Stony Brook University

Campus Internal Control Program Manual


Throughout the 1980s, New York State Government grappled with the problem of increasing the accountability of State government. One factor contributing to the increased emphasis on accountability was the continuing need to deliver more services with proportionally fewer resources; in other words, an increased emphasis on improved productivity. The limited availability of resources produced a climate in which inefficient and ineffective programs came under greater public scrutiny. Instances of waste and fraud in public programs added fuel to the movement toward increased accountability.

For many years, the existence of excessive State regulations and overemphasis on accounting controls at the expense of program outcomes hampered Stony Brook’s efforts to improve its overall management. One such example was the heavy dependence on manual pre-audits as the primary accounting control. The result was excessive delays and additional costs due to late payments to vendors and added burdens placed on State employees.

The passage of several waves of flexibility legislation in the 1980s and 1990s successfully culminated a long struggle by SUNY to reduce aspects of State bureaucracy that inhibited its ability to carry out its varied missions effectively. However, this increased authority also placed greater responsibility on campuses to establish local controls that provide adequate levels of accountability and to ensure that they continue to operate as intended. In addition, increasingly decentralized organizational structures and delegations of authority place greater responsibility on individual managers to ensure appropriate levels of control within their own divisions and departments and that these control activities are properly communicated and coordinated across organizational units.

A major step toward improved accountability in State government occurred in 1987 when the New York State Legislature passed the New York State Accountability, Audit and Internal Control Act (“Accountability Act”) requiring all State agencies, the Legislature, Judiciary and public authorities to establish internal control programs.

For the many State agencies, such as the State University of New York (SUNY), that had already established systems of internal control and internal audit functions, the Act did not intend to duplicate or replace these functions, or to add more bureaucracy. Rather, it intended to outline the internal control responsibilities of all State agencies and to provide common guidelines for establishing, coordinating, operating and monitoring their internal control programs.

The implementation of the Accountability Act at Stony Brook intends to emphasize both performance and accountability. Stony Brook wants each manager to understand that it is his/her responsibility to seek ways to identify and to eliminate wasteful controls that impede performance and to strengthen those controls designed to provide accountability and to preserve campus assets and scarce resources.


The New York State Governmental Accountability, Audit and Internal Control Act, Chapter 814 of the Laws of 1987, requires that all State agencies, the Legislature, Judiciary, and public authorities develop a system of internal controls. As a State agency, the State University of New York (SUNY) and its campuses must comply with this Act. In Budget Bulletin B-350, the New York State Division of the Budget further required that the State University of New York, and its campuses, establish and maintain guidelines for a system of internal controls. In addition, each campus is to implement the policies and practices needed to assure that the University and its state operated/funded campuses meet their mission, promote performance leading to effective accomplishment of goals and objectives, safeguard assets, check the accuracy and reliability of financial and other key data, promote operational efficiency and economy, and adhere to applicable laws and regulations.

Stony Brook University affirms its commitment to implement the provisions of the New York State Governmental Accountability, Audit and Internal Control Act, Chapter 814 of the Laws of 1987.


Internal controls are an integral part of any organization’s financial and business policies and procedures. Internal controls consist of all the measures taken by the organization for the purposes of:

  • Protecting its resources against waste, fraud and inefficiency;
  • Ensuring accuracy and reliability of accounting and operating data;
  • Ensuring compliance with the policies of the organization and applicable laws and external regulations;
  • Evaluating the level of performance in all organizational units of the organization.

Internal controls are the steps taken by the University to provide reasonable assurance that it functions in an efficient and appropriate manner consistent with its policy and programmatic objectives and applicable laws and regulations. Internal controls encompass the operating practices, reporting relationships and procedures that Stony Brook adopts to achieve management's policy goals and objectives and to avoid loss or misuse of assets.

Internal controls are the methods used to successfully organize and manage the University’s daily operations – in effect, its standard operating procedures. Internal controls are an integral part of the operating procedures management uses to reach its objectives and prevent undesired actions. Therefore, internal controls are the ultimate responsibility of management.

Examples of internal controls within the University include: procedures used to adequately receive, record and deposit revenue; payroll practices to prevent the processing of fraudulent paychecks; security measures to prevent unauthorized access to buildings, property, files or information systems; accounting systems and data processing procedures used to accurately record information; and the University’s decision-making structure to assure appropriate levels of policy review and approval. The intent of internal controls is to minimize the potential loss, misuse or unauthorized use of the University’s assets, resources or equipment.

Important concepts concerning internal controls are:
  • Internal control is a process. It is a means to an end, not an end itself.
  • Internal control is effected by people. It is not merely policy manuals and forms, but people functioning at every level of the institution.
  • Internal control is geared to the achievement of objectives in several overlapping categories.
  • Internal control only provides reasonable assurance to an institution’s leaders regarding achievement of operational, financial reporting and compliance objectives.

To put it simply, internal controls are an exercise of common sense. You are practicing good internal controls when you:

  • Balance your checkbook
  • Save for a car or retirement
  • Keep copies of your tax return
  • Compare your monthly credit card statement to the credit card receipts
  • Lock your car doors

Internal control consists of the following five interrelated components:

Control Environment- The control environment sets the tone of an organization, influencing the control consciousness of its employees. Control environment factors include the integrity, ethical values and competence of the employee; management’s philosophy and operating style; the manner by which management assigns authority and responsibility, and organizes and develops its employees; and the attention and direction provided by the University. Remember, the core of any educational institution is its people.

Risk Assessment- Management must be able to identify, analyze and manage any risk that prevents them from achieving their objectives. Basically, you should ask yourself what could go wrong and what assets you need to protect. Risk will increase during a time of change (e.g., personnel turnover and adding a new service).

Control Activities- These are the policies and procedures that help to ensure that actions necessary to achieve the University’s objectives are effectively carried out. These policies and procedures should be formalized and communicated to employees. Examples of controls are documentation, separation of duties, authorization and approval, verification, review of operating performance, physical control, reconciliation, training and guidance, and monitoring. Remember that when determining whether a particular control should be implemented, the risk of failure and the potential effect must be considered along with the cost of establishing the control. Excessive control is costly and counterproductive. Too little control presents undue risk. There should be a conscious effort to arrive at an appropriate balance.

Information and Communication- These allow the University’s employees to identify, capture and exchange pertinent information in a form and timeframe that enable people to perform their duties. This includes not only information systems reports but also the day-to-day communication among employees, supervisors and senior management. Remember, information and communication must flow up and down the organization and across departments and divisions.

Monitoring- Controls put in place must be periodically reviewed and assessed to ensure that they are effective and adequate. This is done through ongoing monitoring and separate evaluations of internal controls.


The New York State Governmental Accountability, Audit and Internal Control Act of 1987 was designed to create a process by which internal controls for public state bodies are reviewed and modified as needed and to ensure that such bodies have available the capacity to conduct internal audits to verify that these controls have been properly implemented and followed.

The Act requires State agencies to perform the following internal control responsibilities:

A. Establish and maintain for the campus/college guidelines for a system of internal controls.

Stony Brook University’s system of internal control integrates the activities, plans, attitudes, policies, skills and efforts of its employees working together to provide reasonable assurance that the University will achieve its objectives and mission.

The effectiveness of the University’s system of internal control in assuring the achievement of goals depends upon clearly articulating and communicating Stony Brook’s mission and objectives to employees as well as providing employees with the direction and information that allow them to understand their individual responsibilities and priorities and how they relate to that mission. Essentially, they need to know what the University’s goals are, what the University expects of them in their position and the appropriate means for achieving it, and how their performance will be measured and evaluated.

Stony Brook articulates its mission and objectives in several key documents, including: the University’s Mission Statement and the University’s Five-Year Plan. The annual Accomplishments Report on the Five Year Plan ensures accountability for completing the initiatives contained in the Plan, providing assurance that the University is moving towards its goals. Stony Brook communicates these goals and accomplishments to employees through a variety of mechanisms, including new employee orientation, publications and campus wide events such as the President’s State of the University Address. These documents are readily available on the University’s Website.

New employees attend a general orientation session intended to provide them with information concerning the University’s missions, goals, policies and practices. As part of this general orientation, employees receive a brochure containing information on the University's internal control program. The brochure also contains a letter from the President that emphasizes the importance of and the University’s commitment to internal controls and the responsibility of each officer and employee for effective internal controls.

In addition, employees receive a departmental orientation and ongoing training that provide them with more specific information concerning their responsibilities, priorities and the basis for measuring performance. The University has implemented several training programs that assist managers in this area.

B. Establish and maintain for the campus/college a system of internal controls and a program of internal control review. The program of internal control review shall be designed to identify internal control weaknesses and identify actions needed to correct these weaknesses.

Stony Brook University maintains a system of internal controls consistent with the requirements of external agencies and guidelines developed internally to ensure proper safeguard of University assets, effective and efficient performance of campus programs and activities, achievement of objectives and attainment of its mission.

Stony Brook has established an organizational structure, and a system of policies, procedures and internal controls intended to govern the effective conduct of University business and protect campus assets from loss due to wasteful practices, fraud and abuse.

There are a number of key documents that contain policies, procedures and practices that govern the operation and conduct of Stony Brook and its employees. In addition, various functional areas on campus have specific documents that more narrowly focus on internal controls relating to key aspects of their operation. Taken together, these documents are an integral part of the internal control system (administrative controls) that governs the operation of individual departments throughout the campus.

  • Policies of the Board of Trustees of SUNY
  • SUNY Administrative Procedures Manual
  • Policy Handbook - Chancellor - SUNY
  • Stony Brook Mission Statement
  • Stony Brook Five-Year Plan
  • Stony Brook Policy and Procedures Manual
  • NYS Public Officers Law, Sections 73, 73a, 74, 75, 76, 77 and 78
  • Collective Bargaining Agreements (e.g., UUP, CSEA, PEF, Council 82)
  • Stony Brook Faculty/Staff Digest

Managerial policies and standards for the performance of specific functions are articulated in administrative manuals, employee handbooks, job descriptions, and applicable policy and procedure manuals. Employees are informed of the existence, importance and location of the applicable policies and procedures and are provided with reasonable and convenient access to such materials.

There are other important documents that should be available to those managers whose activities involve the Research Foundation and the Hospital (University Hospital Administrative Policies and Procedures Manual).

The University expects operating managers to develop and continuously assess internal procedures that ensure proper internal control and management of their day-to-day operations. In summary, management is responsible for:

  • Acknowledging that utilization of internal controls is an inherent part of a manager’s responsibility, not a new or additional function.
  • Assuring that internal controls are supportive of and consistent with the operating mandate and philosophy of the University at Stony Brook.
  • Developing goals and objectives that are consistent with those established for Stony Brook. Each manager’s action should be coordinated as part of the overall University at Stony Brook internal control effort.
  • Continuously monitoring the environment within which her/his program operates to identify required adjustments in Stony Brook's internal controls.

C. Make available to each officer and employee of the campus/college a clear and concise statement of the generally applicable management policies and standards with which the officer or employee of the campus/college shall be expected to comply.

A key aspect of internal control is providing staff with clear directions and information relating to “what is expected of them”. Specifically, they need to know their individual responsibilities, priorities and how their performance will be measured and evaluated. In addition, people need a sense of understanding of the organization’s missions, specific goals, policies and practices.

New employees attend a general orientation session intended to provide them with information concerning the University’s missions, goals, policies and practices. As part of this general orientation, employees receive a letter from the campus President that identifies the generally accepted management policies and standards pertinent to the employee and makes specific reference to the following:

  • Job description of the employee’s position
  • Employee’s performance program, if applicable
  • The Public Officers Law (relevant sections)
  • Policies of the Board of Trustees, where applicable
  • Pertinent collective bargaining agreement, where applicable
  • Other policies generally applicable to all employees

The letter emphasizes the importance of effective internal controls and the responsibility of each officer and employee for effective internal controls.

D. Designate an internal control officer, who shall report to the head of the campus or to their designee within the executive office, to implement and review the internal control responsibilities established by the Act. The designation of the internal control officer should also be communicated to employees.

Since internal control systems should be ingrained into the fabric of the University’s operations, those individuals responsible for day-to-day operations and management decisions must assume the continuous responsibility for assuring the adequacy of the internal controls. At the same time, each manager’s internal control responsibilities should be coordinated as part of the University’s overall internal control effort. To facilitate this coordination, the Act requires the University to appoint an Internal Control Officer.

The Internal Control Officer is not solely responsible for carrying out the University’s Internal Control Program but coordinates responsibilities among appropriate campus personnel, oversees those activities as part of an overall internal control effort and ensures that the Program meets the requirements of the Act.

Activities to be coordinated through the Internal Control Officer include, but need not be limited to:

  • Organizing and coordinating the internal control program;
  • Compiling an inventory of existing internal controls;
  • Identifying internal control weaknesses and implementing necessary corrective actions, including the findings and recommendations of internal and external audits;
  • Updating, revising, and preparing internal controls to reflect current programs, procedures, and policies;
  • Compiling statements of management policies and standards;
  • Identifying internal control training requirements; and,
  • Conducting vulnerability assessments and internal control reviews.

Stony Brook University has designated a campus Internal Control Officer, who reports directly to the campus President and is an individual with sufficient authority to act on behalf of the President in implementing and reviewing the University's Internal Control Program. This individual has a broad knowledge of agency operations, personnel, and policy objectives.

To protect the integrity of the internal audit function, the internal control officer is not organizationally assigned to the audit department, does not conduct internal audits and does not act in the capacity of an internal auditor.

E. Implement education and training efforts to ensure that officers and employees of the campus/college have achieved adequate awareness and understanding of internal controls and, as appropriate, evaluation techniques.

Stony Brook recognizes that an effective system of internal control requires the organization to have competent staff with the skills and knowledge necessary to accomplish their assigned duties.

The University engages in continuing efforts to provide training, professional and personal development opportunities to University employees. Stony Brook’s training and development programs are under the direction of a training manager within the Office of Human Resource Services. Specific training initiatives include: implementation of the “Connections” program focused on improving customer service, development of a performance management program aimed at improving employee/manager communications and enhancing the quality of written performance programs and evaluations and the continuation, expansion and refinement of the “Getting Things Done at Stony Brook” training program.

F. Periodically evaluate the need for an internal audit function.

The University at Stony Brook has long recognized the importance of the internal audit function as a means of safeguarding Stony Brook’s assets and reducing the risk that assets are lost due to wasteful practices, fraud and abuse.

The University has established an internal audit function. The University Internal Audit Department conducts an ongoing program of audits of University activities to monitor, test and report on Stony Brook’s internal controls. The Director of Internal Audit reports directly to the campus President.


A general principle applicable to all managers and employees is that they are to have personal and professional integrity. They are to maintain a level of competence that allows them to accomplish their assigned duties as well as to understand the importance of developing and implementing cost effective internal controls.

Management Responsibilities

Managers play a critical role in planning and executing the activities and programs at the University at Stony Brook. It is to their credit that Stony Brook has achieved an outstanding international reputation in education, research and health care since opening in 1957. While managers' specific responsibilities may vary at different levels of the organization, the basic principle remains that all managers are responsible for the successful execution of Stony Brook's internal control program.

Senior Management is responsible for providing the overall direction and priorities that guide the efforts of managers throughout the organization in the formulation of their plans and execution of their programs and organized activities. Senior management is also responsible for providing appropriate organizational structure that ensures internal controls protect the organization’s assets from waste, fraud and abuse without impeding the University’s ability to meet its overall goals and objectives. Finally, senior management is responsible for developing systems and tools that support managers' efforts to achieve their approved goals and objectives.

Department managers and unit heads have the day-to-day responsibility for executing the varied programs and activities at Stony Brook. They must translate Stony Brook's overall goals and objectives into goals and objectives suited to the specific missions of their units and must clearly communicate these goals and objectives to the personnel in their units. These managers are also responsible for creating an environment supportive of effective internal controls and are responsible for continuously assessing the effectiveness of the internal controls that apply to their area and suggesting and implementing changes when controls are found to be inadequate to protect University assets or to be wasteful through the creation of bureaucratic obstacles to effective performance.

In summary, management is responsible for:

  • Acknowledging that utilization of internal controls is an inherent part of a manager’s responsibility, not a new or additional function.
  • Assuring that internal controls are supportive of and consistent with the operating mandate and philosophy of the University at Stony Brook.
  • Developing goals and objectives that are consistent with those established for Stony Brook. Each manager’s action should be coordinated as part of the overall University at Stony Brook internal control effort.
  • Continuously monitoring the environment within which her/his program operates to identify required adjustments in Stony Brook's internal controls.

Employee Responsibilities

Each employee is responsible for adhering to those performance programs, policies, procedures, guidelines and internal control standards established to guide the operation of the University at Stony Brook.

Monitoring and testing Stony Brook’s internal controls requires an independent body with the requisite skills and knowledge of the organization’s purpose and internal controls that regulate it. This body is Stony Brook’s Internal Audit Department. In general, the purpose of the audits they perform is to:

"Provide a needed level of assurance that conditions actually encountered in the subject audit conform to some established concept, standard, or expectation. The need arises because of an interest in the subject by persons who are either not directly involved or are not in a position to obtain assurances directly."

To provide a useful service, internal auditors require an agreed framework within which to measure and interpret deviations of actual conditions from expectations. Expectations cannot be open to interpretation but must have a common basis for agreement; the specifications of internal controls provide this basis. Internal auditors must be independent, having no stake in the subject areas they report on; otherwise, their findings and conclusions could be suspect.

As in areas of scientific inquiry, auditing requires maintaining detailed documentation of data collected and computation techniques employed and setting forth the basis upon which conclusions were drawn. One standard against which to measure the reliability of an audit is that reasonable persons provided with the same data should agree on the conclusions drawn.

Scope of Internal Audits

Two primary types of audits provide different but equally important forms of feedback to management. These are financial/compliance audits and performance (management) audits.

Financial Audits- The financial or compliance audit focuses on determining whether the financial transactions of the University have been properly reported and classified, whether internal controls are sufficient to justify confidence in the reported data and whether legal requirements have been complied with. These audits provide managers with useful insights into where procedures can be improved and control processes tightened.

Performance Audits- Performance audits focus on determining whether: operations are economical and/or efficient; resources are used effectively; good management practices are followed and whether programmatic goals are achieved. Included in the scope of these audits is the manner in which work is organized and how this affects the efficiency and effectiveness of the organization.

Relationship Between Internal Controls and Internal Audit

The starting point for an audit is the expectation of management and other interested parties regarding how the organization operates. This expectation is embodied in the organization’s internal controls. Therefore, it is incumbent on management and other interested parties to ensure that all levels of the organization understand the internal controls and that the internal controls established are sufficient to properly regulate the organization’s performance.