Internal Control Vulnerability Assessment (January 2011) Unit Name. Prepared by. Title. Reviewed by. Title. Reviewer s Comments

Similar documents
Chapter 7 Internal Controls

International Standards for the Professional Practice of Internal Auditing (Standards)

International Standards for the Professional Practice of Internal Auditing (Standards)

Policy Analysis: Internal Controls #1.11 1/2009

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

Understanding Internal Controls Office of Internal Audit

RREGULATION ON INTERNAL CONTROLS AND INTERNAL AUDIT FUNCTION IN MICROFINANCE INSTITUTIONS. Article 1 Scope and Purpose

Internal Audit Policy and Procedures Internal Audit Charter

DEPARTMENTAL CONTROL SELF-ASSESSMENT. Dept.: Date:

INTERNAL CONTROLS. Revision A

Internal Audit Appendix: IIA Standards

Internal Control in Higher Education

Internal Audit Quality Analysis Evaluation against the Standards International Standards for the Professional Practice of Internal Auditing (2017)

Bank of Botswana Internal Audit Charter March 18, 2013 INTERNAL AUDIT CHARTER BANK OF BOTSWANA

GoldSRD Audit 101 Table of Contents & Resource Listing

I. Mission. II. Scope of the Work

In Control: Getting Familiar with the New COSO Guidelines. CSMFO Monterey, California February 18, 2015

Department of Biology

PROJECT SUMMARY. Summary of Significant Results

3.6.2 Internal Audit Charter Adopted by the Board: November 12, 2013

Maryland Transportation Authority

Control Environment Toolkit: Internal Audit Function

CPA REVIEW SCHOOL OF THE PHILIPPINES M a n i l a AUDITING THEORY AUDIT PLANNING

Cost Control Systems. Conclusion. Is the District Using the Cost Control Systems Best Practices? Internal Auditing. Financial Auditing

Copyright 2009 Club Resources International. Disclaimer

GATU Webinar Part 1 March 2017 Presented by Carol Kraus, CPA

POLICY & PROCEDURES MEMORANDUM

Evaluation Tool. Revised January 2006 Internal Control Management and INTRODUCTION

FRAUD SCHEMES. South Carolina HFMA Finance & Reimbursement Forum. November 13, 2012 WITH RELATED INTERNAL CONTROLS

STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES For PEI Credit Unions

OPERATIONAL RISK EXAMINATION TECHNIQUES

CHAPTER 11 PERSONNEL MANAGEMENT EVALUATION SECTION 1 - GENERAL

Audit-Risk Committee. Board Approval: August 2018

Internal Controls. Presented by: Mark Payne, CPA Partner Rae Kerr, CPA Senior Manager. March 5, 2014

Internal Control Monitoring Tool

STARWOOD HOTELS & RESORTS WORLDWIDE, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS

Policy and Procedure Examples

Support Services Review Template

BOM/BSD 2/November 1994 BANK OF MAURITIUS. Guideline on Maintenance of Accounting and other Records and Internal Control Systems

Florida Institute of Technology

International Standards for the Professional Practice of Internal Auditing

SIAAB Guidance #05. Conforming with FCIAA and Standards in Small Audit Functions in the State of Illinois. Adopted December 8, 2015

CIA Test Preparation Part I

Seattle Public Schools The Office of Internal Audit

General Government and Gainesville Regional Utilities Vendor Master File Audit

INTERNAL AUDIT POLICIES AND PROCEDURES OPERATING MANUAL

Kua O Ka La s Financial/Accounting Policies & Procedures

Policy and Procedures Date: November 5, 2017

Internal Audit Charter

UNIVERSITY STANDARD. Title UNIVERSITY OF NORTH CAROLINA AT CHAPEL HILL STANDARD ON ENTERPRISE DATA GOVERNANCE. Introduction

Simply put, when we allocate resources to meet a legislative mandate or program objective, we must be mindful of two things:

Internal Control Evaluation

If an adequate segregation of duties does not exist, the following could occur:

Kentucky State University Office of Internal Audit

PROCEDURE CITY OF GRANDE PRAIRIE PURPOSE SCOPE PROHIBITIONS:

Report. Quality Assessment of Internal Audit at <Organisation> Draft Report / Final Report

Internal Controls: Providing an Effective Control Environment. Why This Session Is Needed. Lesson Overview & Module Objectives

Internal Audit of the Democratic People s Republic of Korea (DPRK) Country Office

CSU COLLEGE REVIEWS. The California State University Office of Audit and Advisory Services. California State University, Northridge

e. inadequacy or ineffectiveness of the internal audit program and other monitoring activities;

This Questionnaire/Guide is intended to assist you in decision making, as well as in day-to-day operations. Best Regards,

Internal Control Questionnaire and Assessment

Purpose To establish the proper classification of faculty and staff positions.

Triple C Housing, Inc. Compliance Plan

Contents Introduction II. Ethics, Independence, and Confidentiality III. Professional Standards IV. Ensuring Internal Control

FRAUD RISK FACTORS CHECKLIST (Source: New AU Section 240, Appendix A)

CERTIFIED ADMINISTRATOR OF SCHOOL FINANCE AND OPERATIONS

Control Self Assessment Questionnaire

University System of Maryland University of Baltimore

IAASB Main Agenda (December 2008) Page Agenda Item

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français.

S O C I AL W O R K S U P E R V I S O R Schematic Code ( )

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français.

University Internal Audit

Auditor GS Career Path Guide

QUALITY CONTROL FOR AUDIT WORK CONTENTS

Guide to Internal Controls

RIGHT FROM THE START: RESPONSIBILITIES of DIRECTORS of NOT-FOR-PROFIT CORPORATIONS

OFFICE OF INTERNAL CONTROLS

Version 1.0. The Contract Management Standard Final Edition. Version 1.0

Finance Code of Conduct

Ten Payment Fraud Protections

IAASB Main Agenda (July 2007) Page Agenda Item

How to Pass an ALGA Yellow Book Peer Review Training by the Association of Local Government Auditors (ALGA) Tampa, Florida September 20, 2013

UNITED STATES MARINE CORPS MARINE CORPS BASE 3250 CATLIN AVENUE QUANTICO VIRGINIA IN REPLY REFER TO: MCBO 5200.

Volume 1: Agency Standards Chapter 8: Agency Operations Section 2: Human Resource Practices Approved: 2001/01/16 Last Revised: 2011/01/06

SRI RESEARCH/RATING QUALITY STANDARD

Southwest Airlines Co. Code of Ethics

Job Description. Director of Finance

Version 1.0. The Contract Management Standard Final Edition. Version 1.0

IMMUNOGEN, INC. CORPORATE GOVERNANCE GUIDELINES OF THE BOARD OF DIRECTORS

CHAPTER 6 GOVERNMENT ACCOUNTABILITY

APES 320 QUALITY CONTROL FOR FIRMS

ONLINE PUBLIC CONSULTATION

Manager, Facilities Operations

Standards for Internal Control in New York State Government 2016 Update

STATE OF NORTH CAROLINA

AC C O U N T AN T Schematic Code ( )

Transcription:

Internal Control Vulnerability Assessment (January 2011) Division Unit Name Prepared by Date Title (For Internal Control Team Use Only) Reviewed by Date Title Reviewer s Comments Return completed assessment to Zhelin (Jolin) Huang in UNH 209 Questions: email Zhelin (Jolin) Huang at ichotline@uamail.albany.edu,

Factor 1: Management Attitude and General Control Environment Of key concern is management s recognition of the importance of, and commitment to, the establishment and maintenance of a strong system of internal control as communicated to employees through actions and words. 1. All managers within this unit establish high expectations for honesty, integrity, and ethical behavior in the operations of the office or department. 2. Unit management has the responsibility and necessary authority to develop, maintain, and evaluate the unit s internal control system, including applicable policies and procedures. 3. Unit management regularly reviews and tests the unit s policies and procedures to ensure that they are working as intended. 4. The unit has regular staff meetings involving all levels of employees. 5. All managers within the unit seek and receive feedback from each other as well as other employees regarding the operations of the unit. 6. Once identified, any instances of policy or procedure violations or other potential internal control weaknesses are resolved in a timely manner.

Factor 2: Purpose and Characteristics of the Unit The purpose of the unit s activity should be considered, noting any aspects that make the unit s activity susceptible to waste, fraud or abuse. Risks inherent in the unit s operations should be considered, as well as whether appropriate controls are in place to mitigate those risks. 1. The unit has a clear and concise mission statement, goals and objectives. 2. There is normally sufficient time to satisfactorily accomplish the unit s activity without taking shortcuts to meet severe time constraints. 3. The unit does NOT collect, use or store personal identifiable information. 4. None of the unit s functions involve the handling of cash receipts or collections of cash, negotiable instruments, or credit card payments. 5. No petty cash account is maintained in the unit. 6. None of the unit s functions involve cash disbursements. 7. This unit is NOT involved in the approval of applications, assignment of grades, or awarding of credit. 8. This unit is NOT involved in the production of transcripts, diplomas and/or certifications. 9. This unit is NOT involved in the assessment of and/or crediting or debiting of tuition or other charges.

Factor 3: Organizational Structure The organizational structure should be such that there are clearly defined units to perform the necessary functions and that appropriate reporting relationships have been established. 1. This unit s organizational chart is current and accurate, and clearly defines all reporting relationships within the unit. 2. The organization structure provides adequate supervision of all key functions and duties. 3. Responsibilities of this unit are clearly defined so as to avoid duplication, overlap, or conflicts both within the unit as well as with other units. 4. Sufficient flexibility exists in the unit s structure to deal with changing circumstances. 5. A succession plan is in place for the unit. 6. The unit has a business continuity and/or disaster recovery plan in place to help ensure that its operations may continue uninterrupted. 7. Unit management has the decision making authority necessary to operate effectively and efficiently.

Factor 4: Policies and Procedures Documented procedures communicate and guide the work of the unit and provide a basis for most internal control reviews and follow-up evaluations. The basic consideration is whether there are written procedures for employees to follow within the general rules, and how much discretion is allowed. Usually, the more discretion allowed, the more potential for abuse. 1. Operating procedures and standards for this unit are documented in writing and are readily available for examination. 2. The unit s policies and procedures are consistent with statutory and regulatory authority and SUNY guidelines. 3. The unit s policies and procedures are reviewed regularly and revised as necessary. 4. All employees are familiar with the policies and procedures of the unit as well as the expectation that they will adhere to those policies and procedures. 5. The documented procedures for the unit provide sufficient detail for all functions and processes to allow operations to continue uninterrupted if key employees leave or are absent for an extended time. 6. Employees feel free to report inefficiencies and/or make suggestions for improvement to the policies and procedures.

Factor 5: Personnel One of the most important factors in the successful operation of a system of internal controls is personnel. Operating personnel must be qualified and properly trained for the functions they perform in order for controls to operate in the manner intended. 1. Recruitment and hiring practices follow all University guidelines and are handled in a manner intended to ensure that the most qualified persons are hired. 2. Accurate and up-to-date position descriptions are available for all unit personnel. 3. Sufficient training opportunities are available to improve competency and update employees on new policies and procedures. 4. Managers and employees are cross-trained to provide coverage for all key duties during times of heavy workload or low staffing levels. 5. The unit s management periodically reviews employees performance and provides counseling as necessary. 6. Employees and managers are held accountable for satisfactory completion of performance expectations. 7. This unit has a low turnover rate. 8. This unit has adequate staffing to satisfactorily complete its functions and achieve its goals.

Factor 6: Delegation of Authority Appropriate delegation or limitation of authority should exist to provide assurance that responsibilities are effectively discharged. 1. Employees in the unit understand the limits of their authority. 2. Employees understand the goals and objectives of the unit and their individual responsibilities in helping to achieve those goals. 3. The delegation of authority grants employees sufficient authority to carry out their responsibilities. 4. Transactions and other significant functions within the unit are authorized and executed only by persons acting within the scope of their authority.

Factor 7: Organizational Checks and Balances Checks and balances are used so that authority for certain functions is diffused to minimize the potential for waste, fraud, abuse or mismanagement. 1. Checks and balances are in place for this unit, and are appropriate and adequate to protect resources from manipulation. 2. Key duties and responsibilities in authorizing, processing, recording and reviewing transactions are separated among individuals. 3. Transactions involving significant assets require multiple levels of authorization. 4. Checks and balances within the unit are evaluated regularly and necessary corrections are made in a timely manner.

Factor 8: Budget and Reporting Practices The establishment of budgetary and organization goals provide employees with benchmarks by which they can ensure accomplishments, and also set individual goals for personal accomplishment. When such goals are not established, reviewed periodically, updated and disseminated to employees, organizational success is less likely. Moreover, activities with large budgets are susceptible to greater amounts of waste, loss, unauthorized use, or misappropriation than activities with smaller budgets. 1. The unit s internal budgeting system is integrated with its planning process. 2. Unit plans and budgets are effectively communicated to key personnel within the unit. 3. Unit progress or performance reports show comparisons with planned performance, budget allowances, and/or past performance. 4. Reports are used as effective management tools and any problem areas are corrected promptly.

Factor 9: Procurement and Property Control Controls must be in place to minimize the potential for waste, loss or misappropriation of assets. State and SUNY procedures must be followed in all procurement activity to ensure that all purchases are appropriate, and all capital items must be properly recorded and safeguarded. 1. Key personnel are aware of and adhere to the current purchasing guidelines including the competitive bid or quote process. 2. Only key personnel who have completed the appropriate training have access to a procurement card. 3. Key personnel are aware of and adhere to the current property control guidelines (available from the Office of Equipment Management), including off-campus use of assets. 4. Procedures are in place to verify the existence and location of all items on the unit s equipment inventory. 5. This unit is NOT responsible for a significant complement of valuable property, supplies, equipment, or other resources that require safeguarding.

Factor 10: Information Security University business, academic, and research activities are highly dependent on information technology. The utility and value of information is directly related to its availability, integrity, and confidentiality. 1. The unit s computer systems are in compliance with applicable University configuration standards designed to promote useability, manageability, and security. 2. The unit's use of licensed software is in compliance with all applicable license agreements. 3. Information Technology services provided by 3 rd parties (e.g., Cloud storage, SaaS) are supplied in the context of a formal contract or agreement with the provider that has been reviewed and approved by Institutional Services and executed by an authorized University officer. 4. Access controls are in place to ensure that only authorized employees can access, view, modify, or otherwise use institutional information. 5. These access controls are periodically reviewed and adjusted to ensure that the level of access, particularly to regulated information, is appropriate for the employee s current position and responsibilities (i.e., principle of least privilege) 6. The unit keeps track of each collection of regulated data maintained by it noting the type of information it contains and where it is stored (e.g., grade lists, personal health records; file cabinets, departmental shares, centrally maintained systems). 7. The unit has adequate controls in place to assure compliance with all requirements governing the use of regulated data. 8. All employees understand and adhere to controls designed to ensure compliance with any applicable regulations governing data handled by the unit (e.g. FERPA for student data). 10. Unit personnel understand and adhere to basic information security controls such as maintaining the confidentiality of passwords, using password protected screen savers, storing sensitive documents and records on secure shares, and maintaining the physical security of the workspace. 9. Controls are in place to ensure that critical electronic data is backed up regularly. 11. The unit has assigned responsibility to an employee for compliance with the University's media sanitization requirements.

Factor 11: Potential for Conflicts of Interest The potential for conflicts of interest on the part of University administrators or employees within this unit must be carefully monitored, or the public may lose faith in the fair and impartial administration of the activity. 1. There is little potential for unit or senior management to experience pressures from external groups or individuals that intend to sway decisions regarding the unit and its operations. 2. The unit does NOT have significant interaction with the public or external entities. 3. Few members of the public are directly affected by changes in the unit or its operations. 4. Management and key personnel within the unit avoid actual or apparent conflicts of interest and operate in a manner which will not reflect adversely on the credibility, objectivity or fairness of the University.

Factor 12: Age and Life Expectancy of the Unit Units that are new (in existence for less than two years), changing (undergoing substantial modifications or reorganization), or phasing out (to be eliminated within two years) should be considered more susceptible to waste, loss, unauthorized use, or misappropriation than stable units. 1. This unit has NOT undergone reorganization or significant functional change in the last two years. 2. The unit is NOT expected to experience significant functional change or reorganization, nor to decline or phase-out within the next two years. 3. This unit has been in existence for more than two years. 4. This unit is considered a permanent function of the University.

Vulnerability or Risk Rating Calculation (to be completed by Internal Control Team) Sum of all answers (columns 1-5) Subtract number of N/A answers (column 6) from number of questions (72) Vulnerability Rating (Divide sum of answers by number of questions answered) 1.0 2.49 = Low Risk 2.5 3.49 = Moderate Risk 3.5 5.0 = High Risk

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback