Good internal control practices allow the university to achieve its objectives while maintaining an environment that focuses on ethics and accountability.
Internal controls are measures adopted by the university to promote the thoughtful and efficient use of all resources. UB is fundamentally committed to the principles and practices of internal controls.
“…All university employees are responsible for safeguarding the significant resources with which UB is entrusted. This responsibility is met through thoughtful consideration of the risks presented in our daily operations and through mitigation of those risks with meaningful policies, procedures, and collaborative best practices. Success of the internal control program is dependent on the individual integrity of every employee…
We, as members of our university community, must be committed to adhering to the principles and practices of UB’s system of internal controls. Stewardship of the public trust is integral to our university values and mission.”
-Satish K. Tripathi, President, University at Buffalo
Effective internal controls help departments:
Departments benefit by:
Effective and efficient performance accomplishes goals and objectives in an accurate and timely fashion using minimal resources; consistent performance increases reliability. Operations are considered effective when they get the job done. Best practices eliminate duplicated efforts, streamline processes, increase productivity, and employ a variety of means to achieve consistent, efficient and effective processes.
Inefficiencies occur when processes are performed that provide no additional benefit or value. Inefficiency and ineffectiveness may result in a lack of resource availability and may cause a unit to be unable to meet its objectives. Frequently, this results in added operational costs to the organization. Those costs could be measured in overtime wages, unmet targets, lost productivity or the inability to accept additional responsibility. Ultimately, inefficiencies result in the inability to be effective in attaining objectives.
Written policies and procedures:
If written policies and procedures do not exist, are inaccurate, incomplete, or simply not current, the following could result:
Best practices:
Segregation of duties is a primary concept in a system of internal control. Adequate segregation of duties reduces the likelihood that errors (intentional or unintentional) will remain undetected. The basic idea underlying segregation of duties is that no employee or group should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. One person should not be able to initiate, record, authorize, execute and review a transaction. Reconciliations should be performed by a person independent of the basic process.
If an adequate segregation of duties does not exist, the following could occur:
Best practices:
Assets are the economic resources of the university that are expected to be of benefit in the future. Assets include cash, office supplies, equipment, furniture, buildings and land. Protective measures, including administrative, physical and technical security, must be taken to ensure that assets are maintained in a properly controlled and secured environment. Assets and records should be kept secure at all times to prevent unauthorized access, loss or damage. The security of assets and records is essential for accurate operations. If safeguards are not in place, the following could occur:
Unauthorized transactions or processing
Best practices:
Information is one of the university's most valuable resources and requires responsible management and safeguarding by all members of the university community. We collect, retain and use personal information from such sources as hard copy applications, electronic forms, background checks or over the internet. While collecting and handling this information, we must ensure the security and confidentiality of such personal information, protect against any anticipated threats to its security or integrity and guard it against unauthorized access or use. Improper disclosure of private information can lead to:
Best practices:
A good internal control system provides a mechanism to verify that transactions and activity are for the correct purpose and amount and are allowable. When a process is performed within a department, there should always be another level of review and approval performed by a knowledgeable individual independent of the process. The reviewer should be able to identify errors and omissions. The approval should be documented to verify that a review was done. Review and approval help to reduce errors, irregularities and inaccurate or incomplete information in accounts and reports.
Inadequate review and approval could result in the following:
Best practices:
In simple terms, timeliness means meeting prescribed deadlines. When deadlines are not met, the following could occur:
The timeliness of processing may not be a major priority on an individual’s “to do” list, but if you don’t have the time to do it right, when will you have the time to do it over? As organizations continue to push to do more with less and create increased operational efficiencies and profits, timeliness has become important to the overall success of the organization. It’s the one area where all employees can analyze their workflows and identify ways to work smarter and save time.
Best practices:
In the context of internal controls, paper or electronic communication which supports the completion of the lifecycle of a transaction meets the criteria for documentation. Anything that provides evidence for a transaction, shows who has performed each action pertaining to a transaction, or establishes the authority to perform such activities is considered within the realm of documentation. Documents provide a record of each event or activity to support the accuracy and completeness of transactions. Proper documentation provides evidence of what has transpired and provides information for researching discrepancies. Decision makers rely on facts provided in reports; therefore, it is imperative that the information be accurate, complete and current; fully disclosed; concise, objective and provided on a timely basis.
Inaccurate or incomplete reporting could result in the following:
Best practices:
Accounting is a system that measures business activities, processes information into reports, and communicates findings to decision makers. Two major controls of an accounting system are accurate posting of transactions and adequate account review and reconciliation.
Inadequate controls over an organization’s accounting system could result in:
Best practices:
The New York State Governmental Accountability, Audit and Internal Control Act (Internal Control Act) embodies New York State’s commitment to efficient and effective business practices, quality services and ethics in the operations of State government. The Internal Control Act outlines the requirements for a comprehensive system of internal controls. Internal control is the integration of activities, plans, attitudes, policies and efforts of an organization working together to provide reasonable assurance that the organization will achieve its objectives and mission.
As such, internal control is people-dependent. Every member of the organization has a role, since every activity of the organization should be directed toward achieving its mission.
The Internal Control Act requires the university to provide each employee a clear and concise statement of the generally applicable management policies and standards with which employees are expected to comply. This includes a position description and performance program, pertinent collective bargaining agreement, policies of the SUNY Board of Trustees and Public Officers Law. Copies of these documents may be obtained by contacting Human Resources, 120 Crofts Hall at 716-645-7777.
In addition, other policies and standards are issued by the President and other officers of the university.
Tricia Canty
Policy, Compliance and Internal Controls
Phone: 716-645-2639
Email: tscanty@buffalo.edu