mtp 89-8 - suny system · vulnerability assessment may result in taking immediate corrective action...


Post on 09-Jun-2020


Page 1: MTP 89-8 - SUNY System · vulnerability assessment may result in taking immediate corrective action or in the analysis.of existing activities for the purpose of identifying those

STATE UNIVERSITY OF NEW YORK

INTERNAL CONTROL PROGRAM

GUIDELINES

5/1/89


FOREWORD


The New York State Governmental Accountability, Audit and Internal Control Act, Chapter 814 of the Laws of 1987, requires, among other actions, that the State University of New York establish and maintain guidelines for a system of internal controls. Budget Bulletin B-1089 requires each of the State-operated campuses as well as the statutory colleges at Alfred and Cornell Universities to also establish and maintain such guidelines. The system of internal controls is designed to assure that the University and its State-operated/funded campuses meet their mission, promote performance leading to effective accomplishment of objectives and goals, safeguard assets, check the accuracy and reliability of financial and other key data, promote operational efficiency and economy, and encourage adherence to applicable laws and regulations and prescribed managerial policies and practices.

Internal controls should be viewed as an integral part of each system that management uses to regulate and guide its operations. In this sense, internal controls are management controls. Good internal controls are essential to achieving the proper conduct of University business with full accountability for the resources made available. They also facilitate the achievement of management objectives by serving as checks and balances against undesired actions. In preventing negative consequences from occurring, internal controls help achieve the positive aims of program managers.

The University and each of its State-operated/funded campuses must take the following actions toward implementing the Internal Control Act:

1. Establish and maintain guidelines for a system of internal controls.

2. Establish and maintain a system of internal controls and a program of internal control review which is designed to identify internal control weaknesses and identify actions that are needed to correct these weaknesses.

3. Make a clear and concise statement of the University's/campus's generally applicable management policies and standards with which each employee will be expected to comply available to each employee.


4. Designate an internal control officer at both the University and campus levels to implement and review the University's/campus's Internal Control Program.

5. Implement education and training efforts to ensure employee awareness and understanding of internal control standards and evaluation techniques.


6. Periodically evaluate the need for an internal audit function. (Note: The University has reaffirmed its need for the continuation of the internal audit function on behalf of the University as a whole and all of its campuses.)

These Guidelines have been developed to assist State-operated/funded campuses to implement the New York State Internal Control Act. The material contained herein responds to specific requirements of the Internal Control Act. These Guidelines are organized into the following six sections:

Section I provides generally applicable background information, concepts, and principles relating to internal controls.

Section II outlines one organized approach to the internal control evaluation and improvement process. The approach outlined should be viewed by the campuses as a guide only. Each campus may modify or refine the outlined process to meet the unique characteristics, circumstances, and requirements of the campus so long as the requirements of the Internal Control Act are met.

Section III identifies some of the major University internal control systems.

Section IV provides instructions and forms for use by the campuses in reporting the status and progress of their internal control program.

Section V, comprised of attachments, includes examples of administrative tasks involved in implementing the Internal Control Program, a partial listing of activity areas subject to internal control evaluation and improvement efforts, an illustration of an internal control vulnerability assessment and sample reports.

Section VI, comprised of appendices, provides basic reference materials, including a copy of both Chapter 814 of the Laws of 1987 and the State Comptroller's Internal Control Standards.

Comments and suggestions for improving these Guidelines would be appreciated. Such comments and suggestions should be sent to the Office of the Senior Vice Chancellor, Division of Administrative Affairs, State University of New York, State University Plaza, Albany, New York 12246.


CONTENTS

Foreword

Section I: Generally Applicable Background Information, Concepts and Principles Relating to Internal Controls

* Scope of SUNY's Internal Control Program
* Objectives of SUNY's Internal Control Program
* Internal Controls, Some Definitions
* Some Key Concepts/Basic Principles
* Management/Employee Responsibilities for Internal Controls

Section II: Internal Control Evaluation and Improvement Process

* Organize the Process
* Segment the Campus
* Develop a Schedule for Vulnerability Assessments
* Conduct Vulnerability Assessments
* Establish Plans for Subsequent Actions
* Conduct Internal Control Reviews
* Take Corrective Action
* Prepare Summary Reports on Internal Controls

Section III: Major University Internal Control Systems

Section IV: Status and Progress Reporting on Internal Control Evaluation and Improvement Efforts

Section V: Attachments

* Recommended Administrative Tasks in Implementing the Internal Control Program (AT1)
* Partial Listing of Suggested Activity Areas Subject to Campus Internal Control Evaluation and Improvement Efforts (AT2)
* Illustration of an Internal Control Vulnerability Assessment (AT3)
* Illustration of a Plan and Schedule for Internal Control Evaluations and Improvements (AT4)
* Illustration of a Plan and Schedule for and Status Report on Internal Control Evaluations and Improvements (AT5)
* Illustration of a Summary on Results of Internal Control Evaluation and Improvement Actions (AT6)

Section VI: Appendices

* New York State Governmental Accountability, Audit and Internal Control Act (Chapter 814 of the Laws of 1987) (AP1)
* Standards for Internal Controls in New York State Government (Issued by the Office of the State Comptroller) (AP2)


SECTION I

GENERALLY APPLICABLE BACKGROUND INFORMATION, CONCEPTS AND PRINCIPLES RELATING TO INTERNAL CONTROLS

Scope of SUNY's Internal Control Program

The University's Internal Control Program encompasses the internal control programs of the State-operated colleges and the statutory colleges at Alfred and Cornell Universities.

The Research Foundation of State University of New York, the auxiliary service corporations, the campus-related foundations, the student government organizations and the community colleges are not included within the scope of the University's Program in response to Chapter 814 of the Laws of 1987.[1]

Matters such as statutory development or interpretation, determination of program needs, resource allocation, rule making, or other discretionary policy-making activities are not normally included within the scope of an internal control program. The internal control evaluation and improvement process begins at the point at which a program or function has been authorized by the policy-level body or official having authority to do so, and focuses on the steps involved in the operation of the program. Internal control would include, for example, among others, an evaluation that criteria for the operation of the program are followed; that there is reasonable assurance that obligations and costs are in compliance with applicable law; funds, property and other assets are safeguarded; and that revenues, expenditures and other key data are properly recorded.

Objectives of SUNY's Internal Control Program

1. Successful achievement of the University's and campus's mission, objectives and goals

2. Operational effectiveness, efficiency and economy

[1] It is recognized that the operation of a campus involves a dynamic interaction between all of its programs and the organizations that play a part in meeting the campus's mission. Therefore, the development of an efficient and effective internal control program should account for this interaction and, at the discretion of the campus, may include part or all of these organizations' operations.


3. Compliance with laws, regulations, policies, procedures and guidelines

4. Safeguarding assets

* Prevent or minimize waste, loss, unauthorized use of assets

* Prevent misappropriation of funds

* Maintain complete inventory of equipment items and verify the accuracy of the inventory by regular periodic physical inventories

5. Accurate recording, preservation and reporting of financial and other key data

Internal Controls, Some Definitions

1. "Internal controls". Internal controls encompass the plan of organization and all of the coordinate methods and measures adopted within an organization to meet its mission, promote performance leading to effective accomplishment of objectives and goals, safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency and encourage adherence to prescribed managerial policies and practices. Internal controls include the ongoing evaluation of the control systems themselves, and where appropriate, removing unnecessary and noncost-effective controls. Internal controls encompass internal administrative controls, internal program controls, and internal accounting controls.

2. "Internal administrative controls". The plan of organization and procedures and records that encourage adherence to policies to promote efficiency in the daily operation and management of the University. Elements of administrative controls include, but are not limited to:

a. Administrative manuals,

b. Organization charts and decision-making hierarchies,

c. Formal statements and policies governing hiring practices, and

d. Formal job descriptions and evaluation standards.

3. "Internal program controls". The plan of organization and the procedures and records that are concerned with accomplishing organizational objectives and goals, including instructional, research and student programs and services, in an efficient and effective manner. Elements of program controls include, but are not limited to:

a. Mission statements,

b. Program definitions and related budget materials,

c. Programmatic and administrative goals, and

d. Operational objectives which define what is to be accomplished, by when and the standards by which accomplishments are to be judged.


4. "Internal accounting controls". The plan of organization and the procedures and records that are concerned with the safeguarding of assets and the reliability of financial records and consequently are designed to provide reasonable assurance that:

a. financial transactions are executed in accordance with management's general or specific authorization,

b. such transactions are recorded in conformity with generally accepted accounting principles or other applicable criteria and to maintain accountability for assets,

c. access to assets is permitted only in accordance with management's authorization, and

d. the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

5. "Vulnerability assessment". The methodology and process followed by management to determine the relative susceptibility of the University and campus programs, functions, or organizational entities to conscious or unintended abuse, misuse through misappropriation of assets, accounting or reporting errors, or reduced operational efficiency or effectiveness. A vulnerability assessment may result in taking immediate corrective action or in the analysis of existing activities for the purpose of identifying those areas where more intensive review should be conducted.

6. "Internal control review". An internal control review is a detailed examination of specific University activities to determine if adequate and appropriate control measures are in place. It involves analyzing those vulnerable activities, identified through the vulnerability assessment, which expose the University to some degree of risk to see if procedures and policy directives associated with each activity are functioning as intended to achieve the objective of that activity.

7. "Internal audit". An independent appraisal activity supported by management to review agency operations as a means of assuring conformance with management policies and the effectiveness of internal control systems. The internal audit tests the reliability of the internal control system, identifies material internal control weaknesses, and includes recommendations to improve those controls to promote adherence to prescribed policies and procedures.

8. "Internal control officer". An individual with sufficient authority to act on behalf of the Chancellor/campus president to ensure the implementation and review of the University/campus Internal Control Program. This individual should have a broad knowledge of University and campus operations, personnel, and policy objectives.

9. "Event cycle". A series of related activities that are performed to get something done. E.g., Personnel Cycle: recruiting, selecting, hiring, testing, training, evaluating, promoting, terminating, retiring, maintaining personnel records, and processing PR-75's.


Some Key Concepts and Basic Principles

Internal controls should be geared to and consistent with the successful achievement of the University's and campus's mission, objectives and goals -- effectively, efficiently and economically.

A system of internal control should be an integral part of the overall responsibility of management to safeguard University, campus and public assets and to continually direct, monitor and improve operations. It should not be a separate and distinct system within the University or campus, but the embodiment of all the plans and devices which assure reasonable control over operations. Accordingly, the ultimate responsibility for good internal controls rests with the University's and campus's own internal management and not with any external unit. The same managers who are responsible for day-to-day operations and decision making are also responsible for ensuring the presence and effectiveness of internal controls within their area of responsibility.

Internal controls are an integral part of the University's and campus's policies, procedures, guidelines, programs, practices and operations including, but not limited to, the following:

a. Education and Other Applicable Laws

b. Board of Trustees' Policies and Regulations

c. Policy Handbook

d. Policy Memoranda

e. Administrative Procedures Manual

f. Master Plan, Interim Progress Reports and Master Plan Amendments

g. Curriculum Review/Approval Guidelines

h. Collective Bargaining Agreements

i. Budget Development and Execution Processes:

-- Operating Budget

-- Capital Budget

j. Finance Bulletins

k. Chart of Accounts

l. Accounting System

m. Internal Audit Activity

n. Equipment Inventory System

o. Physical Plant Inventory/Evaluations

p. Various Other Guidelines and Instructions

Internal control systems:

* Are the responsibility of every manager

* Are not a new concept

* Apply equally to programmatic, administrative, and financial activities

* Form an integral part of normal operations

* Support and strengthen planning

* Provide reasonable assurance, not absolute assurance

* Include cost/benefit (materiality) considerations

As used in these Guidelines, "cost" is taken broadly to mean both the financial measure of resources consumed in accomplishing a specific purpose and a measure of lost opportunity, such as a delay in operations, a decline in service levels or productivity, or low employee morale. A "benefit" is measured by the degree to which the risk of failing to achieve a stated objective is reduced. Examples of a benefit include increasing the probability of detecting fraud, waste, abuse, or error; preventing an improper activity; or enhancing regulatory compliance.

Management/Employee Responsibilities for Internal Controls

A general principle applicable to all managers and employees is that they are to have personal and professional integrity and are to maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal controls.

As used in the context of internal control, the terms "management" and "manager" relate to organizational responsibilities and authority, not to collective bargaining agreement definitions.

Management responsibilities:

1. Internal controls are an inherent part of a manager's responsibility, not an overlay.

2. The manager is accountable and responsible for the development, maintenance, documentation and supervision of adequate internal control systems for those programs and functions for which he/she is responsible.

3. Management plans and conducts vulnerability assessments and internal control reviews.

4. Management implements the decisions resulting from vulnerability assessments and internal control reviews.

5. Management responds to changes in the operating environment in terms of internal controls.

Employee responsibilities:

1. Each employee is responsible for adhering to the established University and campus internal controls.


SECTION II

INTERNAL CONTROL EVALUATION AND IMPROVEMENT PROCESS

The objective evaluation and, where determined appropriate, the improvement of internal controls, if they are to be performed in an effective, efficient and economical manner, make an organized approach certainly desirable and perhaps necessary.

The general approach outlined below should be viewed by the campuses as a guide only. The outlined approach may be modified and refined by each campus as necessary to meet the unique characteristics, circumstances and requirements of the campus.

The following eight steps comprise the recommended general approach to the evaluation and improvement process:

Step 1: Organize the Process

Step 2: Segment the Campus

Step 3: Develop a Schedule for Vulnerability Assessments

Step 4: Conduct Vulnerability Assessments

Step 5: Establish Plans for Subsequent Actions

Step 6: Conduct Internal Control Reviews

Step 7: Take Corrective Action

Step 8: Prepare Summary Reports on Internal Controls

Further and more detailed information on the internal control evaluation and improvement process outlined in these Guidelines will be found in the SUNY Internal Control Program Training Guide.


INTERNAL CONTROL EVALUATION AND IMPROVEMENT PROCESS

STEP 1: ORGANIZE THE PROCESS

An organized approach is a key ingredient to a successful internal control program. Thoughtful diligence applied to this step will prove to be invaluable in both approaching the more detailed steps and maintaining your controls. The organizational step utilizes four major components:

1. Assign responsibility

2. Develop internal reporting system

3. Establish documentation process

4. Commit personnel

ASSIGN RESPONSIBILITY

A system of internal control is not a separate and distinct system within an organization, but the embodiment of all of the plans and devices which assure reasonable control over operations. Accordingly, the ultimate responsibility for good internal controls rests with the internal management at each campus and not with any external unit. The same managers who are responsible for day-to-day operations and decision making are also responsible for ensuring the presence and effectiveness of internal controls.

The actual assignment of duties will vary significantly among campuses and subunits depending on such factors as size and organizational structure. However, it is recommended that consideration be given to the following assignments:

Campus Internal Control Officer

One senior official, having a broad knowledge of the campus operations, personnel and policy objectives, should be designated as the campus internal control officer. This individual should be responsible for coordinating the campus-wide internal control effort and providing visible administrative leadership. This designee should have sufficient authority to act on behalf of the campus president to ensure the successful implementation and review of the campus internal control program. Typical duties of this individual as they relate to the internal control effort may include:

* Preparing, issuing and maintaining campus guidelines

* Developing campus-specific objectives


* Chairing a campus steering committee comprised of representatives from key functional areas, i.e., academic, finance and business, and student services

* Evaluating plans for vulnerability assessments and internal control reviews

* Coordinating development and presentation of campus-specific training programs for involved staff

* Monitoring progress

* Reviewing results of vulnerability assessments and internal control reviews

* Monitoring the implementation and effectiveness of corrective actions

* Reporting progress and status to senior campus management

Heads of Major Campus Organizational Units

The head, typically the vice president, dean or director, as appropriate, of each major campus organizational unit (or other component as identified in the segmenting process) should be responsible for internal control within that unit. Typical duties may include:

* Participating on campus steering committee

* Ensuring that line managers are motivated and trained to accomplish their assignments. Participation in the Internal Control Program may appropriately be reflected in the individual performance program and evaluation.

* Developing/reviewing event cycle objectives

* Arranging and/or conducting vulnerability assessments and internal control reviews

* Reviewing and analyzing the results of vulnerability assessments and internal control reviews

* Ensuring that significant weaknesses in controls are corrected

* Ensuring that all additions and changes to rules, procedures, systems, etc., include proper controls

Line Managers

Personnel who are uniquely familiar with individual operations and who are responsible for the management process must take an active role in


ATTACHMENT 4

ILLUSTRATION OF A

PLAN AND SCHEDULE FOR

INTERNAL CONTROL EVALUATIONS AND IMPROVEMENTS


Campus: SUNY Campus at Apex

Plan and Schedule for Internal Control Evaluations and Improvements

Assessable Unit: Critic Teacher Tuition Waivers

Planned Actions: Update written procedures to reflect current acceptable practices. Add documentation of internal controls to the procedures.

Targeted Completion Date: [illegible]

Prepared by: [signature] Date: [illegible] Title: Coordinator, Student Teacher Programs

Reviewed by: [signature] Date: 6/5/89 Title: Dean, School of Education


ATTACHMENT 5

ILLUSTRATION OF A

PLAN AND SCHEDULE FOR AND STATUS REPORT ON INTERNAL CONTROL EVALUATIONS AND IMPROVEMENTS


CAMPUS: SUNY Campus at Apex

PLAN AND SCHEDULE FOR AND STATUS REPORT ON INTERNAL CONTROL EVALUATIONS AND IMPROVEMENTS

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

EVALUATION METHOD: Vulnerability Assessment

TARGETED EVALUATION COMPLETION DATE: [illegible]

IMPROVEMENT ACTION INDICATED (YES/NO): Yes

TARGETED IMPROVEMENT ACTION COMPLETION DATE: [illegible]

CURRENT STATUS: Completed

Prepared by:

Telephone: (007) 987-6543

Title: Campus Internal Control Officer

Date: 12/31/89


ATTACHMENT 6

ILLUSTRATION OF A

SUMMARY ON RESULTS OF

INTERNAL CONTROL EVALUATION AND IMPROVEMENT ACTIONS


CAMPUS: SUNY Campus at Apex

SUMMARY ON RESULTS OF INTERNAL CONTROL EVALUATION AND IMPROVEMENT ACTIONS

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

RESULTS OF EVALUATION AND IMPROVEMENT ACTIONS: This activity had a moderately low risk vulnerability. However, the written procedures were updated to reflect current acceptable practices. Documentation of the internal controls was also added to the written procedures.

Prepared by: [signature] Title: Campus Internal Control Officer

Telephone: (007) 987-6543 Date: 12/31/89


SECTION VI

APPENDICES


APPENDIX 1

NEW YORK STATE GOVERNMENTAL ACCOUNTABILITY, AUDIT AND INTERNAL CONTROL ACT (CHAPTER 814 OF THE LAWS OF 1987)


(NOTE: THIS APPENDIX IS ALSO FOUND IN THE INTERNAL CONTROL PROGRAM TRAINING GUIDE.)


STATE OF NEW YORK

S. 6462 A. [number illegible]

CHAPTER 814, LAWS OF 1987

1987-1988 Regular Sessions

SENATE-ASSEMBLY July 2, 1987

IN SENATE -- Introduced by Sens. ANDERSON, BRUNO, COOK, DALY, DONOVAN, DUNNE, FARLEY, FLOSS, GOLD, GOODHUE, GOODMAN, JOHNSON, KEHOE, KNORR, KUHL, LACK, LAVALLE, E. LEVY, N. LEVY, LOMBARDI, MARCHI, MARINO, McHUGH, MEGA, OHRENSTEIN, PADAVAN, PRESENT, ROLISON, SCHERMERHORN, SEWARD, SKELOS, SPANO, STAFFORD, TRUNZO, TULLY, VELELLA, VOLKER -- (at request of the Governor) -- read twice and ordered printed, and when printed to be committed to the Committee on Rules

IN ASSEMBLY -- Introduced by COMMITTEE ON RULES -- (at request of M. of A. M. H. Miller, Schimminger, Dearie, Pheffer, Seminerio, Young) -- (at request of the Governor) -- read once and referred to the Committee on Ways and Means

AN ACT to amend the state finance law, the executive law, the legislative law, the judiciary law, the public authorities law and the public officers law, in relation to systems of internal control for state agencies, covered authorities, the legislature and the judiciary and providing for the repeal of such provisions upon expiration thereof

1 2 3 4 5 6 7 e 9

10

The Pco~lc of the State of Nev York, revresented in Senate and Asset- bly, do enact as follows:

/ Section 1. Short title. This act shall be known and my be cited as

tn. ‘N&w York state governmental accountability, audit and internal con- trol act of 1987’..

s 2. Legislative findings. The legislature hereby finds that the scope. size and complexity of state government rake it neccssaiy to .s- mare that the state’s systems of internal control provide reasonable control over all state operations, and provide the public. the governor, the state legislature, the judiciary and the heads of state agencies and authorities with assurance that state assets and rmources, including but not limited to, cash, investments, facilities inventories. supplies.

BXPLANATION--Uatter fin Italics (underscored) is new; matter in brackets [ 1 is old law to be oaittcd.

LBDllSO&04-7

- AP1.l -

Page 26: MTP 89-8 - SUNY System · vulnerability assessment may result in taking immediate corrective action or in the analysis.of existing activities for the purpose of identifying those

1 2 3 4 5 6 7 a 9

10 11 12 13 14 1s 16 17 18 19 20 21 22 23 24 2s 26 27 26 29 30 31 32 33 34 35 36 37 36 39 40 41 42 43 44 45 46 47 4a 49 50 51 52 53 54 55

5. 6441 2 A. es14

equipment, personnel and contractual services are being utilized consistent with the requirements of law and duly established managerial policies and in an effective, economical and efficient manner.

The legislature further finds that the public has a right to know the extent to which state agencies and authorities, the legislature and the judiciary are achieving the objectives of internal control described herein and consequently to be fully informed of weaknesses identified through the conduct of external audits of internal controls.

The legislature further finds that prudent management of state government requires controls in all aspects of state government designed to assure that assets are properly safeguarded, that accounting entries and data are accurate and reliable, and that prescribed managerial policies are adhered to, including assurances that such assets and resources are used only for proper purposes. Therefore, this act requires systems of internal control throughout state government as well as the external audit thereof.

The legislature finds that the adequacy and effectiveness of existing state government internal controls and internal audit functions can be improved by the implementation of a more comprehensive system of internal control and internal audit that encompasses all of state government and will foster the effective and efficient use of government resources and ensure the integrity of accounting systems.

The legislature further finds that it is responsible for the generation of revenue and the appropriation of funds; and, in keeping with the constitutional principle of the separation of powers and the fact that it is directly chosen by the people, the legislature is itself directly responsible to the public for the proper use and application of the resources necessary for its operation; and the operational requirements of the legislature, which is a lateral, collegial institution rather than a hierarchical organization and is constitutionally charged with determining the rules of its own proceedings, differ in many respects from those agencies charged with the delivery of goods and services to the people of the state.

The legislature, therefore, finds that existing systems of internal control can be improved and made more comprehensive, and that it is desirable to build on and coordinate existing internal control efforts and provide a firm statutory foundation for an effective and continuing comprehensive system that will foster the effective and efficient use of government resources and ensure the integrity of accounting systems.

§ 3. The state finance law is amended by adding a new section two-a to read as follows:

§ 2-a. Additional definitions. As used in subdivisions two-b and two-c of section eight of this chapter, the following terms shall have the following meanings:

1. ‘Internal controls’. Internal controls encompass the plan of organization and all of the coordinate methods and measures adopted within an organization to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency and encourage adherence to prescribed managerial policies. Internal controls encompass both internal administrative controls and internal accounting controls.

2. ‘Internal administrative controls’. The plan of organization and procedures and records that are concerned with the decision processes leading to management’s authorization of transactions.

3. ‘Internal accounting controls’. The plan of organization and the procedures and records that are concerned with the safeguarding of assets and the reliability of financial records and consequently are designed to provide reasonable assurance that:

a. financial transactions are executed in accordance with management’s general or specific authorization;

b. such transactions are recorded in conformity with generally accepted accounting principles or other applicable criteria and to maintain accountability for assets;

c. access to assets is permitted only in accordance with management’s authorization; and

d. the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

4. ‘Internal audit’. An appraisal activity established by the management of an organization for the review of operations as a means of assuring conformance with management policies and the effectiveness of internal administrative and accounting controls, and conducted in conformance with generally accepted standards for internal auditing.

5. ‘State agency’. Any state department, state university of New York, city university of New York, board, bureau, division, commission, committee, council, office or other governmental entity performing a governmental or proprietary function for the state, or any combination thereof as provided in subdivision two of section nine hundred fifty-one of the executive law, except any public authority or public benefit corporation, the judiciary or the state legislature.

6. ‘Judiciary’. The courts and court-related programs, including the office of court administration, of the state-funded portion of the unified court system and all components thereof as provided in subdivision two of section two hundred forty-nine-a of the judiciary law.

7. ‘State legislature’. The legislature of the state of New York, including all components thereof as provided in subdivision two of section ninety of the legislative law.

8. ‘Covered authority’. Any public authority or public benefit corporation, other than a bi-state authority or public benefit corporation, a majority of whose members are appointed by the governor or serve as members by virtue of holding state offices to which they were appointed by the governor, or any combination thereof.

§ 4. Subdivision two-a of section eight of such law is amended by adding a new paragraph d to read as follows:

d. which is subject to such internal accounting controls as the comptroller deems necessary.

§ 5. Section eight of such law is amended by adding two new subdivisions two-b and two-c to read as follows:

2-b. For the purposes of the New York state governmental accountability, audit and internal control act of 1987, assist in the development and implementation of an audit program for the state by:

a. Either as part of one or more audits, or separately, conducting periodic audits of internal controls and operations of state agencies (other than those state agencies for which an audit is required pursuant to sections nine hundred fifty-three and nine hundred fifty-four of the executive law) and covered authorities. All such audits shall be performed in accordance with generally accepted auditing standards. Nothing in the New York state governmental accountability, audit and internal control act of 1987 shall be deemed to diminish or impair the comptroller’s power to audit and authority to supervise accounts under articles V and X of the state constitution and this chapter. The audits shall identify internal control weaknesses that have not been corrected


and actions that are recommended to correct these weaknesses. If any such internal control weaknesses are significant or material with respect to the operations of the agency that is the subject of the audit, the comptroller shall so state. The comptroller shall make available to the public the results of any such audits.

b. Providing technical assistance to state agencies and covered authorities and, upon request, to the state legislature and the judiciary in the implementation of internal audit functions, which shall be consistent with generally accepted standards for internal auditing, and, upon request, interpret such standards.

2-c. Provide technical assistance to state agencies and covered authorities and, upon request, to the state legislature and the judiciary in the implementation and periodic evaluation of internal accounting controls, which shall be consistent with generally accepted standards for internal accounting control and, upon request, interpret such standards.

§ 6. Section one hundred twelve of such law is amended by adding a new subdivision one-a to read as follows:

1-a. The system of accounting prescribed by the comptroller pursuant to the provisions of subdivision one of this section shall be subject to such internal accounting controls as the comptroller deems necessary.

§ 7. The executive law is amended by adding a new article forty-five to read as follows:

ARTICLE 45
INTERNAL CONTROL RESPONSIBILITIES OF STATE AGENCIES

Section 950. Definitions.
951. Internal control responsibilities.
952. Internal audit responsibilities.
953. Independent audits of the executive chamber and the division of the budget.
954. Independent audits of the department of audit and control and the department of law.

§ 950. Definitions. As used in this article, the following terms shall have the following meanings:

1. ‘Internal controls’. Internal controls encompass the plan of organization and all of the coordinate methods and measures adopted within an organization to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency and encourage adherence to prescribed managerial policies. Internal controls encompass both internal administrative controls and internal accounting controls.

2. ‘Internal administrative controls’. The plan of organization and procedures and records that are concerned with the decision processes leading to management’s authorization of transactions.

3. ‘Internal accounting controls’. The plan of organization and the procedures and records that are concerned with the safeguarding of assets and the reliability of financial records and consequently are designed to provide reasonable assurance that:

a. financial transactions are executed in accordance with management’s general or specific authorization;

b. such transactions are recorded in conformity with generally accepted accounting principles or other applicable criteria and to maintain accountability for assets;

c. access to assets is permitted only in accordance with management’s authorization; and


d. the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

4. ‘Internal audit’. An appraisal activity established by the management of an organization for the review of operations as a means of assuring conformance with management policies and the effectiveness of internal administrative and accounting controls, and conducted in conformance with generally accepted standards for internal auditing.

5. ‘State agency’. Any state department, state university of New York, city university of New York, board, bureau, division, commission, committee, council, office or other governmental entity performing a governmental or proprietary function for the state, or any combination thereof as provided in subdivision two of section nine hundred fifty-one of this article, except any public authority or public benefit corporation, the judiciary or the state legislature.

6. ‘Judiciary’. The courts and court-related programs, including the office of court administration, of the state-funded portion of the unified court system and all components thereof as provided in subdivision two of section two hundred forty-nine-a of the judiciary law.

7. ‘State legislature’. The legislature of the state of New York, including all components thereof as provided in subdivision two of section ninety of the legislative law.

8. ‘Covered authority’. Any public authority or public benefit corporation, other than a bi-state authority or public benefit corporation, a majority of whose members are appointed by the governor or serve as members by virtue of holding state offices to which they were appointed by the governor, or any combination thereof.

§ 951. Internal control responsibilities. 1. The head of each state agency shall:

a. establish and maintain for the agency guidelines for a system of internal controls;

b. establish and maintain for the agency a system of internal controls and a program of internal control review. The program of internal control review shall be designed to identify internal control weaknesses and identify actions that are needed to correct these weaknesses;

c. make available to each officer and employee of the agency a clear and concise statement of the generally applicable management policies and standards with which the officer or employee of such agency will be expected to comply;

d. designate an internal control officer to implement and review the internal control responsibilities established pursuant to this section;

e. implement education and training efforts to ensure that officers and employees within such agency have achieved adequate awareness and understanding of internal control standards and, as appropriate, evaluation techniques; and

f. periodically evaluate the need for an internal audit function.

2. In order to identify all state agencies and their responsibilities for the purposes of implementing the provisions of this article, the director of the division of the budget shall issue and, at his discretion, periodically revise a schedule which lists all state agencies.

§ 952. Internal audit responsibilities. 1. The director of the division of the budget, after reviewing the evaluation of the head of each state agency as to the need for an internal audit function, shall issue and, at his discretion, periodically revise a schedule of state agencies (other than the department of audit and control and the department of law) which are required to establish and maintain an internal audit


function. The comptroller and the attorney general or their designees, shall determine, and periodically review such determination of, whether an internal audit function within their respective departments is required. Establishment of such function shall be based upon an evaluation of exposure to risk, costs and benefits of implementation, and any other factors that are determined to be relevant. The head of each state agency listed in the budget director’s schedule, and the comptroller and the attorney general if they or their designees so determine, shall establish an internal audit function which operates in accordance with generally accepted professional standards for internal auditing. Any such internal audit function shall be directed by an internal auditor who shall report directly to the head of such state agency. Notwithstanding any other provision of law, each internal auditor shall be appointed by the head of the agency, and except in the case of the department of audit and control and department of law, such appointment shall be subject to the approval of the director of the budget. The position of internal auditor shall be an exempt position. For agencies for which an independent audit is not required pursuant to sections nine hundred fifty-three and nine hundred fifty-four of this article, the internal audit function shall evaluate the agency’s internal controls and operations. The internal audit function shall also identify internal control weaknesses that have not been corrected and make recommendations to correct these weaknesses.

2. In the event the head of a state agency does not establish an internal audit function pursuant to subdivision one of this section, he or she shall nevertheless establish and maintain the program of internal control review required by section nine hundred fifty-one of this article.

§ 953. Independent audits of the executive chamber and the division of the budget. 1. At least once every two years, the independent certified public accountant or accountants selected pursuant to this section shall conduct audits of the internal controls of the executive chamber and the division of the budget, either as a single audit or separately. Such audits shall be performed in accordance with generally accepted auditing standards and shall include a report on whether the executive chamber and division of the budget’s internal accounting controls and internal administrative controls are established and functioning in a manner that provides reasonable assurance that they meet the objectives of internal controls as defined in section nine hundred fifty of this article. The report shall identify the internal controls both evaluated and not evaluated and shall identify internal control weaknesses that have not been corrected and actions that are recommended to correct these weaknesses. If any such internal control weaknesses are significant or material with respect to the entity, the independent auditor shall so state. The governor and the director of the budget shall make available to the public the results of such audits, including any related management letters. The governor and director of the budget and any officer or employee of the executive chamber and the division of the budget shall make available upon request to such independent certified public accountants all books and records relevant to such independent audits.

2. The governor and the director of the budget, either separately or jointly, shall request proposals from independent certified public accountants for audits of the internal controls of the executive chamber and the division of the budget. The requests for proposals shall include a reference to the requirements for audits conducted pursuant to subdivision one of this section. The governor and the director of the budget


shall select such independent auditor or auditors in accordance with a competitive procedure including an evaluation, based on quality and price factors, of those proposals received in response to such requests for proposals. No contract for an independent auditor may extend for


more than four years.

§ 954. Independent audits of the department of audit and control and the department of law. 1. At least once every two years, the independent certified public accountants selected pursuant to this section shall conduct audits of the internal controls of the department of audit and control and the department of law, respectively. Such audits shall be performed in accordance with generally accepted auditing standards and shall include a report on whether the departments’ internal accounting controls and internal administrative controls are established and functioning in a manner that provides reasonable assurance that they meet the objectives of internal controls as defined in section nine hundred fifty of this article. The report shall identify the internal controls both evaluated and not evaluated and shall identify internal control weaknesses that have not been corrected and actions that are recommended to correct these weaknesses. If any such internal control weaknesses are significant or material with respect to such departments, the independent auditors shall so state. The comptroller and the attorney general shall make available to the public the results of such audits, including any related management letters. The comptroller and attorney general and any officer or employee of such departments shall make available upon request to such independent certified public accountants all books and records relevant to such independent audits.

2. The comptroller and the attorney general shall request proposals from independent certified public accountants for audits of the internal controls of their respective departments. The requests for proposals shall include a reference to the requirements for audits conducted pursuant to subdivision one of this section. The comptroller and attorney general shall select such independent auditors in accordance with a competitive procedure including an evaluation, based on quality and price factors, of those proposals received in response to such requests for proposals. No contract for an independent auditor may extend for more than four years.

3. Whenever the comptroller or his appointee is a member of any board, commission, committee, council, or corporation, which constitutes a state agency, the governing body of such board, commission, committee, council, or corporation shall select an independent auditor for the purpose of conducting audits of internal controls in accordance with this section.

§ 8. Article six and sections ninety and ninety-one of the legislative law are renumbered article seven and sections one hundred and one hundred one and a new article six is added to read as follows:

ARTICLE 6
INTERNAL CONTROL RESPONSIBILITIES OF THE STATE LEGISLATURE

Section 89. Definitions.
90. Internal control responsibilities.
91. Internal audit responsibilities.
92. Independent audits.

§ 89. Definitions. As used in this article, the following terms shall have the following meanings:

1. ‘Internal controls’. Internal controls encompass the plan of organization and all of the coordinate methods and measures adopted within an organization to safeguard its assets, check the accuracy and reliability


of its accounting data, promote operational efficiency and encourage adherence to prescribed managerial policies. Internal controls encompass both internal administrative controls and internal accounting controls.

2. ‘Internal administrative controls’. The plan of organization and the procedures and records that are concerned with the decision processes leading to management’s authorization of transactions.

3. ‘Internal accounting controls’. The plan of organization and the procedures and records that are concerned with the safeguarding of assets and the reliability of financial records and consequently are designed to provide reasonable assurance that:

a. financial transactions are executed in accordance with management’s general or specific authorization;

b. such transactions are recorded in conformity with generally accepted accounting principles or other applicable criteria and to maintain accountability for assets;

c. access to assets is permitted only in accordance with management’s authorization; and

d. the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

4. ‘Internal audit’. An appraisal activity established by the management of an organization for review of operations as a means of assuring conformance with management policies and the effectiveness of internal administrative and accounting controls, and conducted in conformance with generally accepted standards for internal auditing.

5. ‘Legislature’. The legislature of the state of New York, including all components thereof as provided in subdivision two of section ninety of this chapter.

§ 90. Internal control responsibilities. 1. The senate and the assembly shall each:

a. establish and maintain by rule guidelines for a system of internal controls; and

b. establish and maintain a system of internal controls and a program of internal control review for their respective house.

2. In order to identify all the components of the legislature and their responsibilities for the purposes of implementing the provisions of this article, the temporary president of the senate and the speaker of the assembly shall jointly issue, and at their discretion, periodically revise a schedule which lists all components of each of their respective houses of the legislature. The temporary president of the senate and the speaker of the assembly may identify in a schedule components for which joint internal administrative controls, internal accounting controls and internal control reviews will be established and maintained.

§ 91. Internal audit responsibilities. 1. The temporary president of the senate and the speaker of the assembly or their designees shall determine, and periodically review such determination of, whether an internal audit function within their respective house is required. Establishment of such function shall be based upon an evaluation of costs and benefits of implementation and other factors that are determined to be relevant. In the event it is determined that an internal audit function is required for one or both houses, the temporary president of the senate or the speaker of the assembly shall establish an internal audit function within the respective house which operates in accordance with generally accepted standards for internal auditing. Any such internal audit function shall be directed and shall report in a manner prescribed


by the respective house. The internal audit function shall evaluate the respective house’s internal controls, identify internal control weaknesses that have not been corrected and make recommendations to correct these weaknesses.

2. In the event the temporary president of the senate or the speaker of the assembly does not establish an internal audit function pursuant to subdivision one of this section he or she shall nevertheless establish and maintain the program of internal controls review required by section ninety of this article.

§ 92. Independent audits. 1. At least once every two years, the independent certified public accountants selected pursuant to this section shall conduct audits of the internal controls of each house of the legislature. Such audits shall be performed in accordance with generally accepted auditing standards and shall include a report on whether the respective house’s internal accounting controls and internal administrative controls are established and functioning in a manner that provides reasonable assurance that they meet the objectives of internal controls as defined in section eighty-nine of this article. The report shall identify the internal controls both evaluated and not evaluated and shall identify internal control weaknesses that have not been corrected and actions that are recommended to correct these weaknesses. If any such internal control weaknesses are significant or material with respect to each house, the independent auditor shall so state. The temporary president of the senate and the speaker of the assembly shall make available to the public the results of such audits, including any related management letters. The temporary president and the speaker and any officer or employee of each house shall make available upon request to such independent certified public accountants all books and records relevant to such independent audits.

2. The temporary president of the senate and the speaker of the assembly shall request proposals from independent certified public accountants for audits of the internal controls of their respective house. The requests for proposals shall include a reference to the requirements for audits conducted pursuant to subdivision one of this section. The temporary president and the speaker shall select such independent auditors in accordance with a competitive procedure including an evaluation, based on quality and price factors, of those proposals received in response to such requests for proposals. No contract for an independent auditor may extend for more than four years.

§ 9. Subdivision one of section two hundred eleven of the judiciary law is amended by adding a new paragraph (g-one) to read as follows:

(g-1) A system of internal control for the unified court system, pursuant to article seven-D of this chapter.

§ 10. Such law is amended by adding a new article seven-D to read as follows:

ARTICLE 7-D
INTERNAL CONTROL RESPONSIBILITIES OF THE JUDICIARY

Section 249. Definitions.
249-a. Internal control responsibilities.
249-b. Internal audit responsibilities.
249-c. Independent audits.

§ 249. Definitions. As used in this article, the following terms shall have the following meanings:


1. ‘Internal controls’. Internal controls encompass the plan of organization and all of the coordinate methods and measures adopted within an organization to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency and encourage adherence to prescribed managerial policies. Internal controls encompass both internal administrative controls and internal accounting controls.

2. ‘Internal administrative controls’. The plan of organization and procedures and records that are concerned with the decision processes leading to management’s authorization of transactions.

3. ‘Internal accounting controls’. The plan of organization and the procedures and records that are concerned with the safeguarding of assets and the reliability of financial records and consequently are designed to provide reasonable assurance that:

a. financial transactions are executed in accordance with management’s general or specific authorization;

b. such transactions are recorded in conformity with generally accepted accounting principles or other applicable criteria and to maintain accountability for assets;

c. access to assets is permitted only in accordance with management’s authorization; and

d. the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

4. ‘Internal audit’. An appraisal activity established by the management of an organization for the review of operations as a means of assuring conformance with management policies and the effectiveness of internal administrative and accounting controls, and conducted in conformance with generally accepted standards for internal auditing.

5. ‘Judiciary’. The courts and court-related programs, including the office of court administration, of the state-funded portion of the unified court system and all components thereof as provided in subdivision two of section two hundred forty-nine-a of this article.

g 249-a. Internal control responsibilities. 1. The chief judqc shall: a. establish and maintain for the judiciary guidelines for a system of

internal controls; b. establish and maintain for the judiciary a svstem of internal con-

trol‘ and . DCWZa. Of internal Control KeVieW. The DrOqram Of internal review shall be dcsiqned to identify internal control weaknesses and

3entify actions th.st are needed to correct these weaknesses: and c. desiqnate one or more internal control officers to implement and

review the internal controls rewonsibilitics established Dursuant to this section: and

2. In order to ldcntify all comwncnts of the iudiciarv and their rtswnsibilitics for the Dur~oses of isDlescntinq the prOViSiOnS Of this article, the chief iudqe shall issue and, at his or her discretion, periodically rwisc l schedule which lists all such components.

§ 249-b. Internal audit responsibilities. 1. The chief judge or his or her designee shall determine, and periodically review his or her determination of, whether an internal audit function within the judiciary is required. Establishment of such function shall be based upon an evaluation of exposure to risk, costs and benefits of implementation, and any other factors that are determined to be relevant. In the event it is determined that an internal audit function is required, the chief judge shall establish an internal audit function which operates in accordance with generally accepted professional standards for internal auditing. Any such internal audit function shall be directed by an internal auditor who shall report directly to the chief administrative judge. The internal audit function shall evaluate the judiciary's internal controls, identify internal control weaknesses that have not been corrected and make recommendations to correct these weaknesses.

2. In the event the chief judge does not establish an internal audit function pursuant to subdivision one of this section he or she shall nevertheless establish and maintain the program of internal control review required by section two hundred forty-nine-a of this article.

§ 249-c. Independent audits. 1. At least once every two years, the independent certified public accountant selected pursuant to this section shall conduct audits of the internal controls of the judiciary. Such audits shall be performed in accordance with generally accepted auditing standards and shall include a report on whether the judiciary's internal accounting controls and internal administrative controls are established and functioning in a manner that provides reasonable assurance that they meet the objectives of internal controls as defined in section two hundred forty-nine of this article. The report shall identify the internal controls both evaluated and not evaluated and shall identify internal control weaknesses that have not been corrected and actions that are recommended to correct these weaknesses. If any such internal control weaknesses are significant or material with respect to the judiciary, the independent auditor shall so state. The chief judge shall make available to the public the results of such audits, including any related management letters. The chief judge and any officer or employee of the judiciary shall make available upon request to such independent certified public accountants all books and records relevant to such independent audits.

2. The chief judge shall request proposals from independent certified public accountants for audits of the internal controls of the judiciary. The requests for proposals shall include a reference to the requirements for audits conducted pursuant to subdivision one of this section. The chief judge shall select such independent auditor in accordance with a competitive procedure including an evaluation, based on quality and price factors, of those proposals received in response to such requests for proposals. No contract for an independent auditor may extend for more than four years.

§ 11. Article nine of the public authorities law is amended by adding a new title eight to read as follows:

TITLE 8
INTERNAL CONTROL RESPONSIBILITIES OF PUBLIC AUTHORITIES

Section 2930. Definitions.
2931. Internal control responsibilities.
2932. Internal audit responsibilities.

§ 2930. Definitions. For the purposes of this title, the following terms shall have the following meanings:

1. "Internal controls". Internal controls encompass the plan of organization and all of the coordinate methods and measures adopted within an organization to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency and encourage adherence to prescribed managerial policies. Internal controls encompass both internal administrative controls and internal accounting controls.

2. "Internal administrative controls". The plan of organization and procedures and records that are concerned with the decision processes leading to management's authorization of transactions.

3. "Internal accounting controls". The plan of organization and the procedures and records that are concerned with the safeguarding of assets and the reliability of financial records and consequently are designed to provide reasonable assurance that:

a. financial transactions are executed in accordance with management's general or specific authorization;

b. such transactions are recorded in conformity with generally accepted accounting principles or other applicable criteria and to maintain accountability for assets;

c. access to assets is permitted only in accordance with management's authorization; and

d. the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

4. "Internal audit". An appraisal activity established by the management of an organization for the review of operations as a means of assuring conformity with management policies and the effectiveness of internal administrative and accounting controls, and conducted in conformance with generally accepted standards for internal auditing.

5. "Covered authority". Any public authority or public benefit corporation, other than a bi-state authority or public benefit corporation, a majority of whose members are appointed by the governor or serve as members by virtue of holding state offices to which they were appointed by the governor, or any combination thereof.

§ 2931. Internal control responsibilities. The governing board of each covered authority shall:

1. establish and maintain for the authority guidelines for a system of internal controls;

2. establish and maintain for the authority a system of internal controls and a program of internal control review. The program of internal review shall be designed to identify internal control weaknesses and identify actions that are needed to correct these weaknesses;

3. make available to each member, officer and employee a clear and concise statement of the generally applicable managerial policies and standards with which he or she is expected to comply;

4. designate an internal control officer to implement and review the internal controls responsibilities established pursuant to this section; and

5. implement education and training efforts to ensure that members, officers and employees have achieved adequate awareness and understanding of internal control standards and, as appropriate, evaluation techniques.

§ 2932. Internal audit responsibilities. 1. The governing board of each covered authority or its designee shall determine, and periodically review the determination of, whether an internal audit function within the covered authority is required. Establishment of such function shall be based upon an evaluation of exposure to risk, costs and benefits of implementation, and any other factors that are determined to be relevant. In the event it is determined that an internal audit function is required, the governing board of each covered authority shall establish an internal audit function which operates in accordance with generally accepted professional standards for internal auditing. Any such internal audit function shall be directed by an internal auditor who shall report directly to the governing board of the authority. The internal audit function shall evaluate the authority's internal controls and operations, identify internal control weaknesses that have not been corrected and make recommendations to correct these weaknesses.


2. In the event the governing board does not establish an internal audit function pursuant to subdivision one of this section it shall nevertheless establish and maintain the program of internal controls review required by section twenty-nine hundred thirty-one of this title.

§ 12. Paragraph (g) of subdivision two of section eighty-seven of the public officers law, as added by chapter nine hundred thirty-three of the laws of nineteen hundred seventy-seven, is amended to read as follows:

(g) are inter-agency or intra-agency materials which are not:
i. statistical or factual tabulations or data;
ii. instructions to staff that affect the public; [or]
iii. final agency policy or determinations; or
iv. external audits, including but not limited to audits performed by the comptroller and the federal government; or

§ 13. Paragraph (j) of subdivision two of section eighty-eight of such law is relettered paragraph (k) and a new paragraph (j) is added to read as follows:

(j) external audits conducted pursuant to section ninety-two of the legislative law and schedules issued pursuant to subdivision two of section ninety of the legislative law;

§ 14. This act shall take effect immediately and shall remain in full force and effect until January first, nineteen hundred ninety-four at which time this act shall be deemed repealed, provided that sections seven, nine, ten, and eleven of this act shall take effect April first, nineteen hundred eighty-nine, and section eight of this act shall take effect January first, nineteen hundred ninety, except that commencing on and after the date on which this act shall have become a law, the state comptroller, state agencies, covered authorities, the state legislature and the judiciary are authorized to take all actions necessary to implement their respective internal control and audit responsibilities under such sections of this act, and provided that paragraph a of subdivision two-b of section eight of the state finance law, as added by section five of this act, and subdivision one of section nine hundred fifty-three and subdivision one of section nine hundred fifty-four of the executive law, as added by section seven of this act, and subdivision one of section two hundred forty-nine-a of the judiciary law, as added by section ten of this act, shall take effect April first, nineteen hundred eighty-nine, and subdivision one of section ninety-two of the legislative law, as added by section eight of this act, shall take effect January first, nineteen hundred ninety.


APPENDIX 2

STANDARDS FOR INTERNAL CONTROLS IN NEW YORK STATE GOVERNMENT

ISSUED BY THE OFFICE OF THE STATE COMPTROLLER

(NOTE: GUIDE.)

IN THE INTERNAL CONTROL PROGRAM TRAINING "


INTERNAL CONTROL STANDARDS

The internal control standards define the minimum level of quality acceptable for internal control systems in operation and constitute the criteria against which systems are to be evaluated. These internal control standards apply to all operations and administrative functions (both manual and automated) but are not intended to limit or interfere with duly granted authority related to development of legislation, rulemaking, or other discretionary policymaking in an agency.

General Standards

1. Reasonable Assurance. Internal control systems are to provide reasonable assurance that the objectives of the systems will be accomplished.

2. Supportive Attitude. Managers and employees are to maintain and demonstrate a positive and supportive attitude toward internal controls at all times.

3. Competent Personnel. Managers and employees are to have personal and professional integrity and are to maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal controls.

4. Control Objectives. Internal control objectives are to be identified or developed for each agency activity and are to be logical, applicable, and reasonably complete.

5. Control Techniques. Internal control techniques are to be effective and efficient in accomplishing their internal control objectives.

6. Continuous Monitoring. Agency heads are to establish and maintain a program of internal review that is designed to identify internal control weaknesses and implement changes that are needed to correct the weaknesses.


Specific Standards

1. Documentation. Internal control systems and all transactions and other significant events are to be clearly documented, and the documentation is to be readily available for examination.

2. Recording of Transactions and Events. Transactions and other significant events are to be promptly recorded and properly classified.

3. Execution of Transactions and Events. Transactions and other significant events are to be authorized and executed only by persons acting within the scope of their authority.

4. Separation of Duties. Key duties and responsibilities in authorizing, processing, recording, and reviewing transactions should be separated among individuals.

5. Supervision. Qualified and continuous supervision is to be provided to ensure that internal control objectives are achieved.

6. Access

Access to resources and records is to be limited to authorized individuals, and accountability for the custody and use of resources is to be assigned and maintained. Periodic comparison shall be made of the resources with the recorded accountability to determine whether the two agree. The frequency of the comparison shall be a function of the vulnerability of the asset.

Audit Resolution Standard

Prompt Resolution of Audit Findings. Managers are to (1) promptly evaluate findings and recommendations reported by auditors, (2) determine proper actions in response to audit findings and recommendations, and (3) complete, within reasonable time frames, all actions that correct or otherwise resolve the matters brought to management's attention.


EXPLANATION OF GENERAL STANDARDS

General internal control standards apply to all aspects of internal controls.

Reasonable Assurance

Internal control systems are to provide reasonable assurance that the objectives of the systems will be accomplished.

The standard of reasonable assurance recognizes that the cost of internal control should not exceed the benefit derived. Reasonable assurance equates to a satisfactory level of confidence under given considerations of costs, benefits, and risks. The required determinations call for judgment to be exercised.

In exercising that judgment, agencies should:

• Identify (1) risks inherent in agency operations, (2) criteria for determining low, medium, and high risks, and (3) acceptable levels of risk under varying circumstances.

• Assess risks both quantitatively and qualitatively.

Risk assessment should be done following the information prepared by the Governor's Office of Management and Productivity: A Guide to Conducting Vulnerability Assessments, August 198% (See note below.)

Cost refers to the financial measure of resources consumed in accomplishing a specified purpose. Cost can also represent a lost opportunity, such as a delay in operations, a decline in service levels or productivity, or low employee morale. A benefit is measured by the degree to which the risk of failing to achieve a stated objective is reduced. Examples include preventing an improper activity; enhancing regulatory compliance; or increasing the probability of detecting fraud, waste, abuse, or error.

Note: A modified version of this guide is included in the State University of New York Internal Control Program Guide- and Tra~wn”iri-

Supportive Attitude

Managers and employees are to maintain and demonstrate a positive and supportive attitude toward internal controls at all times.

This standard requires agency managers and employees to be attentive to internal control matters and to take steps to promote the effectiveness of the controls. Attitude affects the quality of performance and, as a result, the quality of internal controls. A positive and supportive attitude is initiated and fostered by management and is ensured when internal controls are a consistently high management priority.

Attitude is not reflected in any one particular aspect of managers' actions but rather is fostered by managers' commitment to achieving strong controls through actions concerning agency organization, personnel practices, communication, protection and use of resources through systematic accountability, monitoring and systems of reporting, and general leadership. However, one important way for management to demonstrate its support for good internal controls is its emphasis on the value of internal auditing and its responsiveness to information developed through internal audits. Similarly, management should be supportive of and responsive to information developed through external audits made by organizations such as the Office of State Comptroller and independent CPA firms.

The organization of an agency provides its management with the overall framework for planning, directing, and controlling its operations. Good internal control requires clear lines of authority and responsibility; appropriate reporting relationships; and appropriate separations of authority.

In the final analysis, general leadership is critical to maintaining a positive and supportive attitude toward internal controls. Adequate supervision, training, and motivation of employees in the area of internal controls is important.

Competent Personnel

Managers and employees are to have personal and professional integrity and are to maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal controls.

This standard requires managers and their staffs to maintain and demonstrate (1) personal and professional integrity, (2) a level of skill necessary to help ensure effective performance, and (3) an understanding of internal controls sufficient to effectively discharge their responsibilities.

Many elements influence the integrity of managers and their staffs. For example, personnel should periodically be reminded of their obligations under an operative code of conduct and the Public Officers Law. In addition, hiring and staffing decisions should include pertinent verification of education and experience and, once on the job, the individual should be given the necessary formal and on-the-job training. Managers who possess a good understanding of internal controls are vital to effective control systems.

Counseling and performance appraisals are also important. Overall performance appraisals should be based on an assessment of many critical factors, one of which should be the implementation and maintenance of effective internal controls.

Control Objectives

Internal control objectives are to be identified or developed for each agency activity and are to be logical, applicable, and reasonably complete.

This standard requires that objectives be tailored to an agency's operations. All operations of an agency can generally be grouped into one or more categories called cycles. Cycles comprise all specific activities (such as identifying, classifying, recording, and reporting information) required to process a particular transaction or event. Cycles should be compatible with an agency's organization and division of responsibilities.

Cycles can be categorized in various ways. For example:

• Agency Management.
• Financial.
• Program (Operational).
• Administrative.

Agency management cycles cover the overall policy and planning, organization, data processing, and audit functions. Financial cycles cover the traditional control areas concerned with the flow of funds (revenues and expenditures), related assets, and financial information. Program (operational) cycles are those agency activities that relate to the mission(s) of the agency and which are peculiar to a specific agency. Administrative cycles are those agency activities providing support to the agency's primary mission, such as library services, mail processing and delivery, and printing.

The four types of cycles obviously interact, and controls over this interaction must be established. For example, a typical contract award cycle would be concerned with proper contracting procedures and, if awarded, administration of the contract. At the time of the award, the contract (program) and disbursement (financial) cycles would join together to control and record the payment authorization.

Complying with this standard calls for identifying the cycles of agency operations and analyzing each in detail to develop the cycle control objectives. These are the internal control goals or targets to be achieved in each cycle. The objectives should be tailored to fit the specific operations in each agency and be consistent with the overall objectives of internal controls as set forth in the New York State Governmental Accountability, Audit and Internal Control Act of 1987.

In the New York State Accounting System User Procedure Manual, Volume XI Controls and Special Procedures has, in Section 3.OCO. suggested guidelines for internal controls applicable to the major financial areas of payroll, cash, account coding, equipment, materials and supplies, and travel. Agencies should consider this material when designing, operating, and evaluating their internal control systems.

Control Techniques

Internal control techniques are to be effective and efficient in accomplishing their internal control objectives.

Internal control techniques are the mechanisms, whether manual or automated, by which control objectives are achieved. Techniques include, but are not limited to, such things as specific policies, procedures, plans of organization (including separation of duties), and physical arrangements (such as locks and fire alarms). This standard requires that internal control techniques continually provide a high degree of assurance that the internal control objectives are being achieved. To do so they must be effective and efficient.

To be effective, techniques should fulfill their intended purpose in actual application. They should provide the coverage they are supposed to and operate when intended. To be efficient, techniques should be designed to derive maximum benefit with minimum effort. Techniques tested for effectiveness and efficiency should be those in actual operation and should be evaluated over a period of time.

In developing control techniques, management must recognize that there are both prevention controls and detection controls. Prevention controls are designed to influence behavior to ensure that transactions are processed properly. Detection controls are designed to identify deviations from expected norms which should be investigated to verify that transactions are executed properly.

Continuous Monitoring

The systems in place should be evaluated on a continuous basis to identify weaknesses and allow management to take corrective action.

Internal control systems that have been put into place by management should be reviewed periodically to verify that they are working as intended, are still needed, and are cost effective. Controls that are not working should be identified and, if still needed, changed so they are working. In addition, agency heads should closely monitor agency action initiated to correct internal control weaknesses identified by internal or external auditors.

Management must recognize that internal control evaluations are accurate only at the time they are made and that procedures and the effectiveness of related internal controls are subject to change. For example, controls can change when employees change or when work flows are changed. Continuous evaluations help to ensure that established procedures and controls are being followed and continue to be appropriate.

EXPLANATION OF SPECIFIC STANDARDS

A number of techniques are essential to providing the greatest assurance that the internal control objectives will be achieved. These critical techniques are the specific standards discussed below.

Documentation

Internal control systems and all transactions and other significant events are to be clearly documented, and the documentation is to be readily available for examination.

This standard requires written evidence of (1) an agency's internal control objectives and techniques and accountability systems and (2) all pertinent aspects of transactions and other significant events of an agency. Also, the documentation must be available as well as easily accessible for examination.

Documentation of internal control systems should include identification of the cycles and related objectives and techniques, and should appear in management directives, administrative policy, and accounting manuals.

Documentation of transactions or other significant events should be complete and accurate and should facilitate tracing the transaction or event and related information from before it occurs, while it is in process, to after it is completed.

Complying with this standard requires that the documentation of internal control systems and transactions and other significant events be purposeful and useful to managers in controlling their operations, and to auditors or others involved in analyzing operations. This standard applies to both manual and automated systems.

Recording of Transactions and Events

Transactions and other significant events are to be promptly recorded and properly classified.

Transactions must be promptly recorded if pertinent information is to maintain its relevance and value to management in controlling operations and making decisions. This standard applies to (1) the entire process or life cycle of a transaction or event and includes the initiation and authorization, (2) all aspects of the transaction while in process, and (3) its final classification in summary records. Proper classification of transactions and events is the organization and format of information on summary records from which reports and statements are prepared.

Execution of Transactions and Events

Transactions and other significant events are to be authorized and executed only by persons acting within the scope of their authority.

This standard deals with management’s decisions to exchange, transfer, use, or commit resources for specified purposes under specific conditions. It is the principal means of assuring that only valid transactions and other events are entered into.

Authorization should be clearly communicated to

managers and employees and should include the specific conditions and terms under which authorktiona are to be made. Conforming to the terms of an authorization means that employees are carrying out their assigned duties in accordance with. directives and within the limi- tations established by man- agement.

Separation of Duties

Key duties and responsibilities in authorizing, processing, recording, and reviewing transactions should be separated among individuals.

To reduce the risk of error, waste, or wrongful acts or to reduce the risk of their going undetected, no one individual should control all key aspects of a transaction or event. Rather, duties and responsibilities should be assigned systematically to a number of individuals to ensure that effective checks and balances exist. Key duties include authorizing, approving, and recording transactions; issuing and receiving assets; making payments; and reviewing or auditing transactions. Collusion, however, can reduce or destroy the effectiveness of this internal control standard.

Supervision

Qualified and continuous supervision is to be provided to ensure that internal control objectives are achieved.

This standard requires supervisors to continuously review and approve the assigned work of their staffs. It also requires that they provide their staffs with the necessary guidance and training to help ensure that errors, waste, and wrongful acts are minimized and that specific directives are [...]

Assignment, review, and approval of a staff's work requires:

* Clearly communicating the duties, responsibilities, and accountabilities assigned each staff member.

* Systematically reviewing each member's work to the extent necessary.

* Approving work at critical points to ensure that work flows as intended.

Assignment, review, and approval of a staff's work should result in the proper processing of transactions and events including (1) following approved procedures [...] misunderstandings, and improper practices, and (3) discouraging wrongful acts from occurring or from recurring.

Access to and Accountability for Resources

Access to resources and records is to be limited to authorized individuals, and accountability for the custody and use of resources is to be assigned and maintained. Periodic comparison shall be made of the resources with the recorded accountability to determine whether the two agree. The frequency of the comparison shall be a function of the vulnerability of the asset.

The basic concept behind restricting access to resources is to help reduce the risk of unauthorized use or loss to the State, and to help achieve the directives of management. However, restricting access to resources depends upon the vulnerability of the resource and the perceived risk of loss, both of which should be periodically assessed. For example, access to and accountability for highly vulnerable documents, such as check stocks, can be achieved by:

* Keeping them locked in a safe.

* Assigning or having each document assigned a sequential number.

* Assigning custodial accountability to responsible individuals.

Other factors affecting access include the cost, portability, exchangeability, and the perceived risk of loss or improper use of the resource. In addition, assigning and maintaining accountability for resources involves directing and communicating responsibility to specific individuals within an agency for the custody and use of resources in achieving the specifically identified management directives.

6 EXPLANATION OF THE AUDIT RESOLUTION STANDARD

Prompt Resolution of Audit Findings

Managers are to (1) promptly evaluate findings and recommendations reported by auditors, (2) determine proper actions in response to audit findings and recommendations, and (3) complete, within reasonable time frames, all actions that correct or otherwise resolve the matters brought to management's attention.

The audit resolution standard requires managers to take prompt, responsive action on all findings and recommendations made by auditors. Responsive action is that which corrects identified deficiencies. Where audit findings identify opportunities for improvement rather than cite deficiencies, responsive action is that which produces improvements.

The audit resolution process begins when the results of an audit are reported to management, and is completed only after action has been taken that (1) corrects identified deficiencies, (2) produces improvements, or (3) demonstrates the audit findings and recommendations are either invalid or do not warrant management action.

Auditors are responsible for following up on audit findings and recommendations to ascertain that resolution has been achieved. Auditors' findings and recommendations should be monitored through the resolution and follow-up processes. Top management should be kept informed through periodic reports so it can assure the quality and timeliness of individual resolution decisions.

reviewing and improving controls. On some campuses, the heads of organizational units may also perform the duties of line managers. Internal control assignments to line managers may typically include:

* Establishing an atmosphere within the work environment which is supportive of internal controls

* Conducting vulnerability assessments and internal control reviews

* Initiating improved controls when a need is identified

* Maintaining documentation of controls, vulnerability assessments, internal control reviews and improvements

DEVELOP INTERNAL REPORTING SYSTEM

An internal reporting and follow-up system should be established to monitor the progress of the various tasks that make up the evaluation and improvement process. As a minimum, areas that should be monitored include:

* Status of training

* Scheduling and completion of vulnerability assessments

* Scheduling and completion of internal control reviews

* Progress of corrective actions in areas where controls are either necessary but nonexistent, sufficiently weak to warrant improvement, or excessive as to hinder operations or be noncost-effective

In addition, the reporting system should include summary information regarding the results of vulnerability assessments, internal control reviews, and corrective actions.

ESTABLISH DOCUMENTATION PROCESS

Documentation should be maintained for activities conducted in connection with vulnerability assessments, internal control reviews and follow-up actions. The kind and quantity of documentation and the method of maintaining it are matters that each campus should define for its own purposes. At a minimum, the documentation should show the personnel involved (in the assessment, review or follow-up), the key factors considered, the evaluation methods used and the conclusions reached.

Documentation should be of sufficient detail to permit effective supervisory review, as well as oversight review. Independent reviewers should be able to examine and understand the documentation and determine how the original campus reviewers reached their conclusions.

COMMIT PERSONNEL

Each campus should decide, during the organizational phase, what level of personnel resources will be committed to the evaluation and improvement process.

Orientation and training requirements should be decided concomitant to the committing of personnel. Orientation should be provided to senior managers to familiarize them with the University and campus program and objectives, and to make them aware of their responsibilities in the evaluation, improvement and reporting processes. In addition, training should be provided to the personnel who are assigned to conduct vulnerability assessments and internal control reviews.

See Attachment AT1 for a suggested listing of administrative tasks in implementing the Internal Control Program.

INTERNAL CONTROL EVALUATION AND IMPROVEMENT PROCESS

STEP 2: SEGMENT THE CAMPUS

The primary goal of this step of the internal control process is to develop a campus-wide inventory of "assessable units", each of which will be the subject of a vulnerability assessment. A complete coverage of all administrative, finance and business, and program areas should be included in the inventory. Segmenting the campus provides the groundwork necessary to determine a reasonable level of personnel involvement.

There is no best method to follow in the segmentation process. As a practical matter, a segmentation may be decided upon that includes a combination of organizational units, administrative functions, program activities, and discrete systems.

Sources that should prove useful in developing an inventory of assessable units are organization charts, budget and financial plan materials, schedule of positions, monetary certificates of approval, regulations and manuals, and management information systems. Determining factors may include:

* Organizational structure
* Nature and size of programs and administrative functions
* Numbers and sizes of subprograms and subfunctions
* Degree of independence of programs or functions
* Budget levels
* Funding source
* Geographic location, e.g., extension centers
* Number of personnel

Once the campus inventory of assessable units has been developed, it should be documented.

See Attachment AT2 for a partial listing of suggested activity areas subject to campus internal control evaluation and improvement efforts.

STEP 3: DEVELOP A SCHEDULE FOR VULNERABILITY ASSESSMENTS

Having developed an inventory of assessable units in Step 2, the next activity is to establish a time schedule for conducting the vulnerability assessments. The schedule should recognize the prioritization of the vulnerability assessments based on such factors as the relative importance and the potential risks of the assessable units included in the inventory.

STEP 4: CONDUCT VULNERABILITY ASSESSMENTS

A vulnerability assessment is performed by management on each of the assessable units identified in Step 2, the segmentation process. It is intended as a quick analysis and should not require an inordinate amount of staff time and effort. A vulnerability assessment is a preliminary judgment concerning the existence and adequacy of safeguards or controls now in place to assure:

* Successful achievement of the campus's mission, objectives and goals
* Operational effectiveness, efficiency and economy
* Compliance with laws, regulations, policies, procedures and guidelines
* Safeguarding of assets
* Accurate recording, preservation and reporting of financial and other key data

The manager of each assessable unit should be responsible for and participate in each of the unit's vulnerability assessments, which consist of five sub-steps:

Step 4A: Analyze general control environment

Step 4B: Identify and analyze inherent risk

Step 4C: Conduct a preliminary evaluation of existing safeguards or controls

Step 4D: Establish an overall vulnerability ranking

Step 4E: Recommend subsequent action

Managers who perform vulnerability assessments should guard against any tendency to devise a low vulnerability rating with the main purpose of avoiding a detailed internal control review. Also, they should be aware that if a weakness is observed which is perceived as placing the unit in immediate jeopardy, corrective action should be implemented as soon as possible.

STEP 4A: ANALYZE GENERAL CONTROL ENVIRONMENT

The environment in which activities are conducted has a major impact on the effectiveness of internal control. An analysis of the environment is performed to determine the extent to which the work setting supports a system of internal controls. This evaluation may be performed for the entity as a whole, or individually for each assessable unit. Determination should be based upon the size and nature of the entity. The following should be among the factors that are used to analyze the control environment:

* Management attitude
* Organizational structure
* Personnel
* Delegation of authority
* Policies and procedures
* Budgeting and reporting practices
* Organizational checks and balances
* EDP considerations

STEP 4B: IDENTIFY AND ANALYZE INHERENT RISK

The second sub-step in the vulnerability assessment process is an identification and analysis of the risks involved in the assessable unit's activities. Inherent risk may be defined as the potential for nonachievement of the campus's mission, objectives and goals; waste, inefficiency or ineffectiveness; loss, unauthorized use or misappropriation of assets; noncompliance with laws, regulations, policies, procedures and guidelines; or the inaccurate recording, preservation and reporting of financial and other key data.

This analysis should be performed without regard to controls that are in place to counteract those risks. The following should be among the factors considered in analyzing the inherent risk:

* Purpose and characteristics of the activity
* Budget and resource level
* Procurement of goods or services
* Impact outside of the University/campus
* Age and life expectancy of the activity
* Degree of decentralization
* Prior reviews

STEP 4C: CONDUCT A PRELIMINARY EVALUATION OF EXISTING SAFEGUARDS OR CONTROLS

The third sub-step in the vulnerability assessment process involves making a preliminary judgment concerning the existence and adequacy of safeguards/controls used by the assessable unit to assure:

* Successful achievement of the campus's mission, objectives and goals
* Operational effectiveness, efficiency and economy
* Compliance with laws, regulations, policies, procedures and guidelines
* Safeguarding of assets
* Accurate recording, preservation and reporting of financial and other key data

An in-depth review is not appropriate during vulnerability assessments. Rather, the evaluator's judgment should be based on knowledge and experience, and should be made in reference to internal control standards. Section VI, Appendix AP2, provides a description of the internal control standards.

STEP 4D: ESTABLISH AN OVERALL VULNERABILITY RANKING

The overall vulnerability ranking is derived from consideration of the conclusions reached in the analysis of the general control environment, the inherent risk and the evaluation of the safeguards from sub-steps 4A, 4B and 4C, respectively.

STEP 4E: RECOMMEND SUBSEQUENT ACTION

The recommendation for subsequent action is derived from consideration of the conclusions reached in sub-steps 4A through 4D above and from your knowledge, experience and judgment of and concerning the vulnerability of the unit or activity.

See Attachment AT3 for an illustration of an internal control vulnerability assessment.

STEP 5: ESTABLISH PLANS FOR SUBSEQUENT ACTIONS

The vulnerability assessment provides an initial evaluation of risks and safeguards and is used to determine recommended actions to be taken.

The next step is to establish a plan and schedule for taking the approved recommended actions for each of the assessable units, or for the areas which are determined to be most susceptible to loss. Four activities should be considered during this step:

* Classify vulnerability assessments according to the degree of risk
* Prioritize vulnerable areas based on such factors as the degree of risk and relative critical nature of the specific activities
* Select specific courses of action
* Develop a schedule for completing the approved recommended actions

Line managers and succeeding supervisors are the best qualified to establish plans for subsequent actions.

See Attachment AT4 for an illustration of a plan and schedule for internal control evaluations and improvements.

STEP 6: CONDUCT INTERNAL CONTROL REVIEWS

Depending upon the outcome of the vulnerability assessment and other appropriate considerations, it may be appropriate to conduct internal control reviews. Internal control reviews are detailed examinations of activities to determine whether adequate control measures exist, are implemented, and are effective. They involve assessing a specific group of activities (event cycle) to ascertain if defined techniques (processes and documents) are functioning as intended, and if they efficiently and effectively meet the established control objectives for the event cycle. During an internal control review, the flow of an event should be tracked from beginning to end: how it is created, how it is processed, and how it is reported. The following five sub-steps comprise one approach to conducting internal control reviews:

Step 6A: Identify event cycles

Step 6B: Analyze general control environment

Step 6C: Document the event cycles

Step 6D: Evaluate internal controls within the event cycles

Step 6E: Test the internal controls

Line managers should have the primary responsibility in the internal control review process. This responsibility includes planning and organizing each review, assigning responsibilities to personnel who will conduct the actual review, and monitoring the process.

STEP 7: TAKE CORRECTIVE ACTION

After reviewing the system design and testing the functioning controls, the reviewer should reach conclusions concerning the effectiveness of the controls. When the reviewer concludes that areas remain where controls do not provide reasonable assurance that a control objective is being met, or that unnecessary controls exist, follow-up actions are required.

Reports should be prepared which not only identify the weaknesses, but also recommend how to correct them. The recommendations should correlate with the risks involved; that is, a level of control should be recommended that considers the materiality or degree of the weakness. The recommended change should provide reasonable assurance of control and should be cost effective when weighed against the expected benefit that results from risks avoided or from errors or irregularities detected.

The recommendations should be considered by management, and a decision should be made to institute new controls, improve existing controls, or accept the risk inherent in the weakness. In many instances, the appropriate action will be apparent, but in other instances, further analysis may be necessary. In either case, approved corrective actions should be initiated as promptly as possible.

A formal system should be established to log and track the weaknesses identified, suggested actions, and actions taken. This follow-up system should identify responsible personnel and target dates.

See Attachment AT5 for an illustration of a plan and schedule for and status report on internal control evaluations and improvements.

STEP 8: PREPARE SUMMARY REPORTS ON INTERNAL CONTROLS

Management reports should be prepared on a regular basis to apprise senior campus management of the status of the Internal Control Program. These reports should include such topics as areas with nonexisting or inadequate control techniques, areas with controls not functioning properly, and areas where excessive controls exist, as well as the plans and schedules for addressing the identified concerns.

See Attachment AT6 for an illustration of a summary on results of internal control evaluation and improvement actions.

SECTION III

MAJOR UNIVERSITY INTERNAL CONTROL SYSTEMS

The following is a listing of several of the major University-wide internal control systems:

Education and Other Applicable Laws

Board of Trustees' Policies and Regulations

Policy Handbook

Policy Memoranda

Administrative Procedures Manual

Functional Office Memoranda on Procedures and Guidelines

Quadrennial Master Plan and Interim Progress Reports and Master Plan Amendments

Comprehensive Review of Undergraduate and Graduate Academic Programs -- every five years according to established gauges of quality, need, efficiency and interrelationships with other programs

Middle States' Accreditation

Accreditation by over 50 Professional Groups -- review and certify specific academic programs

Collective Bargaining Agreements

Budget Development and Execution Process

Chart of Accounts

University Accounting System

Finance Bulletins

Applicable Civil Service, DOB, OGS, OSC and SED guidelines, procedures and reviews

Internal and External Audits

Audit Resolution Follow-up Process

SECTION IV

STATUS AND PROGRESS REPORTING ON INTERNAL CONTROL EVALUATION AND IMPROVEMENT EFFORTS

The State-operated/funded campuses have the primary responsibility for taking necessary actions to implement the provisions of the New York State Governmental Accountability, Audit and Internal Control Act. However, the Chancellor and Central Administration staff are accountable for the University's overall compliance with the provisions of the Act. In addition, Central Administration has responsibility for the consolidated reporting on the progress and status of the total University's Internal Control Program efforts.

It is, therefore, necessary to establish a periodic reporting process which has been made as non-burdensome as possible. There are two report forms which will be found on the succeeding pages:

* The first report form, Plan and Schedule for and Status Report on Internal Control Evaluations and Improvements, page 4.2, should identify those internal control systems or assessable units that either have had or are scheduled for an internal control evaluation and improvement review, the evaluation method to be used (vulnerability assessment, internal control review or other method), the targeted completion date for the evaluation, whether improvement action is indicated as a result of the evaluation, the targeted completion date for indicated improvement action, and the current status (completed, on schedule, delayed, etc.) of the evaluation and improvement action.

* The second form, Summary on Results of Internal Control Evaluation and Improvement Actions, page 4.3, provides summary information on the results of completed evaluations and improvement actions.

The initial Plan and Schedule for and Status Report on Internal Control Evaluations and Improvements should cover the period through December 31, 1989, and be received in the Office of the Senior Vice Chancellor, Division of Administrative Affairs, State University of New York, State University Plaza, Albany, New York, 12246, no later than February 15, 1990.

Campuses will be advised as to when subsequent reports are due in the Central Office.

See Attachments AT5 and AT6 for examples of the Plan and Schedule for and Status Report on Internal Control Evaluations and Improvements and the Summary on Results of Internal Control Evaluation and Improvement Actions.

CAMPUS :

PLAN AND SCHEDULE FOR AND STATUS REPORT ON INTERNAL CONTROL EVALUATIONS AND IMPROVEMENTS

ASSESSABLE UNIT | EVALUATION METHOD | TARGETED EVALUATION COMPLETION DATE | IMPROVEMENT ACTION INDICATED YES/NO | TARGETED IMPROVEMENT ACTION COMPLETION DATE | CURRENT STATUS

Prepared by:

Telephone: ( )

Title:

Date:

CAMPUS :

SUMMARY ON RESULTS OF INTERNAL CONTROL EVALUATION AND IMPROVEMENT ACTIONS

ASSESSABLE UNIT | RESULTS OF EVALUATION AND IMPROVEMENT ACTIONS

Prepared by: Title:

Telephone: ( ) Date:

5/l/89 - 4.3 -

SECTION V

ATTACHMENTS

ATTACHMENT 1

RECOMMENDED ADMINISTRATIVE TASKS IN IMPLEMENTING THE INTERNAL CONTROL PROGRAM

STATE UNIVERSITY CAMPUS AT APEX

RECOMMENDED ADMINISTRATIVE TASKS IN IMPLEMENTING THE INTERNAL CONTROL PROGRAM

1. Campus President designates an individual to be the Campus Internal Control Officer.

2. Campus President names a Campus Internal Control Steering Committee with the Campus Internal Control Officer serving as a member (possibly Chair) of the Committee.

3. Campus President makes the campus's position and commitment to the Internal Control Program known initially to the Internal Control Steering Committee and at the appropriate time to the larger campus community.

4. Develop and implement campus internal control guidelines to include:
* Campus-specific objectives
* Campus-specific internal control evaluation and improvement process and mechanism for documenting each individual evaluation and improvement process
* Status and progress reporting system

5. Identify a campus-wide compilation of activity areas that should be subject to an internal control evaluation and improvement effort. (See Attachment AT2.)

6. Designate an individual to conduct internal control training.

7. Develop and implement an internal control orientation program for senior campus management.

8. Develop and implement an internal control training program for other management and key staff.

ATTACHMENT 2

PARTIAL LISTING OF SUGGESTED ACTIVITY AREAS SUBJECT TO CAMPUS INTERNAL CONTROL EVALUATION AND IMPROVEMENT EFFORTS

STATE UNIVERSITY CAMPUS AT APEX

PARTIAL LISTING OF SUGGESTED ACTIVITY AREAS SUBJECT TO CAMPUS INTERNAL CONTROL EVALUATION AND IMPROVEMENT EFFORTS

1. Campus planning process

2. Campus budget development and execution process

3. Development, maintenance and administration of:
* Academic programs and course offerings at the undergraduate, graduate and professional levels
* Continuing education programs
* International programs
* Library services
* Research programs
* Public service programs

4. Hospital and clinical programs

5. Student recruitment and admissions programs including minorities and handicapped

6. Student class scheduling and student records

7. Student financial aid programs

8. Graduate/teaching assistantships

9. Tuition waiver/reimbursement programs

10. Sabbatical leave program

11. Dormitory operations

12. Student health services

13. Computer services

14. Buildings and grounds maintenance

15. Public safety

16. Audit resolution

17. Revenue and expenditure accounting systems

18. Revenue generation cycle of activities including:
* Billing
* Cashiering
* Individual account maintenance
* Accounts receivable
* Collections
* Waiver and deferral of payments
* Refunds

19. Personnel/Payroll transaction cycle of activities including:
* Establishment/Deletion of positions
* Job descriptions
* Recruitments
* Affirmative action
* Appointments
* Orientation
* Training
* Fringe benefit administration
* Performance evaluations
* Separations
* Time and attendance reporting/recording
* Payroll
* Immigration Reform Control Act

20. Acquisition of goods/services cycle of activities including:
* Requisitioning
* Purchasing
* M/WBE efforts
* Encumbering
* Receiving
* Accounts payable
-- and where applicable:
* Inventorying
* Warehousing
* Distributing
* Petty cash payments

21. Campus support services including:
* Mail
* Printing
* Telephone
* Travel/Transportation

22. Toxic/Hazardous Waste Management, Right-to-Know Law

23. Ethics in Government

ATTACHMENT 3

ILLUSTRATION OF AN INTERNAL CONTROL VULNERABILITY ASSESSMENT

ILLUSTRATION

OF AN

INTERNAL CONTROL

VULNERABILITY ASSESSMENT

OF THE

CRITIC TEACHER TUITION WAIVER PROGRAM


VULNERABILITY ASSESSMENT

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

Prepared by: Date: 5/25/89 Title: Coordinator, Student Teacher Program

Reviewed by: Date: 5/31/89 Title: Dean, School of Education

Reviewer's Comments: Concur with vulnerability assessment and recommendation for subsequent action.


VULNERABILITY ASSESSMENT MATRIX

CAMPUS : SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

General Control Environment

Inherent (From Step 4B)

Step 4E 18 Recommendation for Subsequent Action 3


STEP 4A

ANALYZING THE GENERAL CONTROL ENVIRONMENT

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

MANAGEMENT ATTITUDE PLEASE CIRCLE APPROPRIATE NUMBER(S)

Rating columns: 1 Strongly Agree, 2 Agree, 3 Uncertain, 4 Disagree*, 5 Strongly Disagree*, 6 Not Applicable

1. Management is aware of the importance of internal controls as they relate to this assessable unit.

2. In the last year, management has reviewed internal controls to assure they are not being circumvented.

3. Management holds regular staff meetings.

4. Sufficient resources are provided to develop, maintain, and evaluate the internal control system.

5. Personnel have the authority needed to develop, maintain, and evaluate the internal control system.

6. Personnel are reinforced for their involvement with internal controls.

7. Audit/evaluation findings are resolved in a timely manner.

8. Other (Specify):

A. Enter totals for Columns 1 through 5

B. Rating value

C. Multiply A by B

D. Enter total of Line C across

E. Subtract # of NA (Column 6) entries from # of questions asked (7 or 8)

F. Divide Line D by Line E and round to nearest whole number

Conclusion: Management Attitude within this assessment unit may be creating vulnerability which is:

(Using Line F as a guide as well as other appropriate considerations, indicate overall conclusion here, and on Matrix Line 1)

* Particular attention should be given to "Disagree" and "Strongly Disagree" ratings.

22

7


STEP 4A

ANALYZING THE GENERAL CONTROL ENVIRONMENT

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

ORGANIZATIONAL STRUCTURE PLEASE CIRCLE APPROPRIATE NUMBER(S)

1. The organization chart is current.

2. The organizational structure helps rather than hinders work performance.

3. Sufficient flexibility exists in the unit's structure to deal with changing circumstances.

4. The structure provides adequate supervision.

5. Responsibilities of this unit are clearly defined so as to avoid duplication, overlap, or conflicts.

6. Managers have the decision-making authority necessary to operate effectively and efficiently.

7. Managers routinely follow up on all delegation of authority to employees.

8. Employees are held accountable for performance and results achieved.

9. Employees perceive top management to be interested in controls.

10. Other (Specify):

A. Enter totals for Columns 1 through 5

B. Rating value

C. Multiply A by B

D. Enter total of Line C across

E. Subtract # of NA (Column 6) entries from # of questions asked (9 or 10)

F. Divide Line D by Line E and round to nearest whole number

Conclusion: The Organizational Structure of this unit may be creating vulnerability which is:

(Using Line F as a guide as well as other appropriate considerations, indicate overall conclusion here, and on Matrix Line 2)

* Particular attention should be given to "Disagree" and "Strongly Disagree" ratings.


STEP 4A

ANALYZING THE GENERAL CONTROL ENVIRONMENT

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

PERSONNEL PLEASE CIRCLE APPROPRIATE NUMBER(S)

1. Competent personnel are recruited.

2. Accurate and up-to-date position descriptions are available.

3. Sufficient training opportunities to improve competency and update employees on new policies and procedures are available.

4. The quality of supervision is periodically reviewed at all levels.

5. Employees are adequately supervised to ensure that agency resources are safeguarded.

6. Managers periodically review employees' performances and provide necessary counseling.

7. Employees and managers are held accountable for satisfactory completion of performance elements.

8. This unit has a low turnover rate.

9. Other (Specify):

A. Enter totals for Columns 1 through 5

B. Rating value

C. Multiply A by B

D. Enter total of Line C across 18

E. Subtract # of NA (Column 6) entries from # of questions asked (8 or 9) 8

F. Divide Line D by Line E and round to nearest whole number 2 2

Conclusion: Personnel practices within this unit may be creating vulnerability which is:

(Using Line F as a guide as well as other appropriate considerations, indicate overall conclusion here, and on Matrix Line 3)

* Particular attention should be given to "Disagree" and "Strongly Disagree" ratings.


STEP 4A

ANALYZING THE GENERAL CONTROL ENVIRONMENT

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

DELEGATION OF AUTHORITY PLEASE CIRCLE APPROPRIATE NUMBER(S)

1. Employees' job descriptions describe actual jobs.

2. Employees are aware of their individual responsibilities.

3. The delegations prevent overlapping, duplication, and conflicts of authority/responsibility.

4. The delegations grant sufficient authority to officials to carry out their responsibilities.

5. Responsibility is divided so that no single official controls all phases of a critical transaction.

6. Other (Specify):

A. Enter totals for Columns 1 through 5

B. Rating value

C. Multiply A by B

D. Enter total of Line C across

E. Subtract # of NA (Column 6) entries from # of questions asked (5 or 6)

F. Divide Line D by Line E and round to nearest whole number

Conclusion: Delegation of Authority within this unit may be creating vulnerability which is:

(Using Line F as a guide as well as other appropriate considerations, indicate overall conclusion here, and on Matrix Line 4)

* Particular attention should be given to "Disagree" and "Strongly Disagree" ratings.


STEP 4A

ANALYZING THE GENERAL CONTROL ENVIRONMENT

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

POLICIES AND PROCEDURES PLEASE CIRCLE APPROPRIATE NUMBER(S)

1. Procedures for this unit kept current and readily

2. Policies and procedures are consistent with statutory authority.

3. Policies and procedures are simple and easy to understand.

4. In the past year, the policies and procedures for this unit have been reviewed and revised.

5. There is sufficient communication between managers and employees on policies and procedures concerning this unit.

6. Other (Specify):

A. Enter totals for Columns 1 through 5

B. Rating value

C. Multiply A by B

D. Enter total of Line C across

E. Subtract # of NA (Column 6) entries from # of questions asked (5 or 6)

F. Divide Line D by Line E and round to nearest whole number

Conclusion: The Policies/Procedures of this assessment unit may be creating vulnerability which is:

(Using Line F as a guide as well as other appropriate considerations, indicate overall conclusion here, and on Matrix Line 5)

19

5

4

* Particular attention should be given to "Disagree" and "Strongly Disagree" ratings.


STEP 4A

ANALYZING THE GENERAL CONTROL ENVIRONMENT

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

BUDGETING AND REPORTING PRACTICES PLEASE CIRCLE APPROPRIATE NUMBER(S)

1. The budget system is integrated with the planning process.

2. The approved spending plan becomes the operating plan.

3. Plans and budgets are effectively communicated throughout the organization.

4. Progress or performance reports show comparisons with planned performance, budget allowances, and/or past performance.

5. Reports are made in accordance with prescribed directives.

6. Reports are timely, accurate, useful, and distributed to appropriate users.

7. Problem areas are discovered and corrective action is taken promptly.

8. Financial and program achievement reports are used as effective management tools.

9. Budgets and management reports are scrutinized by third parties or a higher level of management.

10. Budgeting and reporting practices support a system of internal control.

11. Other (Specify):

A. Enter totals for Columns 1 through 5

B. Rating value

C. Multiply A by B

D. Enter total of Line C across

E. Subtract # of NA (Column 6) entries from # of questions asked (10 or 11)

Conclusion: Budgeting and Reporting Practices in this unit may be creating vulnerability which is:

(Using Line F as a guide as well as other appropriate considerations, indicate overall conclusion here, and on Matrix Line 6)

1 5 / 6’ / 7 /

9


STEP 4A

ANALYZING THE GENERAL CONTROL ENVIRONMENT

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

ORGANIZATIONAL CHECKS AND BALANCES PLEASE CIRCLE APPROPRIATE NUMBER(S)

1. Program evaluations/Management reviews are performed routinely.

2. Audits are performed routinely.

3. Audit/Review findings are corrected in a timely manner.

4. This organizational unit has a system for tracking corrective actions.

5. Objectives for internal controls have been identified and documented.

6. Reviews evaluate the internal controls at all levels of an operation.

7. Other (Specify):

A. Enter totals for Columns 1 through 5

B. Rating value

C. Multiply A by B

D. Enter total of Line C across 18 18

E. Subtract # of NA (Column 6) entries from # of questions asked (6 or 7)

F. Divide Line D by Line E and round to nearest whole number

Conclusion: Organizational Checks and Balances of this assessable unit may be creating vulnerability which is:

(Using Line F as a guide as well as other appropriate considerations, indicate overall conclusion here, and on Matrix Line 7)

* Particular attention should be given to "Disagree" and "Strongly Disagree" ratings.


STEP 4A

ANALYZING THE GENERAL CONTROL ENVIRONMENT

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

EDP CONSIDERATIONS PLEASE CIRCLE APPROPRIATE NUMBER(S)

1. Data is safeguarded to prevent unauthorized access, improper changes or loss.

2. EDP applications are in accord with guidelines which provide for data and systems security.

3. Computer systems controls are reviewed and updated periodically.

4. Input is reviewed promptly for authorization, completeness, accuracy and timeliness.

5. Output is reviewed periodically for usefulness, completeness, accuracy and timeliness.

6. Personnel are aware of control risks in EDP systems.

7. Other (Specify):

A. Enter totals for Columns 1 through 5

B. Rating value

C. Multiply A by B 0 0 00 0 0 00 0 0

D. Enter total of Line C across

E. Subtract # of NA (Column 6) entries from # of questions asked (6 or 7)

F. Divide Line D by Line E and round to nearest whole number

Conclusion: EDP Considerations within this assessment unit may be creating vulnerability which is:

(Using Line F as a guide as well as other appropriate considerations, indicate overall conclusion here, and on Matrix Line 8)

* Particular attention should be given to "Disagree" and "Strongly Disagree" ratings.


ANALYZING INHERENT RISK

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

STEP 4B

PURPOSE AND CHARACTERISTICS OF THE ACTIVITY PLEASE CIRCLE APPROPRIATE NUMBER(S)

1. This activity has clear and concise mission statements, goals and objectives.

2. Regulatory requirements for this function are reasonable and consistent with the function's activity.

3. Administrative policies and procedures for this activity are reasonable and consistent with the function's activity.

4. This activity does not involve a high degree of technical or administrative complexity.

5. Administration of this activity does not involve passing funds/authorities through other organizations or individuals to third party recipients for further actions and/or benefits.

6. There is normally sufficient time to satisfactorily accomplish this activity without taking shortcuts to meet severe time constraints.

7. This activity does not involve the handling of cash receipts.

8. This activity does not involve: Approval of Applications, Certification, Inspections, or Enforcement.

9. This activity is not influenced by a clientele and/or by public or private interest groups.

10. Other (Specify):

A. Enter totals for Columns 1 through 5

B. Rating value

C. Multiply A by B

D. Enter total of Line C across

E. Subtract # of NA (Column 6) entries from # of questions asked (9 or 10)

F. Divide Line D by Line E and round to nearest whole number

Conclusion: The Purpose and Characteristics of this unit may be creating vulnerability which is:

(Using Line F as a guide as well as other appropriate considerations, indicate overall conclusion here, and on Matrix Line 9)

* Particular attention should be given to "Disagree" and "Strongly Disagree" ratings.


9

3


STEP 4B

ANALYZING INHERENT RISK

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

BUDGET AND RESOURCE LEVEL PLEASE CIRCLE APPROPRIATE NUMBER(S)

1. This assessable unit has a small budget as compared with other programs/functions within the organization.

2. This unit is not responsible for valuable property, supplies, equipment, or other resources that require safeguarding.

3. Other (Specify):

A. Enter totals for Columns 1 through 5

B. Rating value

C. Multiply A by B

D. Enter total of Line C across

E. Subtract # of NA (Column 6) entries from # of questions asked (2 or 3)

F. Divide Line D by Line E and round to nearest whole number

Conclusion: Budgeting and Resource Level for this activity may be creating vulnerability which is:

(Using Line F as a guide as well as other appropriate considerations, indicate overall conclusion here, and on Matrix Line 10)

* Particular attention should be given to "Disagree" and "Strongly Disagree" ratings.


2


ANALYZING INHERENT RISK

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

STEP 4B

PROCUREMENT OF GOODS OR SERVICES PLEASE CIRCLE APPROPRIATE NUMBER(S)

2. The activity is not involved in single or limited source contracts.

3. Other (Specify):

A. Enter totals for Columns 1 through 5

B. Rating value

C. Multiply A by B

D. Enter total of Line C across

E. Subtract # of NA (Column 6) entries from # of questions asked (2 or 3)

F. Divide Line D by Line E and round to nearest whole number

Conclusion: The Procurement of Goods or Services for this activity may be creating vulnerability which is:

(Using Line F as a guide as well as other appropriate considerations, indicate overall conclusion here, and on Matrix Line 11)

* Particular attention should be given to "Disagree" and "Strongly Disagree" ratings.


2

1


STEP 4B

ANALYZING INHERENT RISK

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

IMPACT OUTSIDE OF THE UNIVERSITY/CAMPUS PLEASE CIRCLE APPROPRIATE NUMBER(S)

1. This activity has little potential for external pressures aimed at obtaining management decisions favorable to special interests.

2. There is little special interest group activity in this area.

3. Few members of the public are directly impacted by changes in this activity.

4. Other (Specify):

A. Enter totals for Columns 1 through 5

B. Rating value

C. Multiply A by B

E. Subtract # of NA (Column 6) entries from # of questions asked (3 or 4)

F. Divide Line D by Line E and round to nearest whole number

Conclusion: The Outside Impact on the University/campus may be creating vulnerability which is:

(Using Line F as a guide as well as other appropriate considerations, indicate overall conclusion here, and on Matrix Line 12)

* Particular attention should be given to "Disagree" and "Strongly Disagree" ratings.

9

3


STEP 4B

ANALYZING INHERENT RISK

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

AGE AND LIFE EXPECTANCY OF THE ACTIVITY PLEASE CIRCLE APPROPRIATE NUMBER(S)

1. It is expected that this activity will not experience significant change, decline or phase-out within the next two years.

2. This assessable unit has been in existence for more than two years.

3. This unit is a permanent function of the University/campus.

4. This unit has not undergone reorganization in the last two years.

5. Other (Specify):

A. Enter totals for Columns 1 through 5

B. Rating value

C. Multiply A by B

D. Enter total of Line C across

E. Subtract # of NA (Column 6) entries from # of questions asked (4 or 5)

F. Divide Line D by Line E and round to nearest whole number

Conclusion: The Age and Life Expectancy of this activity may be creating vulnerability which is:

(Using Line F as a guide as well as other appropriate considerations, indicate overall conclusion here, and on Matrix Line 13)

* Particular attention should be given to "Disagree" and "Strongly Disagree" ratings.


STEP 4B

ANALYZING INHERENT RISK

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

DEGREE OF DECENTRALIZATION PLEASE CIRCLE APPROPRIATE NUMBER(S)

1. The major responsibility for control of this activity exists within the unit and not at a centralized organizational level, separate from the unit being assessed.

2. There is an appropriate amount of decentralization, paired with adequate delegation of authority, needed to manage and control.

3. The decentralization of resources does not cause inefficiencies.

4. Decentralization does not create a barrier to getting work done.

5. Other (Specify):

A. Enter totals for Columns 1 through 5

B. Rating value

C. Multiply A by B

D. Enter total of Line C across

E. Subtract # of NA (Column 6) entries from # of questions asked (4 or 5)

F. Divide Line D by Line E and round to nearest whole number

Conclusion: The Degree of Decentralization of this unit may be creating vulnerability which is:

(Using Line F as a guide as well as other appropriate considerations, indicate overall conclusion here, and on Matrix Line 14)

* Particular attention should be given to "Disagree" and "Strongly Disagree" ratings.

4

1


STEP 4B

ANALYZING INHERENT RISK

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

PRIOR REVIEWS PLEASE CIRCLE APPROPRIATE NUMBER(S)

1. The unit has been reviewed or audited within the past two years.

2. All findings of the above reviews were minor.

3. The audit or review findings disclosed that previously identified problems were corrected.

4. The scope or coverage of recent reviews has not been extremely limited.

5. Audits and reviews have [illegible] uncovered losses due to waste or abuse in the last two years.

6. Other (Specify):

A. Enter totals for Columns 1 through 5

B. Rating value

C. Multiply A by B

D. Enter total of Line C across

E. Subtract # of NA (Column 6) entries from # of questions asked (5 or 6)

F. Divide Line D by Line E and round to nearest whole number

Conclusion: Prior Reviews of this activity may be indicating vulnerability which is:

(Using Line F as a guide as well as other appropriate considerations, indicate overall conclusion here, and on Matrix Line 15)

* Particular attention should be given to "Disagree" and "Strongly Disagree" ratings.

4

1


STEP 4C

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

PRELIMINARY EVALUATION OF SAFEGUARDS

STANDARDS PLEASE CIRCLE APPROPRIATE NUMBER(S)

1. REASONABLE ASSURANCE The internal control systems provide reasonable

2. SUPPORTIVE ATTITUDE The managers and employees demonstrate and

3. COMPETENT PERSONNEL The managers and employees have the skills, knowledge and an attitude needed for accomplishing work requirements and developing and implementing internal controls.

4. CONTROL OBJECTIVES Internal control objectives are identified or developed for each significant risk within this assessable unit and are logical, reasonable and complete.

5. CONTROL TECHNIQUES Internal control techniques are effective and efficient in accomplishing the control objectives.

6. CONTINUOUS MONITORING Internal control systems are reviewed periodically to determine if they are working as intended, are still needed and are cost effective.

A. Enter totals for Columns 1 through 5 (Page Total)


(CONTINUED)


STEP 4C

PRELIMINARY EVALUATION OF SAFEGUARDS

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

PRELIMINARY EVALUATION OF SAFEGUARDS - (CONTINUED)

SPECIFIC STANDARDS PLEASE CIRCLE APPROPRIATE NUMBER(S)

1. DOCUMENTATION Internal control systems are clearly documented and available for examination.

2. RECORDING OF TRANSACTIONS AND EVENTS Transactions and other significant events are promptly recorded and properly classified.

3. EXECUTION OF TRANSACTIONS AND EVENTS Transactions and other significant events are authorized and executed only by persons acting within the scope of their authority.

4. SEPARATION OF DUTIES Key duties and responsibilities in authorizing, processing, recording and reviewing transactions are separated among individuals.

5. SUPERVISION Qualified and continuous supervision is provided to ensure that internal control objectives are achieved.

6. ACCESS TO AND ACCOUNTABILITY FOR RESOURCES Access to resources and records is limited to authorized individuals, and accountability for the custody and use of resources is assigned and maintained. Periodic comparison between resources and records is made.

A. ENTER TOTALS FOR COLUMNS 1 THROUGH 5 THIS PLUS PREVIOUS PAGE

B. Rating value

C. Multiply A by B

1,2 3

103

I@3

103

103

1, @ 3

3 9 2

1 2 3

3 18 6

D. Enter total of Line C across 29

E. Subtract # of NA (Column 6) entries from # of questions asked (12)

F. Divide Line D by Line E and round to nearest whole number

12

2

Conclusion: In general, Compliance with Standards for this assessable unit is:

(Using Line F as a guide as well as other appropriate considerations, indicate overall conclusion here, and on Matrix Line 16)

* Particular attention should be given to "Disagree" and "Strongly Disagree" ratings.


40

4 5

4 5

4 5

4 5

4 5

0 1

4 5

0 5

6 7

6 7

6 7

6 7

6 7

6 7

-


STEP 4D

OVERALL VULNERABILITY RANKING

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

The Overall Vulnerability Ranking is derived from consideration of the 16 factor conclusions reached.

Select an overall ranking from those listed below, and enter the corresponding number on Matrix Line 17.

Overall Vulnerability Ranking (Options)

4. Moderately High 5. High


STEP 4E

RECOMMENDATION FOR SUBSEQUENT ACTION

CAMPUS: SUNY Campus at Apex

PROGRAM/FUNCTION: Teacher Education

ASSESSABLE UNIT: Critic Teacher Tuition Waivers

The Recommendation for Subsequent Action is derived by your consideration of the conclusions reached in Steps 4A through 4D, and from your knowledge, experience and judgment of and concerning the vulnerability of your unit/activity.

Indicate your recommendation for subsequent action by entering the number that corresponds to your selection from the list below on Matrix Line 18.

Recommendation (Options) for Subsequent Action

1. Request no action at this time

2. Instruct or train personnel

3. Establish or modify procedures

4. Request an internal audit or management review

5. Conduct an internal control review

Note: In addition to selecting one of the above recommendation options, remarks may be attached if necessary.
