10.17 - Internal Control over Compliance Policy
It is the policy of the University to establish and maintain effective internal control over Federal awards. Internal control processes will be designed and implemented to provide reasonable assurance that the University’s objectives relating to compliance with the U.S. Constitution, Federal statutes, regulations, and the terms and conditions of Federal awards will be achieved.
These internal controls will follow the guidance in the “2013 Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This framework includes 5 components and the 17 principles within those components:
| Components of Internal Control | Principles |
|---|---|
| Control Environment | 1. Demonstrate Commitment to Integrity and Ethical Values; 2. Exercise Oversight Responsibility; 3. Establish Structure, Responsibility, and Authority; 4. Demonstrate Commitment to Competence; 5. Enforce Accountability |
| Risk Assessment | 6. Define Objectives and Risk Tolerances; 7. Identify, Analyze, and Respond to Risks; 8. Assess Fraud Risk; 9. Identify, Analyze, and Respond to Change |
| Control Activities | 10. Design Control Activities; 11. Design Activities for the Information System; 12. Implement Control Activities |
| Information and Communication | 13. Use Quality Information; 14. Communicate Internally; 15. Communicate Externally |
| Monitoring | 16. Perform Monitoring Activities; 17. Evaluate Issues and Remediate Deficiencies |
Internal Control Self-Assessment
The University will perform a self-assessment of internal controls on an as-needed basis, or at least annually, and will include the following steps:
- Obtain a clear understanding of the current program or administrative objectives and processes.
- Obtain a clear understanding of the risks associated with such objectives and processes.
- Determine which controls are the most critical in terms of achieving these objectives.
- Determine whether there are any gaps or problems with existing controls.
- Determine whether there have been additions or changes in certain processes which would affect the existing controls.
The internal control review should include these key areas:
- Define Objectives and Risk Tolerances
- Assess Fraud Risk
Based on the evaluation above, the University will determine whether adjustments should be made to existing controls. If an adjustment is deemed necessary, policies and procedures will be updated, and changes will be communicated to affected staff and management in an appropriate manner.
Protected Personally Identifiable Information
The University will take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive or the non-Federal entity considers sensitive consistent with applicable Federal, State, local, and tribal laws regarding privacy and responsibility over confidentiality.
Protected Personally Identifiable Information (Protected PII) means an individual's first name or first initial and last name in combination with any one or more types of information, including, but not limited to, social security number, passport number, credit card numbers, clearances, bank numbers, biometrics, date and place of birth, mother's maiden name, criminal, medical and financial records, and educational transcripts. This does not include PII that is required by law to be disclosed.