Policies and Procedures Manual 2024 - 2025

10.17 - Internal Control over Compliance Policy

It is the policy of the University to establish and maintain effective internal control over Federal awards. Internal controls processes will be designed and implemented to provide reasonable assurance that the University’s objectives relating to compliance with the U.S. Constitution Federal statutes, regulations, and the terms and conditions of Federal awards will be achieved.

 

These internal controls will follow the guidance in the “2013 Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This framework includes 5 components and the 17 principles within those components:

 

Components of Internal Control

Principles

Control Environment

1. Demonstrate Commitment to Integrity and Ethical Values

2. Exercise Oversight Responsibility

3. Establish Structure, Responsibility, and Authority

4. Demonstrate Commitment to Competence

5. Enforce Accountability

Risk Assessment

6. Define Objectives and Risk Tolerances

7. Identify, Analyze, and Respond to Risks

8. Assess Fraud Risk

9. Identify, Analyze, and Respond to Change

Control Activities

10. Design Control Activities

11. Design Activities for the Information System

12. Implement Control Activities

Information and Communication

13. Use Quality Information

14. Communicate Internally

15. Communicate Externally

Monitoring

16. Perform Monitoring Activities

17. Evaluate Issues and Remediate Deficiencies

 

Internal Control Self-Assessment

The University will perform a self-assessment of internal controls on an as needed basis, or at least annually and include the following steps:

  • Obtain a clear understanding of the current program or administrative objectives and processes.
  • Obtain a clear understanding of the risks associated with such objectives and processes.
  • Determine which controls are the most critical in terms of achieving these objectives.
  • Determine whether there are any gaps or problems with existing controls.
  • Determine whether there have been additions or changes in certain processes which would affect the existing controls.

 

The internal control review should include these key areas:

 

Define Objectives and Risk Tolerances

  • Define objectives in specific and measurable terms to enable the design of internal control for related risks.
  • Define the acceptable level of variation in performance relative to the achievement of objectives.

     

    Identify, Analyze, and Respond to Risks

  • Analyze risks, including both inherent and residual risk, and consider internal and external risk factors.
  • Estimate the significance of the identified risks and their effect on achieving the defined objectives.
  • Define specific actions to respond to the analyzed risk.

 

Assess Fraud Risk

  • Consider the types of fraud that can occur (e.g., fraudulent financial reporting, misappropriation of assets, corruption), as well as other forms of misconduct (such as waste and abuse).
  • Considers fraud risk factors (incentive/pressure, opportunity, and attitude/rationalization) and use this information to identify fraud risk.
  • Perform a risk analysis to identify fraud risk and responds to fraud risk so they are effectively mitigated.

     

    Identify, Analyze, and Respond to Change

  • Identify significant changes to internal and external conditions that have already occurred, or are expected to occur, and that could significantly impact the internal control system.
  • Analyze and respond to identified changes and related risks in order to maintain an effective internal control system.

 

Based on the evaluation above, the University will determine whether adjustments should be made to existing controls. If an adjustment is deemed necessary, policies and procedures will be updated, and changes are communicated to affected staff and management in an appropriate manner.

 

Protected Personally Identifiable Information

The University will take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive or the non-Federal entity considers sensitive consistent with applicable Federal, State, local, and tribal laws regarding privacy and responsibility over confidentiality.

 

Protected Personally Identifiable Information (Protected PII) means an individual's first name or first initial and last name in combination with any one or more of types of information, including, but not limited to, social security number, passport number, credit card numbers, clearances, bank numbers, biometrics, date and place of birth, mother's maiden name, criminal, medical and financial records, educational transcripts. This does not include PII that is required by law to be disclosed.