What Are Internal Controls?

Internal Controls define processes that ensure that operations are appropriate, effective and efficient. Ideally, the processes are documented. (Some simple examples include individual job descriptions, organization charts, departmental operating manuals, the Upstate Policies and Procedures Manual, the Board of Trustees Policies, SUNY's Master Plan and the University Accounting System.)

The intent of the Internal Control program is to ensure that the Campus is operating in accordance with these written documents, providing reasonable assurance that the goals of operating appropriately, effectively and efficiently are attained. Also, where controls are absent, written processes, approved by management, should be established.

SUNY's Internal Control Program Objectives (The CARES Model)

SUNY uses the CARES acronym to help define its internal control objectives. The Upstate Office of Internal Control has supplemented the acronym with some typical examples of internal controls that would apply:

  • Compliance with applicable laws and policies (HIPAA, Medicare, JCHO, Internal Revenue Service).
  • Accomplishment of the Campus Mission (Mission Statement)
  • Relevant and Reliable Data (Financial, Patient Information Systems and limited access thereto)
  • Economical and efficient use of resources (Budgetary Process)
  • Safeguard Assets (Purchasing, Payroll, Property Control, Cashiering and other Financial Systems)

The SUNY program requires the Campus to perform Risk Assessments. These assessments isolate those areas where there is a significant probability of a significant loss if internal controls are not in place. The Internal Control Committee can then focus its efforts on those areas of significant risk.

The following risk factors are identified by SUNY, as well as the related potential exposures (possible negative results):

Risk factors:

  • access risk
  • business disruption risk
  • credit risk
  • customer service risk
  • data integrity risk
  • financial/external report misstatement risk
  • float risk
  • fraud risk
  • legal and regulatory risk
  • physical harm risk

Potential exposures (possible negative results):

  • financial loss
  • legal and regulatory violations/censorship
  • negative customer impact
  • loss of business opportunities
  • public embarrassment
  • inefficiencies in the business process

Once areas of significant risk are identified, the Internal Control Committee can work to determine if:

  1. There are written controls/procedures in place to mitigate the risk.
  2. The controls/procedures are working.
  3. There are means in place to detect if controls are breaking down.

As a practical matter, a number of offices on the Upstate Campus, which are members of the Internal Control Committee, perform risk assessment and testing of systems. These offices include:

Office: Number

  • Institutional Compliance: 464-4790 (Hotline 464-6444)
  • Institutional Privacy: 464-6135 (Hotline 464-6444)
  • Environmental Health & Safety: 464-5782
  • Risk Management: 464-6177
  • IMT Systems Security: 464-4093
  • Internal Audit: 464-4692

Further, Management, in the promulgation of policies which direct campus activities, also evaluates risks and develops systems for internal control at Upstate.