Worcester State University
Internal Control Plan
To define and communicate the Internal Control of the University and to insure that WSU can meet its specific Internal Control goals and objectives by establishing the appropriate policies, procedures, and environment to effectively minimize risk.
Internal Controls are the activities designed to ensure:
1. Programs achieve their intended results;
2. Resources are used effectively and efficiently;
3. Programs and resources are protected from waste, fraud, and mismanagement;
4. Laws and regulations are followed;
5. Reliable and timely information is obtained, maintained, and reported.
It is the intent of Worcester State University to comply with the Office of the State Comptroller’s mandates per MGL Chapter 647 Acts of 1989 and the Office of the State Comptroller Memorandum FY 2001-28; June 29, 2001
1. “Internal Control Systems for the various departments of the Commonwealth shall be developed in accordance with internal control guidelines established by the Office of the State Comptroller” MGL Chapter 647 Acts of 1989
2. “A departmental control plan is a high level summarization on a departmental-wide basis, of the department’s risk (as the result of a risk assessment) and of the controls used by the department to mitigate those risks. This high level summary must be supported by lower level detail i.e. departmental policies and procedures. We would expect this summary to be from approx. pages depending upon the size and complexity of the department …….. A departmental risk assessment is the identification and analysis of the risks that could prevent the department from reaching its goals and objectives. This identification and analysis forms the basis for determining how the risks should be managed.” Office of the State Comptroller Memorandum FY2001-28; June 29, 2001.
Furthermore, the WSU Internal Control Plan is directly aligned with our organization’s mission statement, goals and objectives.
Worcester State University, a public metropolitan institution of higher learning located in a culturally vibrant region of the Commonwealth, affirms the principles of liberal learning as the foundation for all advanced programs of study.
WSU offers programs in the traditional liberal arts and sciences disciplines, while maintaining its historical focus on teacher education. It has expanded its offerings with professional degree programs in biomedical sciences, business, and the health professions. Through its curricula, WSU addresses the intellectual and career needs of the increasingly diverse citizenry of central Massachusetts.
Worcester State University is dedicated to offering high quality, affordable undergraduate and graduate academic programs and to promoting the lifelong intellectual growth, global awareness, and career opportunities of its students.
To this end, WSU values teaching excellence rooted in scholarship and community service; cooperates with the business, social and cultural resources of Worcester County; collaborates with other institutions of higher learning in the region; and develops new programs responsive to emerging community needs.
A WSU Strategic Planning process for 2010-2014, with wide representation from the University community, succeeded in adopting action plans for strategic priorities and goals which were presented to the Board of Trustees in January 2010 and has officially taken effect for FY 2011. A link to Worcester State University Strategic Plan 2010-2014 - http://www.worcester.edu/StrategicPlanning/default.aspx .
Appointment of Internal Control Officer
In accordance with the requirement and obligations of Chapter 647 of the Massachusetts General Laws of 1989 and in accordance with the internal control guideline established by the Massachusetts Office of the State Comptroller, the President of the University has the responsibility of appointing an Internal Control Officer. To comply with this requirement, the Associate Vice President of Administration and Finance has been appointed as the College’s Internal Control Officer, effective July 1, 2004.
Internal controls consist of five interrelated components from the 1994 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Report, as well as its framework for Enterprise Risk Management (ERM) which was released in 2004. They are as follows: control environment; risk assessment; control activities; information and communication; and monitoring.
1. Summary of the Control Environment within Worcester State University - The control environment sets the tone of an organization, providing discipline and structure and influencing the effectiveness of internal controls. ***In Fiscal 2012, the University President web page will include a statement of the importance of good internal controls.***
Control environment factors include:
Integrity and Ethical Values – As a higher educational institution, integrity and ethical behavior are essential elements of the control environment. The Worcester State University Human Resources Employee Handbook depicts several ethics-related policies (ie. Sexual Harassment, Conflicts of Interest, Key Employee Qualities, etc.) and provides a link to the state website - www.mass.gov/ethics.
Management Philosophy and Operating Style – As stewards of public funds and the education of our citizens, it is the responsibility of Worcester State University to ensure that we are as efficient and effective as possible within the confines of existing laws, policies and procedures. In that way, we will meet our Internal Control responsibilities, and will be promoting our primary goal of student success.
Staff Competencies and Training – WSU has formal hiring committees and processes (http://www.worcester.edu/hr/Shared%20Documents/EmployeeProcess.aspx) to seek out candidates that demonstrate position and personal competencies for the required duty. Additionally, WSU ensures that employees are adequately trained: A combination of formal training offered via the State Comptrollers’ Office – (Ex. Introduction to State Finance MMARS Navigation, Fraud Awareness and Prevention, Risk Management, Warehouse Queries, etc.) and on-the-job training is essential to ensure that University employees are properly prepared to perform their duties.
Worcester State University, in conjunction with Central Links (QCC, MWCC, FSU & WSU) will be hosting a series of Group Intermediate Warehouse Query/ Federal Grants trainings in Fiscal 2012 geared exclusively to Higher Education. Our goal is to improve productivity, promote cross-training, and share skills within and amongst the various state and community colleges.
Professional development workshops are also offered to Worcester State University staff via the Faculty Development Committee and Human Resources Training Committee at the Worcester Consortium.
The Worcester State University Grant Coordinator offers professinal Grant workshops to Faculty ("How to Administer a Grant at WSU") with a sharp focus on compliance.
Assigning of Authority and Responsibility - WSU authority and responsibility is assigned by the Board
of Trustees to the President and the Executive Leadership Board, (ELT). The assignment of
this authority and responsibilities are such that they ensure the daily operating practices and procedures
to sufficiently minimize the possibility of operational failure, overspending or other actions inconsistent
with policy or in violation of the law. The inclusion of a current organizational chart further illustrates the
lines of authority within the major Divisions of the College.
Compliance with Section 1553 of the ARRA - WSU has posted notices regarding Whistleblowers and Knowing Your Rights under ARRA which prohibits all non-federal contractors of ARRA funds from discharging, demoting or otherwise discriminating against an employee for disclosures by the employee that the employee reasonably believes are evidence of:
· Gross mismanagement of a contract relating to ARRA funds;
· A gross waste of ARRA funds;
· A substantial and specific danger to public health or safety related to the implementation or use of ARRA funds;
· An abuse of authority related to implementation or use of ARRA funds;
· A violation of law, rule, or regulation related to an agency contract.
WSU will post and notify subcontractors of posting notice of the rights and remedies available to employees under Section 1553 of Title XV of Division A of the ARRA. http://www.worcester.edu/teamsites/Policies/Wiki%20Pages/ARRA%20Policy.aspx.
Worcester State University shall promptly refer to an appropriate federal inspector general any credible evidence that a principal, employee, agent, subcontractor or other person has committed a false claim under the False Claims Act or has committed a criminal or civil violation of laws pertaining to fraud, conflict of interest, bribery, gratuity, or similar misconduct involving those funds.
2. Enterprise Risk Assessment, a process managed by the Internal Control Officer and the Executive Leadership Team, is designed to identify activities affecting risk to the University, and forms a basis for determining how those risks should be managed as they relate to the strategies and mission of the College.
The Internal Control Officer and ELT meet at least annually to discuss and monitor the most relevant risks affecting the College. Collectively they decide whether to: (1) accept and monitor those risks, (2) avoid the risks by eliminating them, (3) reduce the risks by instituting controls, or (4) share the risks by partnering or entering into a strategic alliance with another higher education institution. The assessment of risk is monitored through ongoing activities and corrective actions are taken when necessary. http://www.worcester.edu/teamsites/Policies/Wiki%20Pages/Enterprise%20Risk%20Assessment%20Combined%202010-2011.aspx
Additionally, a Fraud Risk Assessment shall be conducted annually to identify where fraud may occur. A fraud risk assessment should consider relevant fraud schemes and scenarios and map them to mitigating controls. Fraud risks should be included in the enterprise risk assessment conducted as part of our Internal Control Plan development. COSO’s Enterprise Risk Management–Integrated Framework describes the essential ERM components, principles, and concepts for all organizations, regardless of size. A section of the ERM dedicated to ARRA has been incorporated in FY’11 due to compliance requirements. http://www.worcester.edu/teamsites/Policies/Wiki%20Pages/Enterprise%20Risk%20Assessment%20-%20ARRA%20Fraud.aspx. See also Commonwealth of massachusetts ARRA Fraud Waste and Abuse Awareness Training from KPMG, LLP and audit/advisory firm,
The Inspector General has issued an updated guide on developing fraud prevention policies and programs - Select Toolkit for Departments to Combat Fraud http://www.mass.gov/Eoaf/docs/arra/fraud_waste_abuse_training_bklet_final.pdf .
See also: Knowing Your Risks - A Fraud Risks Brainstorming Workshop from KPMG, LLP and audit/advisory firm, http://www.mass.gov/Aosc/docs/comptroller_events/cfo_conference/2009/fraud_pres.pdf.
3. Control Activities are the means by which risks, policies, and procedures are established by the Institution and shared with members of the organization. Policies are adopted in order to control the various risks identified in the University departments risk assessment review and in some cases to be in conformance with various laws, rules and regulations.
The University’s departments have developed procedures to ensure that the policies of the University are followed. The internal controls will combine both preventative and detective controls to mitigate risks. Preventive controls can be time consuming and costly, and should be cost beneficial. Detective controls will identify when a problem occurs. Policies can be viewed currently either via the University’s Teamsites or WIKI site (a transition is currently taking place moving policies to the Teamsites location), while access to procedures will be assigned according to appropriate departmental security. Departments are strongly encouraged throughout the Risk Assessment process to update policies and procedures at least annually and/or when significant changes take place.
The following is a list of some, but not all of the preventive control activities that take place at Worcester State University.
Approvals & Authorizations
· Transactions in MMARS are approved by a department budget manager, who is an authorized signatory approved by the College Budget Manager. Transactions $20,000 and over, must be approved by Vice-President of Finance and Administration. All purchase orders and blanket orders are approved by the Director of Procurement. Occasional reimbursement may be paid by non-purchase order (e.g., utilities) by the department budget manager or additionally by the Vice-President of Fiscal Affairs if the amount is $20,000 and over.
****Plans are underway to tighten up the Procurement and Accounts Payable approval process for MMARS and non-MMARS expenditures within the Colleague system. Electronic approvals for Direct PO's, Blanket Orders, and when encumbrances increase $20,000 and over, will tighten up any loopholes and will therefore strenghten internal controls.*****
· In order to obtain access to Colleague (the WSU Financial System), an individual must fill out and sign a request form for access and have the department head sign as well as the Vice President of Fiscal Affairs.
Procurement /Accounts Payable
· Pursuant to Section 1606 of the ARRA, related to the Davis-Bacon Act of 1931, both Worcester State College and its subcontractors shall fully comply with the provision of ARRA that all laborers and mechanics employed by contractors and sub-contractors on projects funded by ARRA shall be paid wages at rates not less than those prevailing on projects of a character similar in the locality, as determined by the United States Secretary of Labor in accordance with subchapter IV of Chapter 31 of Title 40 of the United States Code. Prevailing wages applicable in the State of Massachusetts are located at: www.access.gpo.gov/davisbacon or at http://www.mass.gov/?pageID=elwdagencylanding&L=4&L0=Home&L1=Workers+and+Unions&L2=Wage+and+Employment+Related+Programs&L3=Prevailing+Wage+Program&sid=Elwd
· Pursuant to Section 1605 of the ARRA, the “Buy American Act”, neither Worcester State University or its subcontractors will use ARRA funds for a project for the construction, alteration, maintenance, or repair of a public building or public work unless all of the iron, steel and manufactured goods used in the project are produced in the United States in a manner consistent with United States obligations under international agreements, unless waived by the applicable federal agency as set out in ARRA.
Segregation of Duties
· Segregation of Duties defines authority and responsibility over the activity and use of College resources. The fundamental premise of segregation is that an individual should not be in a position to initiate, approve, undertake, and review the same action. These are called incompatible duties when performed by the same individual. In cases where segregation may not be possible due to limited staffing, additional management oversight or other alternative management procedures (additional sign-offs) may be necessary.
· All invoices must be approved by either the Department Head, Budget Manager or senior management in Administration & Finance, such as the Grants Manager or Vice-President of Administration & Finance.
· Capital transactions (encumbrance $20K and over) must be reviewed by at least two layers of approval authorizations, including the Vice-President of Administration & Finance.
· Separating the functions of authorizing, awarding, and disbursing Federally Funded Student Financial Aid (FSA) is required for participation in Federally Funded Student Financial Aid programs.
Segregation of Duties/Verifications
· WSU’s Security Officer (DSO) and Backup DSP verify that current employees have only one active User Access Identification (UAID) in the Massachusetts Management Accounting and Reporting System, (MMARS), and that terminated employees are inactivated as soon as notified.
· Department Heads - Annual Security Review & Approval - The DSO annually reviews and verifies employee access to MMARS in the Commonwealth Information Warehouse (CIW), Human Resource Compensation Management System, (HRCMS) and In Tempo as dictated by the Massachusetts Office of the Comptroller’s Security Administration. WSU’s Department Head, (the University president) submits the Department Head Annual Approval of Statewide Enterprise Systems Security Form either as an email from their account or as a hard copy with the Department Head's signature by June 30th. *This document will also be updated with the new University President's signature within 30 days of appointment (July 2012).
· The Office of the Comptroller also requires that a Department Head MMARS Security Certification be on file for the department. Designation of key contacts is a distinct activity, different from the annual certification of enterprise systems security access. The Department Head, not a designee, must sign this certification. When the Department Head changes, the new Department Head must update this form and list any changes to key contacts for the department. *This document will also be updated with the new University President's signature within 30 days of appointment ( July 2012). http://www.mass.gov/Aosc/docs/policies_procedures/security/po_sec_enterprise_sys_security.pdf , See also http://www.mass.gov/Aosc/docs/comptroller_events/sec_ofc_brief/sec_ofc_apr2011.pdf.