Internal Controls

Policy Information
Policy TitleInternal Controls
Responsible OfficeRisk Management and Administrative Compliance
Policy TypeLegal and Compliance
Policy Number904
Last Revision Date2/6/2024

The Internal Control Act of 1987

The Internal Control Act, more specifically referred to as the New York State Governmental Accountability, Audit and Internal Control Act (originated in Chapter 814 of the Laws of 1987, then made permanent in Chapter 510 of the Laws of 1999), is the basis for the Binghamton University Internal Control Program. The Internal Control Act requires that all state agencies, including SUNY institute a formal internal control program.

  1. Internal Controls

    Internal controls are an integral part of each system used to regulate and guide operations. Internal controls are designed to promote performance leading to the effective accomplishment of an organization's goals and objectives.

  2. Internal Control Systems
    Internal controls with a common purpose are grouped together and referred to as internal control systems. Basically, internal control systems are the laws, policies and procedures that affect the daily operations and management of Binghamton University. There are six requirements of the Internal Control Act of 1987 as shown below:
    1. Maintain written internal control guidelines.
    2. Maintain an internal control system for continuous review of operations.
    3. Make a concise statement of policy and standards available to all employees.
    4. Designate an Internal Control Officer.
    5. Educate and train all employees on internal controls.
    6. Evaluate the need for an internal audit function.
  3. Reasonable Assurance
    All internal control systems must provide reasonable assurance that the objectives of the campus will be met in a cost effective manner. Reasonable assurance provides sufficient confidence that internal controls are functioning to ensure the organization will meet its goals and objectives.
  4. The Cost of Internal Controls
    Internal control systems should remain cost effective and not exceed the benefit derived.

Binghamton University Internal Control Office

Eric E. Backlund, Internal Control Officer
Tel: 607-777-7475
email: Eric Backlund (

Tracey Debnar, Internal Control Coordinator
Tel: 607-777-2157
email: Tracey Debnar (

Office Location:
Office of Internal Control
Binghamton University
PO Box 6000
Binghamton, NY 13902-6000
Fax: 607-777-4255

Binghamton University's Internal Control Program 

  1. Binghamton University’s Internal Control Program provides us with a formal mechanism to help identify existing controls and evaluate their effectiveness.There are five specific objectives to Binghamton University’s Internal Control Program. CARES stands for these objectives as described below:
         Compliance with applicable laws and policies
         Accomplishment of the entity’s mission
         Relevant and reliable data
         Economical and efficient use of resources
         Safeguard assets

  2. The foundations of Binghamton University’s internal control systems are the various policies and procedures applicable to its daily operations. Below is a sample of basic foundations that affects all employees of Binghamton University:
         Policies of the Board of Trustees of SUNY
         SUNY Administrative Procedures Manual
         Policy Handbook — Chancellor — SUNY

         Personnel Handbook
         NYS Public Officers Law, Sections 73, 73a, 74, 75, 76, 77 and 78
         Collective Bargaining Agreements (e.g., UUP, CSEA, PEF, Council 82)
         Campus Purchasing Procedures
         Time and Attendance Policy
         Hiring Practices
         Transaction Process

  3.  Segmentation
    The first step in the Internal Control Process is to segment the organization. Segmentation is the process of identifying the program and administrative functions necessary for the campus to carry out its mission. Functions identified through this process are called "assessable units" and provide the framework for the Internal Control Program.
  4. Risk Assessment
    After the campus is segmented into assessable units, each unit's risk is assessed. This process may be done through a self-assessment survey or a one-on-one discussion with the unit manager and the Internal Control Officer or designee. By means of this evaluation, the campus evaluates its susceptibility to conscious or unintended abuses and reduced operational efficiencies. Some of the factors examined in the risk assessment are: inherent risk of the unit, management's attitude toward internal controls, physical location, frequency of review, and the rate of personnel turnover.
    Upon completing a risk assessment, a rating of low, average or high risk is assigned to the assessable unit. These ratings are considered when scheduling internal control reviews.
  5. Internal Control Review
    The internal control review analyzes procedures and policies to insure they are functioning as intended and that they assist the unit in meeting its goals and objectives. Examples of procedures and policies that may be reviewed include: planning activities, program evaluations, the budget cycle, personnel transactions, information systems, cash activities, contract management and capital programs.
    Upon completion of the internal control review, recommendations may be made. The recommendations may require adding, deleting or changing internal controls or procedures for the unit. If recommendations are accepted, a timetable for implementation is agreed upon.
  6. Follow-up
    The final component in the internal control process is follow-up. This step is performed to verify that the recommended actions have been properly implemented and that the unit continues to function as intended.
  7. Preventive and Detective Controls
    1.  Preventive Controls are designed to keep errors or irregularities from    occurring in the first place. They are built into internal control systems and require a major effort in the initial design and implementation stages. However, preventive controls do not require significant ongoing investments.
    2.  Detective Controls are designed to detect errors and irregularities, which have already occurred and to assure their prompt correction. These controls represent a continuous operating expense and are often costly, but necessary. Detective controls supply the means with which to correct data errors, modify controls or recover missing assets.
  8. Standards
    General Internal Control Standards describe what we want to achieve, while Specific Internal Control Standards tell us how to achieve those objectives.
    1. General Standards
      a. Reasonable Assurance: Internal control systems should provide reasonable assurance that the objectives of the organization will be accomplished.
      b. Supportive Attitude: Managers and employees should maintain and demonstrate a positive and supportive attitude toward internal controls at all times.
      c. Competent Personnel: Managers and employees should have personal and professional integrity and maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal controls.
      d. Control Objectives: Internal control systems should help to assure compliance with laws and that the campus meets it goals and objectives.
      e. Control Techniques: These are the means to accomplishing the objectives of the internal control systems (i.e. Specific Internal Control Standards)
    2. Specific Standards
      1. Documentation: Adequate records of all internal control systems, transactions, and events should be maintained.
      2. Records: All transactions and events should be recorded promptly and accurately.
      3. Authorization: All transactions and events should be authorized and executed by persons within the scope of their authority.
      4. Structure: Key duties and responsibilities in authorizing, processing, recording and reviewing transactions should be separated.
      5. Supervision: Adequate supervision must be provided to ensure that internal control objectives are achieved.
      6. Security: Access and accountability to assets and records should be limited to authorized individuals.

Who is responsible and for what? 

  1. All employees are responsible for the following: 
    1. Fulfilling the duties and responsibilities established in their job description and meeting applicable performance standards.
    2. Monitoring their work to ensure it is being done properly.
    3. Correcting errors they identify before work is referred to higher levels for review.
    4. Taking all reasonable steps to safeguard University assets and resources against waste, loss, damage, unauthorized use, or misappropriation.
    5. Reporting breakdowns in internal control systems or suggesting improvements to their supervisor.
    6. Refraining from using their position to secure unwarranted privileges.
    7. Attending education and training programs as appropriate to increase awareness and understanding.
  2. Management, in general, has the following additional responsibilities:
    1. Maintaining an appropriate internal control system in their areas of operation.
    2. Educating staff regarding control activities and encouraging them to be alert to and report any irregularities.
    3. Documenting policies and procedures that are to be followed in performing unit functions.
    4. Maintaining a work environment that encourages employees to understand the purpose of policies and procedures and that supports the maintenance of a positive internal control environment.
    5. Identifying the objectives for the unit and implementing cost effective internal controls designed to meet those objectives.
    6. Regularly testing the internal controls implemented to determine if they are functioning as intended.
    7. Reminding staff to note changes in their immediate internal and external environments, to identify any risks and to report opportunities for improvement.
    8. Listening to employee suggestions concerning the internal control systems.
    9. Particular to the management level, responsibilities are further outlined:

Supervisors: Monitoring all activities and transactions in their unit to ensure that staffs are performing their assigned responsibilities, control activities are functioning properly, the unit is accomplishing its goals, the unit's control environment is appropriate, communication is open and sufficient, and risks and opportunities are identified and properly addressed.

Mid-Level Managers:  Assessing how well controls are functioning in multiple units within an organization, and how well supervisors are monitoring their respective units.

Executive Management

  • Monitoring activities on the major divisions of the organization.
  • Monitoring for the existence of risks and opportunities in either the internal or external environment that might indicate the need for a change in the organization's plans.

Additional References

Office of Internal Control