Internal Controls Policy

The University at Buffalo (UB, university) is committed to a strong system of internal controls focused on accountability and oversight of operations to reasonably assure that the university:

• Meets its mission
  
• Promotes performance leading to effective accomplishment of objectives and goals
• Safeguards assets
• Provides accurate and reliable financial and other key data
• Promotes operational efficiency and economy
• Encourages adherence to applicable laws, regulations, policies, and practices

An effective system of internal controls is supported by best practices including, but not limited to:

• Segregation of Duties – To prevent the occurrence of undetected errors or fraud, responsibilities must be divided so that one individual does not control all aspects of a transaction.
• Safeguarding Assets – Assets and records must be kept secure at all times to prevent unauthorized access, loss or damage. The security of assets and records is essential for accurate operations.
• Safeguarding Confidential Information – Ensure the security and confidentiality of personal and private information, protect against any anticipated threats to its security or integrity, and guard against unauthorized access and use.
• Review and Approval – Review and approval of internal processes should be obtained from a knowledgeable and independent party.
• Timeliness – Make all efforts to meet prescribed deadlines and prioritize critical work to avoid fines and negative impacts on operational processes.
• Documentation – Provide evidence for transactions to support accuracy and consistency.

The university’s internal control program is a system of accountability and includes all the plans and actions that assure reasonable control over university operations. Control activities, which occur throughout the organization at all levels and functions, help ensure that necessary actions are taken to address risk while achieving the university’s objectives. Internal controls are owned by the individuals performing the university’s operations and every employee is responsible for ensuring that the program is effective in achieving the university’s mission. Employee competence and professional integrity are essential components of a sound internal control program.

While internal controls, themselves, are owned by the employees responsible for the control, along with their managers or supervisors, the internal control program is supported at the highest levels of university management. Senior leadership provides guidance and the resources to maintain a successful program. The internal control program is enforced through thoughtful, risk-based assessments.

The university has adopted this policy in accordance with the State University of New York Internal Control Policy and the New York State Government Accountability, Audit and Internal Control Act. In addition, the university follows the Committee of Sponsoring Organizations (COSO) Integrated Framework.

An effective internal control system provides reasonable assurance that the university will achieve its mission. Reasonable assurance is a concept that recognizes the cost of internal controls should not exceed the benefits. Managers must use judgment and estimates to assess cost, benefit, and risk and develop controls that support achievement of department goals and adequately safeguard assets, provide reliable information, and meet compliance requirements.

This policy applies to all university entities.

Effective Control

Management-directed, -authorized, and -monitored performance, which includes periodically comparing actual with planned performance, and documenting these actions to provide reasonable assurance that organizational goals will be achieved.

Internal Control

The integration of the activities, plans, attitudes, policies, and efforts of the people of a department working together to provide reasonable assurance that the organization will achieve its objectives and mission.     

Professional Integrity

Demonstrate behaviors that show a commitment to consistent and willing adherence to guidelines and policies as well as to ethical conduct in support of the mission of the university.

Reasonable Assurance

Errors and other deviations are kept to a tolerable level; for example, in the normal course of their assigned duties, employees will prevent errors or improper acts and will detect and correct them within a reasonable time, thereby mitigating their detrimental effects.

Risk

A probability or threat of damage, injury, liability, loss or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.

• Promote a culture that embraces an effective internal control program.
• Support the internal control program by providing the necessary resources.

• Champion the campus-wide effort to establish, implement, and maintain a system of internal controls and a program of internal control review.
• Evaluate the overall internal control program and risk assessments for applicability to the university’s strategic objectives.

• Review and report on the adequacy of departmental and institutional internal controls.

• Coordinate and communicate all aspects of the university’s internal control program.
• Facilitate documenting an inventory of internal controls in the university.
• Develop and coordinate all policy related to the internal control program.
• Implement an on-going training process for all employees.

(SMEs are identified across the university and specifically in high-risk areas including, but not limited to, Financial Management, Procurement Services, Human Resources, Information Technology, and Athletics)

• Develop, implement, and review internal controls policy and training in their area of expertise. 
• Perform internal control reviews on an ongoing basis.
• Promote the internal control program within their area of expertise to gain consistency in the way the university thinks about risk. 
• Encourage a culture that self-identifies gaps in internal controls and aids in mitigation of the identified risk.

• Establish, maintain, and support an effective system of internal controls within their areas of responsibility. Collaborate with the Director of Business Compliance and Internal Controls, as appropriate.
• Create a control environment that encourages compliance with university policies and procedures.
• Coordinate with the Director of Business Compliance and Internal Controls to periodically review and test the system of internal controls.
• Identify and implement appropriate corrective actions.

• Fulfill the duties and responsibilities established in their performance program.
• Monitor their work to ensure it is done properly and that errors are corrected promptly.
• Follow university and department policies and procedures.
• Safeguard resources against waste, loss, unauthorized use, and misappropriation.
• Attend education and training programs to increase awareness and understanding.
• Report breakdowns in internal control systems to their supervisor.