University at Albany Internal Control Program

Employee Training

Internal Control Officer: Steve Beditz Internal Control Coordinator: Darri Scalzo

NOTE: This PowerPoint presentation is designed for the slides to advance automatically. However, you may still right click with your mouse and click on next or previous if you find it necessary to advance or repeat a slide.

ObjectiveBrief overview of internal controls - what they are and why we need them

Why Internal Controls?It is the LAW!The NYS Governmental Accountability,Audit and Internal Control Act of 1987Also called the Internal Control ActMade permanent in Chapter 510 of Laws of 1999Requires all state agencies, including SUNY campuses, to institute an internal control program

Why Internal Controls?It is the LAW!The Division of Budgets Budget Policy and Reporting Manual Item B-350, Governmental Internal Control and Internal Audit RequirementsRequires all state agencies to perform certain internal control responsibilitiesRequires all state agencies to certify each year that they are in compliance with these internal control requirements and the Internal Control Act.

History of Internal Controls at UAlbanyInternal Control Program on campus since 1989, but not very far reaching in the late 1990s and early 2000s.Nearly found non-compliant in spring 2005Program revamped, Steering Committee appointed, action plan put into place as required by System AdministrationCurrently in second phase of action plan Employee training and internal control reviews

Definition of Internal Controls Internal controls are the integration of the activities, plans, attitudes, policies, and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its mission.

Examples of Internal Controls Used Every DaySeparating duties among employees so that no one employee controls all aspects of any transaction or processLocking office doors each eveningTraffic lights and stop signs located at each intersectionPainted signs or stickers on glass doors and plate glass windows

In work environments, we use the term Internal Controls because:They are used to ensure that our internal operations work the way we want so that we accomplish what we wantThey are managed and used by people within the organizationThey are built into our work activities

Internal Controls help us to:Operate effectively and efficiently - or in other words to do the right things in the right way Provide quality products and servicesEnsure that we comply with all applicable laws, regulations, policies, and contracts Protect our assets and resourcesDevelop, maintain, use, and provide data that is accurate and reliable

Internal Controls help protect us from risks - the things that could go wrong and prevent us from accomplishing our goals

Internal Controls and Risk ManagementFirst we must identify our goalsThen we need to determine what could go wrong in trying to achieve those goals - those things are RisksNext we decide how to manage those risksImplement internal controls to decrease the chance that something will go wrong; ORLive with the risk

Internal Controls - What we use to decrease risks and help make sure things happen the way we want

People doing things

Things put into place by people

Internal Controls - What we use to decrease risks and help make sure things happen the way we want

Preventive - stop unwanted events from happening

Detective - identify unwanted events that have occurred

Examples of Internal ControlsPreventiveSegregation of duties - dividing responsibilities so that no one person controls an entire activity and thereby could cause and conceal errors or fraudSafety procedures - precautions taken to help prevent accidents DetectivePhysical inventories - inspect assets on hand and match to assets recorded in the books to detect any missing itemsSupervisory reviews - review of work performed to detect any errors

Why Internal Controls?Good Business Sense

In order to succeed, an organization must manage its operations effectivelyInternal controls provide reasonable assurance that an organization meets established objectives and goalsInternal controls decrease the risks to an organization

What if we do not have Effective Internal Controls?

We could fail to meet our goals and objectives We might violate laws or regulations We may lose assets and/or opportunities

Can Things Really Go Wrong Here?Unfortunately - Yes! They can and have.

In the past few years, there have been a number of disciplinary and legal situations on campus that at their core involved a breach of internal controls.

Recent Examples of Internal Control Breaches at UAlbany

1. An employee falsely claimed to be going on a business trip and signed out a state vehicle for that trip. He actually went to visit family, and got into a car accident in the state vehicle. He attempted to cover it up but the vehicle was damaged and an investigation revealed there was no business purpose for the trip or vehicle use.

Recent Examples of Internal Control Breaches at UAlbany

2. An employee used a state vehicle to go off campus to dine without the knowledge or approval of his supervisor. The employee also did not use break time but rather stayed on the clock while dining off campus.

Recent Examples of Internal Control Breaches at UAlbany

3. State owned property and equipment is for official University business only. Several instances of inappropriate use of state assets have been uncovered, including use of fax machines and copiers to support a political candidate and use of laundry equipment for personal wash.

Recent Examples of Internal Control Breaches at UAlbany

4. Employees who are on the clock are expected to be working as they are being paid by the state to work. Several recent cases have arisen of employees being caught sleeping on the job either by other employees or by students.

Recent Examples of Internal Control Breaches at UAlbany

5. Employees are expected to be honest on their job applications, but supervisors must thoroughly check references and backgrounds before hiring an applicant. One employee checked on his application that he had never been convicted of a felony but then was overheard remarking that he had. An investigation revealed that he had in fact been convicted and falsified his application.

Recent Examples of Internal Control Breaches at UAlbany

6. Reports containing personal identifiable information for students were being left in recycling bins without any assurance or guarantee that the information was being shredded or properly secured before disposal.

Internal Controls are IMPORTANT for every area of the University

No matter how big or how small the department isNo matter whether or not the department handles moneyNo matter whether or not the department handles confidential information

Who has a role in Internal Controls?

Everyone!

Who is responsible for Internal Controls?Every employee has the responsibility to help ensure that internal controls are effective by following controls and reporting problems or suggesting improvementsThe greatest amount of responsibility rests with deans, department chairs, and managers to assure appropriate controls are in place for all operationsThe President has the ultimate responsibility, and must sign the annual certification that UAlbany is in compliance with the Internal Control Act

What can you do?Follow the policies and procedures in place for your job.Always lock the door when you leave.Keep documents containing confidential or sensitive data in secure files.Shred documents containing confidential or sensitive data when no longer needed.

What can you do?Save files containing Personal Identifiable Information on your departmental drive, not your PCs hard drive.Do not share or post computer passwords.Always turn off your computer when you leave for the day.Use password-protected screensavers.Do not download any free items or software from the Internet.

What can you do?Communicate problems with current procedures or suggestions for improvement to your supervisor.Report any suspicious persons or activities to your supervisor, to the Internal Control Coordinator, or to the Internal Control Hotline.

Internal Control Program Contacts

Darri Scalzo, Internal Control CoordinatorPhone: 956-8092E-mail: dscalzo@uamail.albany.eduhttp://www.albany.edu/internalcontrol/

Other Important ContactsMartin Manjak, Information Security OfficerPhone: 437-3813 E-mail: mmanjak@uamail.albany.eduhttp://www.albany.edu/its/besecure.htm

Janet Thayer, Associate CounselPhone: 956-8050E-mail: jthayer@uamail.albany.edu

Internal Control HotlineConfidential and anonymous means ofreporting observed or suspected wrongdoing,maintained by the Office of Audit and Management Services.

437-4738ichotline@uamail.albany.eduhttp://www.albany.edu/ichotline/

To provide an audit trail of who has received this state-required Internal Control training, please click on the link below and complete the attached form before closing this presentation.www.albany.edu/internalcontrol/ICTrainingRecord.shtml

Thank you for your participation! Please note that the link may not work if you are using a browser other than Internet Explorer. In that case, you can copy and paste the link directly into your web browser.

Welcome to the University at Albanys online training program on internal controls. My name is Darri Scalzo and I will be walking you through the program. On behalf of our Internal Control Officer, Steve Beditz, I would like to thank you in advance for participating in this training.The objective of this state-required internal control training is to give each employee a brief overview of what internal controls are and why we need them.The New York State Governmental Accountability, Audit and Internal Control Act was passed in 1987 with a 10 year sunset provision. The Legislature made it permanent effective January 1, 1999. The Act requires all state agencies, including SUNY campuses, to institute and maintain an internal control program.

Additionally, the Division of Budget sets forth internal control requirements in their Budget Policy and Reporting Manual, and requires all state agencies to certify, on an annual basis, that they meet those requirements. Failure to certify will result in administrative penalties that limit our flexibility to operate, and also will reflect negatively on the campus.The Chancellor submits the certification to DOB on behalf of all SUNY campuses, but prior to submitting that certification, the Chancellor requires that the President of each campus submit a certification to him.

Although our campus has had an internal control program since around 1989, it had not been very far-reaching, especially in recent years, and we were nearly found non-compliant in certification process of spring 2005. Then President Hall responded to the deficiencies in March 2005 by moving responsibility for the internal control program to Kathy Lowery and Leo Neveu, and by appointing a high level steering committee. The charge was to revitalize the internal control program and bring UAlbany into full compliance with the law. Due to our tenuous certification in March 2005, System Administration required the campus to develop a specific action plan by which we would get into full compliance. System Admin specified the action steps, the first phase of which included segmenting the University into its assessable units and conducting vulnerability assessments. We completed that first phase in December 2005, and are now well into the second phase, which is employee training and internal control reviews of the various units. Many of you may have participated in internal control training previously, but the state recently updated its requirements to now state that employee training must occur every 2 years. Managers are also required to be trained every 2 years. To back up just a bit, exactly what are internal controls? Although it is what typically first comes to mind, internal controls are not restricted to just accounting or auditing functions, and do not apply only to financial transactions. Internal controls are much broader than that, and in fact should apply to and impact every aspect of our operations. In fact internal controls have been defined as:The integration of the activities, plans, attitudes, policies, and efforts of everyone working together to provide reasonable assurance that the University will achieve its mission. So hopefully, other than a paycheck, that is why we all come to work each day. We come in and work together with other people toward a common goal or objective. To reach those goals, we have various processes and procedures that we follow to help ensure everything goes as we intend. Those things are internal controls!While we may not think of the daily processes we use as internal controls, internal controls are things that we all do every day. Just to give a few examples of internal controls to which we can all relate: 1. Separating duties among employees so that no one employee controls all aspects of a transaction or process,2. Locking the office doors each evening to protect the equipment and files contained in the office3. Traffic lights or stop signs at each intersection to control the flow of traffic and prevent accidents4. Stickers or painted signs on glass doors or plate glass windows to prevent people from walking through them

In work environments and operations, the term internal controls is used because the controls are:Meant to ensure that our internal operations work the way we want so that we accomplish what we wantManaged and used by people within the organizationBuilt into our daily activitiesThe purpose of internal controls are to help us:1. Promote efficient and effective operations ensuring we do the right things in the right ways2. Produce quality products and services to better serve our students and community3. Ensure adherence to laws, regulations, policies, contracts, and management directives4. Safeguard resources and assets from loss, either from mismanagement or from theft5. Develop and maintain reliable data, and accurately present that data in timely reportsInternal controls also help us protect ourselves from the various things that could go wrong and thereby prevent us from achieving our goals. These things are called Risks.Internal controls help us to manage our risks. First, we must identify our goals. Then we must determine what our risks are what could go wrong and keep us from achieving those goals. Next, we must decide how to manage those risks. We can either decide that we should implement some internal controls to decrease the probability that the risk will occur, or we can decide that we can live with the risk. If the likelihood of the risk happening is low and the cost of implementing controls to prevent that risk are high, we probably will decide to live with the risk. On the other hand, if the likelihood that the risk will happen is high and the cost of implementing controls to prevent that risk are relatively low, we should implement internal controls to help prevent that risk from happening.The purpose of internal controls is to protect ourselves and our operations from risks and to help make sure that our operations proceed in the way that we want. Internal controls can either be people doing things, such as supervisory reviews or authorizations. Or, they can be things put into place by people, such as password protected screensavers on computers or locked file cabinets. Internal controls can also be Preventive in that they stop unwanted events or actions from happening; or Internal controls can be Detective in that they identify unwanted events or actions that have occurred.Some examples of Preventive Internal Controls are:

Segregation of duties which is dividing responsibilities among employees to prevent any one employee from controlling an entire activity, process, or transaction and thereby having the ability to both cause and conceal errors or fraud.Safety procedures the precautions taken to help prevent accidents

Some examples of Detective Internal Controls are:

Physical inventories the process in which assets on hand are inspected and matched to the assets recorded on the books to help detect any missing assetsSupervisory reviews a supervisors review of their employees work to ensure the work is appropriate and to detect any errors Not only are internal controls required by state law, they are also plain good business sense. We must be able to manage our operations effectively and efficiently in order to succeed, and internal controls help us do that. They are the policies and procedures, ethics and attitudes, we have in place to provide reasonable assurance that we can meet our goals and objectives, as well as protect ourselves from risk.If we do not have effective internal controls in place, we could fail to meet our goals and objectives. We might also violate laws or regulations. Both of these situations would lead to bad publicity and lower credibility in the community as well as with the state and other regulatory agencies to whom we must report. A lack of internal controls could also result in our losing assets and/or opportunities, which would leave us with even less than we currently have with which to work.

You may be thinking still that this doesnt apply to me, that nothing bad could ever happen here. Unfortunately bad things can and have happened here, in just about every area of the campus. In the past few years, there have been a number of disciplinary and legal situations at the University that at their core involve breaches of internal controls. In many such cases, the employee in question was terminated. Several cases also resulted in the arrest and prosecution of the employee. UPD and the District Attorneys Office were involved in many of the situations, and the media also publicized some of the situations. None of us want the University to be in such a bad position. In most cases, implementing proper internal controls can help prevent these situations. Just a few examples of these from the past few years are included in this presentation. In the first example, an employee falsely claimed to be going on a business trip and signed out a state vehicle for that trip. In fact, he went to visit family and while on that personal trip had a car accident in the state vehicle. He attempted to cover up the improper use of the vehicle but it was damaged in the accident. An investigation revealed that there was no business purpose for the trip or vehicle use.In our second example, another employee also misused a state vehicle. In this case, the employee used a state vehicle to go out to eat off campus without knowledge or approval of his supervisor. Not only did he misuse the state vehicle for personal purposes, but he also stayed on the clock while dining off campus and thus misused state time.State owned property and equipment is for official University business only. Our first two examples showed more extreme misuses of state assets, but several other instances of inappropriate use of state assets have been uncovered, including the use of fax machines and copiers to support a political candidate and the use of laundry equipment for personal wash. These instances are also improper and when discovered subject the employee in question to disciplinary actions.Employees who are on the clock are expected to be workingthat is what they are being paid by the state to do. There have been several cases recently of employees being caught sleeping on the job by other employees or by students. Again, these employees are subject to disciplinary actions. Potential employees are expected to be honest on their job applications, but supervisors must thoroughly check references and backgrounds before hiring an applicant. One employee checked on his application that he had never been convicted of a felony, but then was overheard remarking to his coworkers that he had in fact been convicted of a felony prior to being hired by the University. An investigation revealed that he had been convicted and had falsified his job application. He was terminated.Over the past few years in the course of conducting internal control reviews across campus, we have discovered that several offices have large reports containing personal identifiable information of students. In some cases, these reports were being left in recycling bins without any assurance or guarantee that the information was being shredded or properly secured before disposal. In this day and age when identity theft is such big business for criminals, this is not a risk that we can afford to take.Hopefully these situations help to further demonstrate that internal controls are important in every area and aspect of the University, regardless of the size of the office or department, regardless of whether or not the department handles money or financial transactions, and regardless of whether or not the department handles confidential information.Everyone has a role in Internal Controls, from the top executives down to the entry level staff. Each person plays an important part in helping to ensure that our internal controls are effective.

Every employee at every level has a responsibility to follow the internal controls, or the policies and procedures and regulations, in place in their area and to be ethical in their operations. As the front line people doing the hands-on work, the employees are typically in the best position to see and know what really works and what doesnt. As such, they have the responsibility of reporting any problems or weaknesses in the internal controls to their supervisors as well as suggesting improvements they feel would be beneficial.Deans, department chairs, managers and supervisors have even more responsibility as they must make sure that appropriate controls are in place in their area. They should really listen to their co-workers and employees when they report problems or suggest improvements in the internal controls. They should also set the tone for their area with the proper attitude and professional integrity.Finally, ultimate responsibility for the Universitys internal control program rests with the President, and he or she must sign the annual certification to the Chancellor.

There are some simple things that everyone can do every day to help reduce risks and improve internal controls. They are:Follow the policies and procedures in place for your jobAlways lock the door when you leaveKeep any documents containing confidential or sensitive data in secure filesShred any such documents when they are no longer needed

Any electronic files containing personal identifiable information such as names combined with social security numbers should be saved on your departmental drive rather than on your PCs hard drive so that the information will be protected by the Universitys firewall.Do not share your computer passwords or post them in obvious places where others could find themAlways turn off your computer when you leave for the dayDuring the day, use screensavers that are password protected to prevent unauthorized access to your computer while you are away from your deskDo not download any free items or software from the internet as it could contain spy ware or viruses Communicate any problems or inefficiencies with current procedures or any suggestions for improvements in operations to your supervisor Report any suspicious persons or activities to your supervisor, to the Internal Control Coordinator, or to the Internal Control Hotline. The contact information for the Coordinator and the Hotline are included at the end of this presentation.

Hopefully this session has provided you with an introduction to internal controls and you now see, if you didnt before, how and why internal controls are important in your area of operations. If you should have any questions regarding internal controls, my contact information is included here or can also be found on the internal control website at http://www.albany.edu/internalcontrol/.

Marty Manjak, the campus Information Security Officer, and Janet Thayer, Associate Counsel for the University, have been working closely with me in conducting internal control reviews as well as other activities to promote internal controls on campus. Contact information for each of them is included here should you have any questions or issues for them.As one final note, I wanted to mention that the Office of Audit and Management Services maintains an Internal Control Hotline as a confidential and anonymous means of reporting observed or suspected wrongdoing. The contact information for that hotline is also included here and on our website.

The campus will be audited on whether or not we have provided internal control training to all employees. To ensure that your participation is recorded, please click on the link below and enter your name and department information. If the link does not work, please try entering the address directly into your browser. Thank you again for your time.