other
components of internal control, and is a product of management’s governance.
Senior management establishes a tone at the top by expressing their support in
implementing and maintaining effective internal controls. This tone should
successfully integrate ethical values and integrity, sound reporting structures,
appropriate levels of authority and responsibility, the independence of senior
management, and a commitment to attract and retain competent individuals. Internal
controls are most effective in a positive control environment. Management helps
foster a positive control environment by practicing the most effective philosophy,
style and supportive attitude and maintaining high levels of morale.
2. Risk Assessment - The risk assessment process is conducted to identify and analyze
the risks to achieving objectives, and helps form a basis for how risks should be
managed. Objectives must be clearly defined for a risk assessment to be most
effective. When assessing risks, management should consider changes in the external
business environment, internal business model, and the potential for fraudulent
activities.
3. Control Activities - Management should establish appropriate control activities, as
well as employee expectations in performing these activities, in all policies and
relevant procedures to help ensure management’s directives to mitigate risks are
carried out. Control activities are performed at all levels, at various stages of
business processes, and over technology. These activities include, but are not limited
to, segregation of duties, timely reconciliations, and supervisory review.
4. Information and Communication - Communication of relevant, reliable, and quality
information is essential in carrying out internal control responsibilities. Objectives
and responsibilities for internal control are communicated internally, allowing
employees to understand the importance of, as well as their role in, maintaining
effective internal controls. Matters affecting the functioning of other components of
internal control are communicated externally. Use of effective communication
provides the information necessary to carry out the day-to-day internal control
activities.
5. Monitoring Activities - Management should establish a monitoring system to
evaluate the internal controls in place to ensure they are adequate and functioning
correctly. Monitoring internal controls should be ongoing, with identified
weaknesses or deficiencies communicated in a timely manner. Deficiencies that are
more serious in nature must be reported to senior management and the board.
Corrective actions must also be regularly monitored to ensure they are implemented
timely and effectively.

In order for internal controls to be effective, employees should:

• Read and understand the policies and procedures related to their position,
• Report any control weaknesses to their supervisor or manager that would prohibit
  them from successfully fulfilling the responsibilities of their position, and,
• Adhere to System Administration's management policies and standards.

BALANCING RISKS AND CONTROLS


In order to achieve a balance between risks and controls, internal controls should be
proactive, value-added and cost-effective. Excessive control can be costly and
counterproductive while too little control presents undue risk. The cost of implementing a
control shouldn't outweigh its benefit. For example, staff size limitations may obstruct
efforts to properly segregate duties, but it may be possible to implement compensating
controls such as random testing or document review.


RISK MANAGEMENT
The underlying theme throughout Understanding Internal Controls is to (1) identify risks
that may prevent objectives from being achieved and (2) do what is necessary to manage
those risks. Thus, setting goals and objectives is a precondition to internal controls. The
SUNY Strategic Plan for 2010 and Beyond, “The Power of SUNY,” outlines the
University’s main goals and objectives that SUNY will commit its efforts and resources
to. SUNY’s “Six Big Ideas” involve a number of University-wide goals that include
collaborating with local entrepreneurs and businesses, fast-tracking the research process
by aligning SUNY researchers with private organizations across the state, expanding
distance learning and international education, and increasing funding through venture
capital and grants.

Each department within System Administration must align its objectives to support
SUNY’s strategy. As such, these departments must assess and monitor the risks
associated with these goals, and implement adequate controls to help achieve these
objectives. Such controls may include conducting background checks to ensure the
organizations that SUNY partners with conduct business with a high level of integrity,
utilizing contract agreements with private research partners to protect SUNY’s ownership
of end products, enhancing IT infrastructure and security to mitigate the inherent risks of
expanding the online learning environment, establishing an effective monitoring system
to provide additional safety for students in countries with turmoil, and reconciling
statements regularly to ensure funds invested in support of these goals are received and
disbursed appropriately.

The process of identifying and analyzing risk is ongoing, and is a critical component of
an effective internal control system. Attention must be focused on risks at all levels, as
well as the necessary actions that must be taken to effectively manage them. Risk can
pertain to both internal and external factors, such as:

External factors:

• Economic changes
• Changing customer needs or expectations
• New or changed legislation or regulations
• Technological developments
• Natural catastrophes

Internal factors:

• New personnel
• New or revamped information systems
• Changes in management responsibilities
• Unfamiliarity with policies or procedures

MEASURING RISK - THE RISK ASSESSMENT


The framework for the Internal Control Program is based on identifying and testing the
programs and administrative functions necessary for System Administration to carry out
its mission. Functions can be identified through organizational charts, departmental
budgets, policy and procedural manuals, job descriptions, and information systems. The
identified functions are referred to as "assessable units".

To properly assess the current level of risk associated with a function, risk assessments
address such factors as:

• Management's attitude towards maintaining effective internal control systems,
• Technical or administrative complexity,
• The existence of adequate organizational charts, lines of communication, and clear
  designation of work assignments,
• Demonstrated adherence to prescribed policies and procedures,
• The fiscal implications of the function including budget management, handling of
  cash receipts and disbursements, or contract approvals,
• The sensitive nature of the function and the extent to which decisions can be
  influenced by external sources, time constraints, or conflicts of interest,
• The professional training and technical proficiency of staff needed to perform the
  function,
• The stability of the operation in terms of changes in functional responsibilities
  resulting from staff turnover, permanence of the functional unit and reconfigurations
  of the organizational structure,
• The frequency of internal or external audits and the significance of the findings, and,
• The inherent risk associated with the function regardless of the existence of adequate
  internal controls.

SUNY has established eight pre-defined areas considered to be of high risk and, as such,
should be reviewed regularly as part of the internal control program. These areas include
revenue and cash management, procurement, personnel and payroll, computer operations,
financial aid, disaster planning and recovery, and the general control environment.
System Administration periodically reviews these areas (excluding financial aid) over a
three-year cycle. Areas identified as having moderate to high risk are considered for
review in future cycles, as necessary.


INTERNAL CONTROL REVIEW


The need for a more in-depth internal control review of a function relates to the level of
risk determined by the risk assessment. Functions identified as more vulnerable could be
candidates for a more formal internal control review regardless of whether the risk
assessment identified any internal control weaknesses. System Administration’s internal
control review process includes the completion of internal control questionnaires, staff
interviews, analysis of policies and procedures, observations of functions and operations,
and testing of controls currently in place to determine adequacy and effectiveness. For
any material weaknesses identified during the review process, the respective department
manager is notified and must submit a corrective action plan to the Internal Control
Officer along with a timeframe for resolution. Follow-up measures are utilized to ensure
corrective actions are implemented. Implementation of these actions is monitored using
tools such as Excel spreadsheets, Outlook calendar reminders, and email.


REPORTING COMPLIANCE CONCERNS AND FRAUD


We are all responsible for creating and maintaining a compliance-conscious environment.
This includes asking questions if you’re not sure what to do and raising concerns if you
see something you don’t think is right. Early recognition of a problem can prevent
something small from becoming big. Please report your concerns to one of the following:

• Your supervisor
• University Police: (518) 320-1600
• SUNY Fraud Hotline: (518) 320-1593

SUMMARY
Internal controls are a part of our daily operations. The controls developed and exercised
by managers and their staff are the substance of the Internal Control Program. System
Administration's Internal Control Program and related training and testing help to ensure
that the controls are properly documented and functioning as intended.

As available resources decline, the need for adequate internal control is more important
than ever. Fewer people are doing more work with less time and less funding.
Opportunities for fraud, waste, and abuse increase significantly in a weak internal control
environment. The single most important success factor of the Internal Control Program is
a high level of individual awareness and understanding. Internal controls are everyone's
responsibility; therefore we are all responsible for knowing what internal controls exist
and how to evaluate their effectiveness.

A successful Internal Control Program will help streamline our processes and improve
the quality of our services. The result will be a better, more enjoyable work place and a
quality institution of higher education.

Please feel free to contact us for more information regarding System Administration’s
Internal Control Program.

The Internal Control System


There are five components of an organization's internal control system.

• CONTROL ENVIRONMENT: This is the attitude of the organization's executive management and staff
  regarding internal controls. A sound control environment is the foundation for all other components of
  internal control, providing discipline and structure. The basic elements of the control environment include:
  1. Integrity and ethical values
  2. Leadership philosophy and operating cycle
  3. The commitment to competence
  4. The manner in which management assigns authority and responsibility, organization and
     development of its employees
• RISK ASSESSMENT: This involves management's identification of areas at most risk and implementation
  of controls to detect errors or fraud that potentially result in material misstatements. Examples include:
  1. Unrecorded revenue or expense transactions
  2. Ghost employees on payroll
  3. Payments to fictitious vendors
  4. Confirmation of inventory
• CONTROL ACTIVITIES: Control activities occur within the internal control system. Internal controls are
  developed and implemented to prevent or to mitigate any risks identified. These are actually the specific
  policies, procedures and processes that are designed to meet the business objectives. There are a range
  of controls, which include:
  1. Segregation of duties
  2. Reconciliation
  3. Physical security of assets
  4. Electronic data security
• INFORMATION AND COMMUNICATION: This area focuses on the systems and reports that help ensure
  that management directives to employees are carried out effectively.
• MONITORING: This involves assessing the quality and effectiveness of the organization's internal control
  over time. Monitoring can be an internal or external activity by management, employees or outside
  parties. Monitoring can involve the following:
  1. Assessing the design and operation of controls
  2. Assessing the compliance with policies and procedures
  3. Providing for implementation of corrective action plans
