Internal Controls

What Are Internal Controls?

Internal controls are actions taken to help an organization achieve its mission. Good controls safeguard assets, promote efficiency, encourage compliance with laws and regulations, provide reliable information and seek to eliminate errors, fraud and abuse.

SUNY Empire State College’s internal control program is designed to ensure the college has a system of accountability and oversight of its operations to assist the college in obtaining its goals and objectives.

College Internal Control Officer

  • Internal Control Officer (Vice President for Administration)
  • Office of Administration oversees the internal control function for the college
  • responsible for internal control program and related reporting
  • responsible for internal control assessments, reviews and testing
  • responsible for providing applicable training to college employees

The New York State Governmental Accountability, Audit and Internal Control Act (1999) requires that all state agencies institute a formal internal control program.

Internal Controls

  • involve all employees at all levels
  • impact every aspect of a department, center or unit
  • are woven into the day-to-day responsibilities of mangers and staff
  • must make sense within each department's, center's or unit's unique operating environment
  • are effective when people work together
  • provide accountability.

Examples of Internal Controls

  • protecting computer systems with IDs and passwords
  • fire drills for safe evacuation in the event of an emergency
  • supervisory oversight and review to assist staff in doing their jobs
  • securing access to confidential data by locking doors and cabinets and encrypting personal information data
  • reviewing bills or procurement card statements prior to approving for payment
  • shredding documents containing sensitive data.


Both management and employees have their own specific responsibilities related to the college’s internal controls. Internal controls depend on the participation of all employees at every level. Employee competency and professional integrity are essential components of a sound internal control program. Managers have a significant impact on an organization’s system of internal controls and the environment that the program functions in. 

Employee Responsibilities

  • successfully fulfilling the duties and responsibilities of their job as defined in the performance program or job description
  • meeting appropriate performance standards
  • taking responsible steps to safeguard assets against waste, loss, unauthorized use and/or misappropriation

Management’s Responsibilities

  • maintaining an office environment that encourages internal controls. Also known as “tone at the top,” meaning managers set the tone for the expectations related to the internal control program and encourage and promote those expectations
  • documenting policies and procedures to be followed
  • identifying control objectives with cost effectiveness in mind
  • regular testing and reporting on internal controls.

Cost – Benefit

A good internal control program also needs to be cost effective. The cost of the applicable controls should make sense from a cost/benefit perspective. It is not desirable to have a program that is too complicated or too costly to the organization.


  • risks are conditions or events that threaten or impede an organization's ability to achieve its objectives and mission
  • major categories of risk include:
    • financial
    • operational
    • legal
    • technology
    • strategic/market
    • reputation.

Assessment, Reviews and Reporting

The internal control officer or designee is responsible for:

  • establishing policies and procedures necessary to identify what safeguards to put in place and how to monitor them
  • ensures that controls are working properly
  • risk assessment and internal control reviews
  • prompt remedial action on control weaknesses identified in internal reviews and audits
  • annual certification of internal control programs.

Risk Assessment/Management

  • the internal control officer identifies potential risk by functional area through a risk-assessment process
  • identifies specific functional areas
  • identifies risks associated with each functional area
  • measures risk (high, medium and low) based on likelihood and impact on the organization
  • manages and minimizes risk by implementing policy and procedure to avoid or reduce the impact of risk
  • performs test of controls through periodic internal control reviews.