Internal Control Program

General Standards

1. Reasonable Assurance. Internal control systems are to provide reasonable assurance that their objectives will be accomplished.
2. Supportive Attitude. Managers and employees must always maintain and demonstrate a positive and supportive attitude toward internal controls.
3. Competent Personnel. Managers and employees must have personal and professional integrity, maintain competence to accomplish their assigned duties and understand the importance of developing and implementing good internal controls.
4. Control Objectives. Internal control objectives are to be identified or developed for each agency activity and are to be logical, applicable, and reasonably complete.
5. Control Techniques. Internal control techniques must be effective and efficient in accomplishing their objectives.
6. Continuous Monitoring. Agency heads are to establish and maintain an internal review program to identify internal control weaknesses and implement changes needed to correct them.

Specific Standards

1. Documentation. Internal control systems, all transactions, and other significant events must be documented, and the documentation will be readily available for examination.
2. Recording of Transactions and Events. Transactions and other significant events are to be promptly recorded and properly classified.
3. Execution of Transactions and Events. Transactions and other significant events are to be authorized and executed only by persons acting within the scope of their authority.
4. Separation of Duties. Key duties and responsibilities in authorizing, processing, recording, and reviewing transactions should be separated among individuals.
5. Supervision. Qualified and continuous supervision will ensure that internal control objectives are achieved.
6. Access to and Accountability for Resources. Access to resources and records is limited to authorized individuals, and accountability for the custody and use of resources is to be assigned and maintained. The resources and recorded accountability shall be periodically compared to determine whether the two agree. The comparison frequency shall be a function of the asset's vulnerability.

Audit Resolution Standard

Prompt Resolution of Audit Findings. Managers are to (1) promptly evaluate findings and recommendations reported by auditors, (2) determine proper actions in response to audit findings and recommendations, and (3) complete, within reasonable time frames, all actions that correct or otherwise resolve matters brought to management’s attention.

The Internal Control Act of the State of New York establishes certain standards defining a minimum quality acceptability level for internal control systems. These internal control standards apply to all operations and administrative functions.

Among these standards is the one for executing transactions and events. Specifically, transactions and other events are to be authorized and executed only by persons acting within the scope of their authority. Another standard provides that all transactions and other significant events must be clearly documented and readily available for examination.

Grading and grades constitute administrative functions subject to internal control standards. The advent of online grading makes explaining and following these standards all the more important.

Therefore:

• The faculty member whose course the student is registered must enter grades for students taking coursework at Buffalo State University or any subsidiary thereof.
• The faculty member is responsible for understanding how to submit grades in Banner. Difficulty in submitting grades in Banner is not an excuse for failure to submit grades.
• The faculty member ensures that grades are submitted by the stated deadline.
• In the event the faculty member is, for any reason, unable to personally enter these grades, a delegate must be named.  The faculty member's department chair and dean must approve this delegation.  The process for this approval is as follows:

The faculty member shall, no later than two weeks before CEP (Critique and Evaluation Period), petition in writing to the dean via the department chair for permission to delegate to a specific individual. The faculty member and the delegate shall be advised in writing if approved. The original request to delegate grading and a proven approval copy shall be retained in the dean’s office for inspection as needed. The two-week deadline may be waived by the dean in emergency situations.

• Under no circumstances may a faculty member delegate grading entry responsibility to a university student employee.

An internal control program is essentially a review program. It helps ensure that daily operating procedures and practices are adequate to minimize the possibility of operations failure, overspending, or other actions that violate the law or are inconsistent with policy. The Program, including program reviews and audits, is designed to review, critique, and strengthen existing systems and procedures.

Laws and policies may be supplemented by guidelines to assist employees in managing their responsibilities. Guidelines, which may be included here, and the Resource Links located at this site, are provided to assist employees in complying with Federal and State laws and protecting themselves when carrying out responsibilities on behalf of the university.

Safeguarding sensitive information is not only a priority at Buffalo State but is also mandated by federal and state statutes governing privacy issues.  The following information and guidelines are provided to assist campus employees in handling records and data that may be considered confidential or sensitive.

Guidelines for Maintaining the Security, Confidentiality, and Integrity of Customer Information

Campus Confidentiality Statement

Campus Privacy Policy

See also:

Training information was presented on HIPAA, FERPA , and Privacy.

Buffalo State's Audit Schedule, or Audit Testing Matrix, reflects planned and completed campus-initiated audits for campus programs. SUNY has identified eight high-risk areas and audited once every three years. Additionally, the university will include other program areas due to the periodic "Vulnerability Assessment" or "Campus Programs Operations" survey and review.

The Buffalo State community should be aware that entities external to the university, notably the NYS Office of the State Comptroller and the SUNY Office of the University Auditor, routinely schedule audits that may be performed at this university and/or other SUNY campuses.  Once specified, these audits typically occur within a narrow timeframe and are not reflected in Buffalo State's annual audit schedule.

2023-24

The university anticipates conducting reviews for the following areas during 2023-24:

The Internal Control Program requires the university to periodically assess campus operations to identify programs considered "high risk" based on certain factors. These programs, known as "Assessable Units," must be regularly reviewed for auditing. SUNY has identified eight such areas for all campuses, and the university is responsible for identifying any additional campus-specific programs deemed high-risk.

Factors contributing to determining high risk include handling a large volume of cash transactions, managing significant institutional resources or assets, administering a large volume of confidential or sensitive data, or having substantial interaction with the public where there is a high risk of institutional exposure.

Some factors that help reduce program risk include accreditation reviews, regular audits conducted by external entities, appropriate segregation of employee duties and responsibilities, documented policies and procedures, and effective communication.

SUNY High-Risk Areas

• Procurement, Travel
• Personnel & Payroll
• Revenue/Cash Management
• Property Control
• Disaster Planning & Recovery
• General Control Environment
• Financial Aid
• Computer Operations

Buffalo State is responsible for periodic program assessments for campus-specific programs.

In May 2008, a Program Operations Survey was administered to primary program managers.  Responses to the survey were designed to assist the review process of determining whether programs warranted inclusion in the annual audit schedule for high-risk programs.  That review continues and will be tailored additionally with the administration of the next survey.