10.17 - Internal Control over Compliance Policy

It is the policy of the University to establish and maintain effective internal control over Federal awards. Internal controls processes will be designed and implemented to provide reasonable assurance that the University’s objectives relating to compliance with the U.S. Constitution Federal statutes, regulations, and the terms and conditions of Federal awards will be achieved.

These internal controls will follow the guidance in the “2013 Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This framework includes 5 components and the 17 principles within those components:

Internal Control Self-Assessment

The University will perform a self-assessment of internal controls on an as needed basis, or at least annually and include the following steps:

• Obtain a clear understanding of the current program or administrative objectives and processes.
• Obtain a clear understanding of the risks associated with such objectives and processes.
• Determine which controls are the most critical in terms of achieving these objectives.
• Determine whether there are any gaps or problems with existing controls.
• Determine whether there have been additions or changes in certain processes which would affect the existing controls.

The internal control review should include these key areas:

Define Objectives and Risk Tolerances

• Define objectives in specific and measurable terms to enable the design of internal control for related risks.
• Define the acceptable level of variation in performance relative to the achievement of objectives.

   

  Identify, Analyze, and Respond to Risks

• Analyze risks, including both inherent and residual risk, and consider internal and external risk factors.
• Estimate the significance of the identified risks and their effect on achieving the defined objectives.
• Define specific actions to respond to the analyzed risk.

Assess Fraud Risk

• Consider the types of fraud that can occur (e.g., fraudulent financial reporting, misappropriation of assets, corruption), as well as other forms of misconduct (such as waste and abuse).
• Considers fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) and use this information to identify fraud risk.
• Perform a risk analysis to identify fraud risk and responds to fraud risk so they are effectively mitigated.

   

  Identify, Analyze, and Respond to Change

• Identify significant changes to internal and external conditions that have already occurred, or are expected to occur, and that could significantly impact the internal control system.
• Analyze and respond to identified changes and related risks in order to maintain an effective internal control system.

Based on the evaluation above, the University will determine whether adjustments should be made to existing controls. If an adjustment is deemed necessary, policies and procedures will be updated, and changes are communicated to affected staff and management in an appropriate manner.

Protected Personally Identifiable Information

The University will take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive or the non-Federal entity considers sensitive consistent with applicable Federal, State, local, and tribal laws regarding privacy and responsibility over confidentiality.