SUNY Maritime College Internal Control Program

New York State Internal Control Act of 1987 Establish and maintain guidelines for a system of internal controls Establish and maintain a system of internal controls and a program of internal control review Make available to all a clear and concise statement emphasizing the importance of internal controls and the related responsibility of each employee Designate an internal control officer Implement training and education efforts to ensure all have adequate awareness and understanding Periodically evaluate need for internal audit function

Internal Controls Are… Internal controls are the safeguards and management oversight designed to prevent, detect, and correct program and operational breakdowns and to ensure that goals are met. Key Elements of Internal Control:  Well defined mission A well defined mission provides direction and stability to an organization.  Accountability (at all levels) Key component at all levels for effective organization.  Communication Clearly stated objectives, communicated through the ranks, point the way forward for all employees.

Components of Internal Control: Internal controls consist of the following five interrelated components : 1. General Control Environment 2. Risk Assessment 3. Control Activities 4. Information and Communication 5. Monitoring and Feedback

COSO’s Internal Control Framework 9 Control Activities  Policies/procedures that ensure management directives are carried out.  Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties. Monitoring  Assessment of a control system’s performance over time.  Combination of ongoing and separate evaluation.  Management and supervisory activities.  Internal audit activities. Control Environment  Sets tone of organization-influencing control consciousness of its people.  Factors include integrity, ethical values, competence, authority, responsibility.  Foundation for all other components of control. Information and Communication  Pertinent information identified, captured and communicated in a timely manner.  Access to internal and externally generated information.  Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action. Risk Assessment  Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.

An Effective Control Environment Is a product of … Management’s philosophy, style and supportive attitude Competence Ethical values Integrity Morale of the organization’s people Organizational structure Accountability relationships

Control Environment …Depends on the people on campus. Your role:  Lead by example to foster ethical values and integrity in the organization.  Communicate its commitment to Internal Controls  Establish training programs to support staff development.  Support controls with positive attitude.  Foster positive employee morale and have a supportive attitude in the organization.  Remember your operating style and philosophy has a pervasive influence in the organization.  Review and update policies and procedures periodically.  Minimize and monitor any overrides to controls.  Select staff capable of carrying out controls.

8 Risk Risks are events that threaten the achievement of the College’s objectives and mission. We must ensure each risk is assessed and handled properly. The cost of internal control should not exceed the benefit derived. Costs Benefits Risk

Risk Assessment The process of identifying, evaluating and determining how to manage these events.  Risk should be assessed at all levels of an organization.  Risk measured in terms of likelihood and impact.  Risks should be appropriately managed (accepted, controlled, or avoided).  Corrective actions are essential to effective risk management.

Control Activities Control activities are tools or processes- both manual and automated - that help prevent or reduce the risks that can impede accomplishment of the College's objectives and mission. Management should establish control activities to effectively and efficiently accomplish the College's objectives and mission.

Examples of Control Activities Admission process Purchase requisition process Accounts payable process Property control process Personnel process Payroll timekeeping process

Types of Control and Examples Documentation – Policies and procedures Records – Recording transactions & events Authorization – Approving transactions Structure – Separation of duties Supervision – Monitoring control objectives Security – Safeguarding resources

13 Real-Life Examples of Control Breaches: 1.A clerical employee copied travel and other receipts, forged a faculty member’s signature, and simultaneously submitted them to both the State and the campus foundation for reimbursement. 2.An employee altered checks received from students and deposited the checks into her own bank account.

14 Communication Ask Yourself- and Your Staff Are we: Doing the right things (performing the right mission, planning strategically)? Doing these things right (achieving the needed results)? Making needed changes in the right order (prioritizing and applying resources correctly)? Operating as efficiently as possible (in applying people and other resources)?

Who Is Responsible For Internal Control? EVERY ONE.  Senior management assures appropriate controls are in place for all operations.  Every employee follows controls and reports problems or improvements.

16 Responsibilities of Managers:  Strengthen the control environment (set the “Tone”).  Document the policies, procedures, and day-to-day processes using narratives, flow-charts etc.  Have an updated Standard Operating Manual for your area.  Identify the control objectives for those processes:  Ensure accurate, reliable, and timely financial and management data;  Ensure adherence to laws, regulations, and management directives;  Safeguard resources against loss due to waste, abuse, and fraud  Implement cost effective controls designed to meet those objectives.  Regularly review/test the controls to determine  if they meet the objectives  if they are performing as intended.

Responsibilities of Managers:  Assess risks that may adversely affect your department’s mission or operations.  Request for and review weekly/monthly/quarterly reports (continuous monitoring)  Identify and classify internal control deficiencies  Recommend:  the retention of effective, efficient, and economical controls  enhancement of controls  elimination of inefficient controls or  implementation of new controls for the department’s processes and procedures.  Develop and document the corrective action plans  Track and document progress of corrective action plans

18 Internal Controls… Improve the likelihood that the right things happen and the wrong things don’t. Are safeguards, but they do not guarantee success. Reflect the qualities of management – good and bad. Require commitment and coordination from managers like you. Will succeed or fail depending on the attention people give to it. Are a process, not just a set of rules. Are built into an organization, not an added feature – part of the culture. Impact every aspect of the organization.

Why Are Internal Controls Important? C ompliance with applicable laws/policies A ccomplishment of the mission R elevant and reliable data E conomical and efficient use of resources S afeguard assets Internal Control CARES!

Summary Management Sets the Tone All Employees Have responsibility for Internal Controls A Part of Everyday Operations It’s the Law

THANK YOU…