Effective Internal Control Program in New York State

Learn about managing and evaluating the internal control system within New York State, specifically focusing on the State University of New York (SUNY). The program covers the roles, responsibilities, and activities supporting compliance with state regulations. Discover the purpose and outcomes of internal control systems for operations, reporting, and compliance, as well as the significance of having them in place for governmental accountability.

• Internal control
• New York State
• SUNY
• Compliance
• Governmental accountability

lowie Follow

Uploaded on Mar 20, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

Presentation Transcript

1. Managing & Evaluating the Internal Control System New York State Internal Control Association (NYSICA) October 19, 2023

2. State University of New York Joe Carbone Internal Control Officer State University of New York System Administration Office of the University Controller Email: Joseph.Carbone@suny.edu Dave Lackraj Internal Audit Manager State University of New York System Administration Office of the University Auditor Email: Davendra.Lackraj@suny.edu SUNY THE STATE UNIVERSITY OF NEW YORK 2

3. Overview State University of New York (SUNY) Internal Control Program COSO Internal Control Framework Internal Control Roles and Responsibilities Activities that support compliance with the NYS Internal Act Annual Review of Internal Controls over the Payment Process SUNY Office of the University Auditor Internal Audit Role and Responsibilities Auditing Internal Controls SUNY Internal Audit Process SUNY THE STATE UNIVERSITY OF NEW YORK 3

4. Internal Control System What is Internal Control? Internal control is a process, effected by an entity s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. Achievement of Objectives Operations, Reporting, and Compliance Process Ongoing tasks and activities Effected by People Everyone ! Provide Reasonable But not Absolute Assurance Adaptable to the Entity Structure SUNY THE STATE UNIVERSITY OF NEW YORK 4

5. Internal Control System Why do we need them? For those in NYS Government: Required by the New York State Governmental Accountability, Audit and Internal Control Act Act Establish and maintain guidelines for a system of internal controls Establish and maintain an internal control system and review process Make a clear and concise statement of managerial policies and standards Periodically evaluate the need for an internal audit function Provide internal control education and training Designate an Internal Control Officer But we also all know that SUNY THE STATE UNIVERSITY OF NEW YORK 5

6. Internal Control System Outcomes of an Effective Internal Control Program Reporting (Financial/Non- Financial) Accurate and Timely Compliance Laws and Regulations Operations Efficient and Effective Protect against Waste, Fraud and Abuse Accountability and Transparency Mitigates Our Risks and Preserves our Reputation in achieving the Organizations mission. SUNY THE STATE UNIVERSITY OF NEW YORK 6

7. Mission Statement The mission of the state university system shall be to provide to the people of New York educational services of the highest quality, with the broadest possible access, fully representative of all segments of the population in a complete range of academic, professional and vocational postsecondary programs including such additional activities in pursuit of these objectives as are necessary or customary. These services and activities shall be offered through a geographically distributed comprehensive system of diverse campuses which shall have differentiated and designated missions designed to provide a comprehensive program of higher education, to meet the needs of both traditional and non- traditional students and to address local, regional and state needs and goals. SUNY THE STATE UNIVERSITY OF NEW YORK 7

8. State University of New York Student Enrollment (Fall 2022) Total: ~363,000 o State-Operated: ~204,000 o Community Colleges: ~159,000 Established in 1948 75th Anniversary 64 Universities and Colleges 29 State-Operated Campuses 5 Statutory Colleges o Cornell U. 4 o Alfred U. - 1 30 Community Colleges SUNY Employees (a/o Fall 2022) Total: ~83,000 o State-Operated: ~64,000 o Community Colleges: ~19,000 SUNY THE STATE UNIVERSITY OF NEW YORK 8

9. Internal Control Program Framework Control Environment Risk Assessment Control Activities Internal Control Program Information and Communication Monitoring Activities SUNY THE STATE UNIVERSITY OF NEW YORK 9

10. Control Environment 1. Demonstrates commitment to integrity and ethical values Designated Ethics Officers at each campus Resource and Oversight: Public Officers Law, Financial Disclosure Requirements, and Ethics Training Informational Ethics Inter/Intranet websites Ethics laws and regulations, requirements for adherence, contact information "Tone at the Top" from Campus President or designee to the campus community Expresses their commitment and support of internal controls Adherence to policies and procedures Employee roles and responsibilities Internal Control Education and Training Computer/LMS Training - SUNY/Campus-based developed training videos Provide an overview of our internal control program The importance of internal controls and why we have them How employees play a part in maintaining an effective internal control environment Periodic newsletters and/or internal control brochure Links/references to the internal control portion of the campus website SUNY Policy & Procedure and hotline to report suspected fraudulent activities SUNY THE STATE UNIVERSITY OF NEW YORK 10

11. Control Environment 2. Exercises oversight responsibility Standing committees of the Board of Trustees Audit Committee Assist the Board in fulfilling its fiduciary responsibilities Formally meets throughout the year o SUNY/Campus leadership and external parties (e.g., accounting firms) o Risk management and internal controls activities o Internal and external (financial statement) audit activities SUNY Internal Control Program (ICP) Policy SUNY Board of Trustees approved policy Establishes SUNY s formalized program of internal control SUNY Internal Control Program (ICP) Guidelines State-operated campuses, Statutory colleges and SUNY System Administration (Campuses) Each establish and maintain an internal control program Designate SUNY-wide ICO and Campus ICOs Implementation and administration of the SUNY and each campuses ICP Responsibilities of management and staff Key elements for compliance with the NYS IC Act requirements SUNY THE STATE UNIVERSITY OF NEW YORK 11

12. Control Environment 3. Establishes structure, authority, and responsibility SUNY Board of Trustees SUNY Chancellor Campus Presidents SUNY & Campus Senior Leadership (E.g., Provost, CFO, COO, other Senior/Vice Presidents) Campus Organizational Assessable Unit Director/Head (or Equivalent) Functional Area Manager/Supervisor (or Equivalent) Personnel/Staff Campus Internal Control Officer SUNY Internal Control Officer SUNY Office of the University Auditor SUNY THE STATE UNIVERSITY OF NEW YORK 12

13. Control Environment 4. Demonstrates commitment to competence 5. Enforces Accountability Annual employee performance program/evaluations Goals and objectives established annually Discuss performance, areas to improve, additional training needed Employee job descriptions Developed and maintained Outline roles and responsibilities of position Reporting relationships Knowledge and skills required Employee Recognition Chancellors Awards of Excellence Years of Service Internal Promotions Policies and Procedures SUNY-Wide Campus-Wide Unit-Level Hiring Practices Job duties and qualifications Established for positions Search committee for professional positions Identify and select the most qualified persons Professional Development/Training Provided internally or through external organizations SUNY THE STATE UNIVERSITY OF NEW YORK 13

14. Control Environment Open Group Discussion: Shared Best Practices and/or Guidance What are examples of how your organization 1. Demonstrates commitment to integrity and ethical values 2. Exercises oversight responsibility 3. Establishes structure, authority, and responsibility 4. Demonstrates commitment to competence 5. Enforces Accountability SUNY THE STATE UNIVERSITY OF NEW YORK 14

15. Risk Assessment 6. Specifies suitable objectives . SUNY mission statement and objectives Clearly stated on the SUNY public website SUNY Chancellor has established and communicated key initiatives 7. Identifies and analyzes risk Risk/Vulnerability assessments of organizational assessable units Internal Control Reviews over high-risk areas Collaborate process between campus stakeholders Risk Areas High Risk Areas Amount /Activity (annual) Financial Compliance Operational Reputational $13.4B ($3.4B in cash) Revenue/Cash Management Over $5B Payroll/HR Over $3B in OTPS Expenses Procurement $3.4B in Equipment Property Control $1.2B Financial Aid Establishes Oversight/Tone at the Top Supports business and academic systems Help ensure effective planning and continuity General Control Environment Information Technology Emergency Management SUNY THE STATE UNIVERSITY OF NEW YORK * Campuses may identify additional high-risk areas specific to their operations 15

16. Risk Assessment 8. Assesses fraud risk 9. SUNY/Campuses are proactive Monitor any significant changes (E.g., external, internal, human resource related) SUNY/Campus Leadership Counsel and Government Relations Offices Operational and Financial Unit management/staff Changes are distributed through various communication methods Presentations to SUNY/Campus leadership, management and staff (E.g., Business Officers, Financial Aid Directors, Procurement Directors) Policies and procedures, e-mail announcements and/or list serves Working groups may be established in the implementation of any operational changes Manages risk during change Assessment process Provides the means to identify potential of fraud risk (e.g., conflicting job duties, separation of duties, approval systems, etc.,) Internal Control Reviews Review templates Provide steps to assess potential fraud risk. (e.g., SODs within the procure to pay and revenue/cash management processes) Policies and Procedures Control activities that employees are expected to comply with (e.g., documentation requirements, reviews, and approvals) SUNY Policy on fraud and irregularities and a Procedure for reporting SUNY THE STATE UNIVERSITY OF NEW YORK 16

17. Risk Assessment Open Group Discussion: Shared Best Practices and/or Guidance What are examples of how your organization 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Manages risk during change SUNY THE STATE UNIVERSITY OF NEW YORK 17

18. Control Activities 10. Selects and develops control activities 11. Selects and develops general controls over technology SUNY Information Security Policy SUNY-wide Chief Information Security Officer (CISO) Assists and provides subject matter expertise regarding information/cyber security SUNY/Campus IT security professionals Monitor system activities Campus Security Administrators who manage user access Procedures for managing access Information/cyber security awareness training Educate employees on such matters as phishing and other attacks Annual user access reviews to business systems OSC Advisory 28 and SFS Validation Verify user appropriateness and continued relevance Established/Updated upon a variety of internal control related activities Risk assessments Internal control reviews Audits Executive/management/staff meetings and discussions Changes in the external or internal operating environment Observations made or reported to management SUNY THE STATE UNIVERSITY OF NEW YORK 18

19. Control Activities 12. Deploys controls through policies and procedures Open Group Discussion: Shared Best Practices and/or Guidance What are examples of how your organization 10. Selects and develops control activities 11. Selects and develops general controls over technology 12. Deploys controls through policies and procedures SUNY-wide policies and procedures Policy and procedure library on the SUNY website Contribute to the mitigation of risks to achieving the University s objectives Major functions and operations E.g., Procurement and Contracting, Academic, Financial Management, Information Security Unit heads are responsible for those relating to their operations and functions Communicate policies and procedures to campus partners and staff Work with campus partners and staff regarding execution and compliance Campus-specific policies and procedures Specific to their operations SUNY THE STATE UNIVERSITY OF NEW YORK 19

20. Information and Communication 13. Uses relevant information 14. Communicates internally Systems that capture, process and generate relevant data/reports Financial Management Systems Human Resource Systems Statewide Financial System Business Intelligence Dashboards Updates or new applications Go through a test environment Any malfunctions are resolved prior to production Accuracy of transactions and information Internal and external websites Provide access to policies and procedures (and other relevant information) SUNY/Campus internal control webpages Standing Committees of the Board Presentations/reports on the Internal Control Program to the Audit Committee Presentations to SUNY/Campus leadership, management and staff Newsletters and e-mail announcements Internal Control (and other financial/operational) e-mail list-serves SUNY THE STATE UNIVERSITY OF NEW YORK 20

21. Information and Communication 15. Communicates externally Communicate with external parties (e.g., vendors, relevant stakeholders, accreditation entities) and Federal and state agencies (e.g., US ED, OSC, DOB) Formal and informal meetings (e.g., audit engagements, academic accreditation and financial aid program reviews, vendor compliance with procurement and payment requirements) Annual internal control certifications Board - Audit Committee Meetings Announced and opened meetings Press releases and announcements to the public Audited financial statements available on the SUNY public website Open Group Discussion: Shared Best Practices and/or Guidance What are examples of how your organization 13. Uses relevant information 14. Communicates internally 15. Communicates externally SUNY THE STATE UNIVERSITY OF NEW YORK 21

22. Monitoring 16. Conducts ongoing and/or separate evaluations OSC AP Advisory 28: Certifying Controls over the Agency s Payment Process Annual certification to the OSC Voucher authorizers' designation process, The payment process (e.g., SODs, User Access, etc.,) A segment of the payment process or a focus area Required: State-operated campuses (including SUNY SA) required Complete and submit to SUNY SA SUNY submits one consolidated Certification to the OSC. SFS Annual User and Role Validation Annual assessment of controls over security access to the SFS (e.g., user access and role assignments) Involves three individuals to complete (1)Campus Security Administrator, (2) Compliance Reviewer, (3) Financial Certifier Required: State-operated campuses, Statutory Colleges and SUNY SA Separately complete within the SFS. NYS Internal Control Act Annual completion and submission to the Division of the Budget (DOB) Agency s level of compliance with the requirements of the Internal Control Act. Required: State-operated campuses, Statutory Colleges complete and submit to SUNY System Admin (SA). SUNY submits one consolidated Certification to the DOB. SUNY THE STATE UNIVERSITY OF NEW YORK 22

23. Monitoring 16. Conducts ongoing and/or separate evaluations, cont., 17. Evaluates and communicates deficiencies SUNY Office of the University Auditor External audits and reviews The NYS Office of the State Comptroller Various University-wide or campus- specific programs and activities SUNY independent external auditors KPMG Conduct annual audit of the University s financial statements NYS independent external auditors - KPMG NYS Single Audit of federal financial assistance programs Communicates deficiencies Corrective actions are communicated to senior unit- level over the reviewed unit/function Plans are developed and implemented Campuses report results SUNY THE STATE UNIVERSITY OF NEW YORK 23

24. Monitoring Open Group Discussion: Shared Best Practices and/or Guidance What are examples of how your organization 16. Conducts ongoing and/or separate evaluations 17. Evaluates and communicates deficiencies SUNY THE STATE UNIVERSITY OF NEW YORK 24

25. SUNY Internal Audit Function Office of the University Auditor To provide independent and objective assurance and consulting services. Aims to evaluate, add value, and improve the effectiveness of SUNY s governance, risk management, and control processes. Purpose & Mission: The mission of the Office of the University Auditor (OUA) is to enhance and protect organizational value by providing risk-based, objective assurance, advice, and insight. OUA is expected to be independent from the operations they are auditing. This independence ensures they can provide unbiased assessments of the processes. OUA must disclose any impairment of independence, in fact or appearance, to appropriate parties. Independence: OUA activities include, but are not limited to, audits, follow-up reviews, consulting engagements, and other independent assessments for the audit committee/management. These activities encompass the adequacy and effectiveness of internal controls, identifying areas of risk, verifying compliance with policies and regulations, and suggesting improvements. In all cases, OUA functions only as an advisor, with management responsible for final decisions. Scope of Activities: OUA has a direct line of reporting to the Audit Committee of the SUNY Board of Trustees and has an administrative line of reporting to SUNY System Administration senior leadership. These reporting lines helps maintain independence and ensures that findings are communicated to those responsible for governance. Reporting & Authority: OUA has unrestricted access to all SUNY s and SUNY Campus related entities functions, records, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information. OUA conducts audits throughout the fiscal year as determined by the risk-based annual audit plan. OUA does not preform cyclical audits. Frequency: SUNY THE STATE UNIVERSITY OF NEW YORK 25

26. Auditing Internal Controls Planning: Auditors start by understanding the organization's business processes, objectives, and associated risks. Then identify the key controls that are relevant to each process and objective. Develop a testing plan that outlines the scope, objectives, procedures, and resources required for the audit. Risk Assessment: Auditors assess the risks associated with each control and high-risk controls are usually more scrutinized during testing. Testing Methods: Testing of Control Design - review the design of controls to ensure they are appropriately designed to address risks (i.e., policies/procedures) or Testing of Control Operation - assess whether controls are functioning as intended by performing tests on a sample of transactions/activities (i.e., examining evidence for approvals, adequate documentation, etc.) Sampling: Auditors often use sampling techniques to select a representative subset of transactions or activities for testing. Audit Procedures: Auditors perform various audit procedures based on the nature of the control. For example, they might review authorization records, perform reconciliations, inspect documentation, and simulate scenarios to evaluate control responses. Documenting Findings: Auditors note any deficiencies or weaknesses in the controls, along with the potential impact and recommendations for improvement. Reporting: Auditors prepare a report that summarizes the testing process, findings, and recommendations which is shared with management and the audit committee of the board of directors. Follow-up: Auditors may follow up to ensure that management has taken appropriate actions to address identified control deficiencies. SUNY THE STATE UNIVERSITY OF NEW YORK 26

27. SUNY Internal Audit Process For each internal audit we perform the following: Complete research on the audit area(s) to identify all applicable federal, State, and local policies and procedures, regulations, laws, etc. Meet with SUNY System Administration departments with oversight of the audit area(s), including the Compliance Department and Internal Control Officer Develop a questionnaire to identify existing internal controls, obtain supporting documentation, and gain a better understanding of audit area(s) or any related IT and business systems used Identify and document the general and specific risks, and any mitigating internal controls associated with the audit area(s) and correlate it to our audit program Conduct fieldwork, which includes testing certain internal controls through our audit procedures and documenting our results Issue the audit report to management with our recommendations in serval stages (Preliminary, Draft, and Final) Post Audit Monitoring Quarterly process based on the corrective action implementation dates identified by auditee SUNY THE STATE UNIVERSITY OF NEW YORK 27

28. Auditing of Internal Controls Open Group Discussion: Shared Best Practices and/or Guidance What are examples of how your organization: Audit internal controls Assess risks of audit area(s) Sampling techniques Document results Follow-up SUNY THE STATE UNIVERSITY OF NEW YORK 28

29. Thank You