
Internal Control Plan


Worcester State University

Internal Control Plan




To define and communicate the Internal Control of the University and to ensure that WSU can meet its specific Internal Control goals and objectives by establishing the appropriate policies, procedures, and environment to effectively minimize risk.


Internal Controls are the activities designed to ensure:


1.      Programs achieve their intended results;

2.      Resources are used effectively and efficiently;

3.      Programs and resources are protected from waste, fraud, and mismanagement;

4.      Laws and regulations are followed;

5.     Reliable and timely information is obtained, maintained, and reported.


It is the intent of Worcester State University to comply with the Office of the State Comptroller’s mandates per MGL Chapter 647 Acts of 1989 and the Office of the State Comptroller Memorandum FY 2001-28; June 29, 2001:

1.       Internal Control Systems for the various departments of the Commonwealth shall be developed in accordance with internal control guidelines established by the Office of the State Comptroller. MGL Chapter 647 Acts of 1989


2.       A departmental control plan is a high level summarization on a departmental-wide basis, of the department’s risk (as the result of a risk assessment) and of the controls used by the department to mitigate those risks.  This high level summary must be supported by lower level detail i.e. departmental policies and procedures.  We would expect this summary to be from approx. pages depending upon the size and complexity of the department …….. A departmental risk assessment is the identification and analysis of the risks that could prevent the department from reaching its goals and objectives.  This identification and analysis forms the basis for determining how the risks should be managed.” Office of the State Comptroller Memorandum FY2001-28; June 29, 2001.


Furthermore, the WSU Internal Control Plan is directly aligned with our organization’s mission statement, goals and objectives. 



Mission Statement


Worcester State University, a public metropolitan institution of higher learning located in a culturally vibrant region of the Commonwealth, affirms the principles of liberal learning as the foundation for all advanced programs of study.


WSU offers programs in the traditional liberal arts and sciences disciplines, while maintaining its historical focus on teacher education. It has expanded its offerings with professional degree programs in biomedical sciences, business, and the health professions. Through its curricula, WSU addresses the intellectual and career needs of the increasingly diverse citizenry of central Massachusetts.


Worcester State University is dedicated to offering high quality, affordable undergraduate and graduate academic programs and to promoting the lifelong intellectual growth, global awareness, and career opportunities of its students.


To this end, WSU values teaching excellence rooted in scholarship and community service; cooperates with the business, social and cultural resources of Worcester County; collaborates with other institutions of higher learning in the region; and develops new programs responsive to emerging community needs.


A WSU Strategic Planning process for 2010-2014, with wide representation from the University community, succeeded in adopting action plans for strategic priorities and goals, which were presented to the Board of Trustees in January 2010 and have officially taken effect for FY 2011. See the Worcester State University Strategic Plan 2010-2014.


Appointment of Internal Control Officer


In accordance with the requirement and obligations of Chapter 647 of the Massachusetts General Laws of 1989 and in accordance with the internal control guideline established by the Massachusetts Office of the State Comptroller, the President of the University has the responsibility of appointing an Internal Control Officer. To comply with this requirement, the Associate Vice President of Administration and Finance has been appointed as the College’s Internal Control Officer, effective July 1, 2004.


Internal Controls

Internal controls consist of five interrelated components from the 1994 Committee of Sponsoring Organizations of the Treadway Commission (COSO) Report, as well as its framework for Enterprise Risk Management (ERM) which was released in 2004.  They are as follows: control environment; risk assessment; control activities; information and communication; and monitoring. 


1.      Summary of the Control Environment within Worcester State University - The control environment sets the tone of an organization, providing discipline and structure and influencing the effectiveness of internal controls. ***In Fiscal 2012, the University President web page will include a statement of the importance of good internal controls.***


Control environment factors include:


Integrity and Ethical Values – As a higher educational institution, integrity and ethical behavior are essential elements of the control environment. The Worcester State University Human Resources Employee Handbook depicts several ethics-related policies (e.g., Sexual Harassment, Conflicts of Interest, Key Employee Qualities, etc.) and provides a link to the state website.


Management Philosophy and Operating Style – As stewards of public funds and the education of our citizens, it is the responsibility of Worcester State University to ensure that we are as efficient and effective as possible within the confines of existing laws, policies and procedures. In that way, we will meet our Internal Control responsibilities, and will be promoting our primary goal of student success.


Staff Competencies and Training – WSU has formal hiring committees and processes to seek out candidates that demonstrate position and personal competencies for the required duty. Additionally, WSU ensures that employees are adequately trained: a combination of formal training offered via the State Comptroller’s Office (e.g., Introduction to State Finance MMARS Navigation, Fraud Awareness and Prevention, Risk Management, Warehouse Queries, etc.) and on-the-job training is essential to ensure that University employees are properly prepared to perform their duties.


Worcester State University, in conjunction with Central Links (QCC, MWCC, FSU & WSU) will be hosting a series of Group Intermediate Warehouse Query/ Federal Grants trainings in Fiscal 2012 geared exclusively to Higher Education.  Our goal is to improve productivity, promote cross-training, and share skills within and amongst the various state and community colleges. 


Professional development workshops are also offered to Worcester State University staff via the Faculty Development Committee and Human Resources Training Committee at the Worcester Consortium.


The Worcester State University Grant Coordinator offers professional Grant workshops to Faculty ("How to Administer a Grant at WSU") with a sharp focus on compliance.


Assigning of Authority and Responsibility - WSU authority and responsibility is assigned by the Board of Trustees to the President and the Executive Leadership Board (ELT). This authority and these responsibilities are assigned so that daily operating practices and procedures sufficiently minimize the possibility of operational failure, overspending or other actions inconsistent with policy or in violation of the law. The inclusion of a current organizational chart further illustrates the lines of authority within the major Divisions of the College.


Compliance with Section 1553 of the ARRA - WSU has posted notices regarding Whistleblowers and Knowing Your Rights under ARRA which prohibits all non-federal contractors of ARRA funds from discharging, demoting or otherwise discriminating against an employee for disclosures by the employee that the employee reasonably believes are evidence of:

·         Gross mismanagement of a contract relating to ARRA funds;

·         A gross waste of ARRA funds;

·         A substantial and specific danger to public health or safety related to the implementation or use of ARRA funds;

·         An abuse of authority related to implementation or use of ARRA funds;

·         A violation of law, rule, or regulation related to an agency contract.


WSU will post and notify subcontractors of posting notice of the rights and remedies available to employees under Section 1553 of Title XV of Division A of the ARRA.


Worcester State University shall promptly refer to an appropriate federal inspector general any credible evidence that a principal, employee, agent, subcontractor or other person has committed a false claim under the False Claims Act or has committed a criminal or civil violation of laws pertaining to fraud, conflict of interest, bribery, gratuity, or similar misconduct involving those funds.


2.      Enterprise Risk Assessment, a process managed by the Internal Control Officer and the Executive Leadership Team, is designed to identify activities affecting risk to the University, and forms a basis for determining how those risks should be managed as they relate to the strategies and mission of the College.


The Internal Control Officer and ELT meet at least annually to discuss and monitor the most relevant risks affecting the College. Collectively they decide whether to: (1) accept and monitor those risks, (2) avoid the risks by eliminating them, (3) reduce the risks by instituting controls, or (4) share the risks by partnering or entering into a strategic alliance with another higher education institution. The assessment of risk is monitored through ongoing activities and corrective actions are taken when necessary.


Additionally, a Fraud Risk Assessment shall be conducted annually to identify where fraud may occur. A fraud risk assessment should consider relevant fraud schemes and scenarios and map them to mitigating controls. Fraud risks should be included in the enterprise risk assessment conducted as part of our Internal Control Plan development. COSO’s Enterprise Risk Management–Integrated Framework describes the essential ERM components, principles, and concepts for all organizations, regardless of size. A section of the ERM dedicated to ARRA has been incorporated in FY’11 due to compliance requirements. See also Commonwealth of Massachusetts ARRA Fraud Waste and Abuse Awareness Training from KPMG, LLP, an audit/advisory firm.



The Inspector General has issued an updated guide on developing fraud prevention policies and programs - Select Toolkit for Departments to Combat Fraud.

See also: Knowing Your Risks - A Fraud Risks Brainstorming Workshop from KPMG, LLP, an audit/advisory firm.



3.      Control Activities are the means by which risks, policies, and procedures are established by the Institution and shared with members of the organization. Policies are adopted in order to control the various risks identified in the University departments’ risk assessment review and in some cases to be in conformance with various laws, rules and regulations.


The University’s departments have developed procedures to ensure that the policies of the University are followed. The internal controls will combine both preventative and detective controls to mitigate risks. Preventive controls can be time consuming and costly, and should be cost beneficial. Detective controls will identify when a problem occurs. Policies can be viewed currently either via the University’s Teamsites or WIKI site (a transition is currently taking place moving policies to the Teamsites location), while access to procedures will be assigned according to appropriate departmental security.  Departments are strongly encouraged throughout the Risk Assessment process to update policies and procedures at least annually and/or when significant changes take place. 


The following is a list of some, but not all of the preventive control activities that take place at Worcester State University.


Approvals & Authorizations 


·         Transactions in MMARS are approved by a department budget manager, who is an authorized signatory approved by the College Budget Manager. Transactions $20,000 and over must be approved by Vice-President of Finance and Administration. All purchase orders and blanket orders are approved by the Director of Procurement. Occasional reimbursement may be paid by non-purchase order (e.g., utilities) by the department budget manager or additionally by the Vice-President of Fiscal Affairs if the amount is $20,000 and over.


      ****Plans are underway to tighten up the Procurement and Accounts Payable approval process for MMARS and non-MMARS expenditures within the Colleague system. Electronic approvals for Direct PO's, Blanket Orders, and when encumbrances increase $20,000 and over, will tighten up any loopholes and will therefore strengthen internal controls.****


·         In order to obtain access to Colleague (the WSU Financial System), an individual must fill out and sign a request form for access and have the department head sign as well as the Vice President of Fiscal Affairs.



Procurement /Accounts Payable


·         Pursuant to Section 1606 of the ARRA, related to the Davis-Bacon Act of 1931, both Worcester State College and its subcontractors shall fully comply with the provision of ARRA that all laborers and mechanics employed by contractors and sub-contractors on projects funded by ARRA shall be paid wages at rates not less than those prevailing on projects of a character similar in the locality, as determined by the United States Secretary of Labor in accordance with subchapter IV of Chapter 31 of Title 40 of the United States Code. Prevailing wages applicable in the State of Massachusetts are located at: or at


·         Pursuant to Section 1605 of the ARRA, the “Buy American Act”, neither Worcester State University nor its subcontractors will use ARRA funds for a project for the construction, alteration, maintenance, or repair of a public building or public work unless all of the iron, steel and manufactured goods used in the project are produced in the United States in a manner consistent with United States obligations under international agreements, unless waived by the applicable federal agency as set out in ARRA.


Segregation of Duties


·         Segregation of Duties defines authority and responsibility over the activity and use of College resources. The fundamental premise of segregation is that an individual should not be in a position to initiate, approve, undertake, and review the same action. These are called incompatible duties when performed by the same individual.  In cases where segregation may not be possible due to limited staffing, additional management oversight or other alternative management procedures (additional sign-offs) may be necessary.

·         All invoices must be approved by either the Department Head, Budget Manager or senior management in Administration & Finance, such as the Grants Manager or Vice-President of Administration & Finance.

·         Capital transactions (encumbrance $20K and over) must be reviewed by at least two layers of approval authorizations, including the Vice-President of Administration & Finance.

·         Separating the functions of authorizing, awarding, and disbursing Federally Funded Student Financial Aid (FSA) is required for participation in Federally Funded Student Financial Aid programs.



Segregation of Duties/Verifications


·         WSU’s Security Officer (DSO) and Backup DSO verify that current employees have only one active User Access Identification (UAID) in the Massachusetts Management Accounting and Reporting System (MMARS), and that terminated employees are inactivated as soon as notified.

·         Department Heads - Annual Security Review & Approval - The DSO annually reviews and verifies employee access to MMARS in the Commonwealth Information Warehouse (CIW), Human Resource Compensation Management System (HRCMS) and In Tempo as dictated by the Massachusetts Office of the Comptroller’s Security Administration. WSU’s Department Head (the University president) submits the Department Head Annual Approval of Statewide Enterprise Systems Security Form either as an email from their account or as a hard copy with the Department Head's signature by June 30th. *This document will also be updated with the new University President's signature within 30 days of appointment (July 2012).


·    The Office of the Comptroller also requires that a Department Head MMARS Security Certification be on file for the department. Designation of key contacts is a distinct activity, different from the annual certification of enterprise systems security access. The Department Head, not a designee, must sign this certification. When the Department Head changes, the new Department Head must update this form and list any changes to key contacts for the department. *This document will also be updated with the new University President's signature within 30 days of appointment (July 2012).


The following is a list of some, but not all of the relevant changes.  Also included are other important topics discussed in the Annual Department Security Officer Briefing:


·         Updated to reflect current practices (UDOC/UDOCPR) and removes references to outdated Security Request Form (departmental internal use only!)

·         Clearly defines responsibility of each control agency, Department Head, and DSO

·         Outlines process for annual review by Department Head and DSO

·         Provides high level guidance on selecting roles for MMARS, HR/CMS, and CIW

·         Access to Security Reports can be granted to Dept. Heads, CFOs and Primary DSO (Granting access to SEC reports is DSO responsibility)


·         Further defines Dept. Head Responsibilities – Approves CHANGES TO Department Head Signature Authorization (DHSA), tracked in MMARS


·         Quality Assurance Bureau – Importance of Internal Controls:


o   Should reflect security

o   Must be updated annually or as needed

o   Never share UAIDS and passwords

o   Use hard to guess passwords

o   Segregation of duties – (Ex. Can an employee encumber and make payments)

o   DHSA


·         Training – Risk Management and Fraud Awareness and Prevention – The WSU Internal Control Officer continues to “encourage” (semi-mandated) all Administration & Finance and other areas of the University to attend this important training.  Several employees are slated to attend over the next couple of months.  Staff meetings have also included discussion and training utilizing the KPMG presentations, “Knowing Your Risks – A Fraud Risks Brainstorming Workshop” and “Commonwealth of Massachusetts ARRA Fraud Waste and Abuse Awareness Training”.


·         Executive Order 504 Legal Refresher – All agencies must:


o   Develop a written “Information Security Program” (ISP), including an “Electronic Security Plan” (ESP)

o   Manage vendors/contractors – Verify all vendors/contractors have acceptable security controls to prevent data breaches (Follow ITD standards for verifying competence and integrity of contractors and subcontractors)

o   Incorporate required certifications into contracts

o   Have University President certify all programs, plans, self-audits, and reports

o   Appoint an Information “Security” Officer (ISO) who reports directly to Agency head (or dual reporting relationship)

o   Coordinates Agency’s compliance with several rules/regulations (privacy and security) re. security, confidentiality, and integrity of personal information and personal data.

o   ISP/ESP/ - Develop and implement written information security programs that include all personal information (not restricted to electronic information)

o   Electronic personal data must be addressed in a subset of the Information Security Program (ISP) called an “electronic security plan” (ESP)

o   Submit certified agency ISP and ESP to ITD

o   Self audit ISPs and ESPs annually

o   Have all employees attend mandatory information security training – simply writing a policy with employee sign-off does not meet this mandate.  Training must be interactive for ALL employees.

o   Fully cooperate with ITD to fulfill ITD responsibilities


ITD, with the approval of the Executive Office of Administration & Finance will determine remedial action for agencies in violation and will impose terms and conditions on agency IT funding. ***Worcester State University is currently working towards compliance: IT personnel attending training in May 2011; discussion amongst CIO groups; ELT - upper level management notified of affiliated mandate; etc.***                          


The following is a list of some, but not all of the detective control activities that take place at Worcester State University.


Accounts Receivable


The Accounts Receivable sub-ledger is reconciled to the corresponding balances in the General Ledger.


Bank Accounts


A monthly reconciliation is maintained between WSU’s financial records and bank accounts. The operating account is reconciled after the 5th of the month when WSU uploads the reconciled check list from Sovereign. The reconciliation is complete within 10 days after the upload. The reconciliation of the Long and Short Term investments is performed prior to the close of the fiscal year. Reconciliations are reviewed, dated and approved by the Manager of Financial Accounts with the approval being the reconciliation document.




Reconciliation is done between the various balances and the MMARS cumulative balances in Colleague, WSU’s financial system. This includes all salaries and payroll deductions. Documentation confirming these reconciliations and all salary adjustment approvals is maintained in WSU financial files.




The Director of Procurement administers centralized purchasing control for all areas of the College. The Director coordinates procurement, delivery, and receiving on campus. In order to effectively accomplish these goals, the Director adheres to Commonwealth of Massachusetts’ procurement regulations, including competitive bidding, monitoring of contracts, and inclusion of minority and women owned businesses. Adherence to the rules and regulations of Chapter 149 and 30, section 39M are mandated for vertical or horizontal construction.




The Registrar, in conjunction with the Director of Budget, Planning, and Policy Development, is currently refining a policy (procedures/process currently exist) that adequately addresses the fiscal 2010 Single Audit report qualification for reporting student status changes. The policy will effectively address not only the frequency and timing, but also the verification and monitoring of reporting enrollment status to the NSLDS via the NSC.




Data is generally provided to WSU’s financial records from multiple external sources which may include Human Resources/Payroll, Student Information and Cash Receipts Systems. The College requires periodic (monthly) reconciliation of these systems to balances maintained in the financial records of the college.


Security of Assets


WSU Senior Managers are responsible for the physical control of assets, capital or non-capital tangible items which meet the Inventory Control threshold of $1,000 or more and/or Professional Development materials with no dollar amount.


Safeguards have been implemented, such as a system of barcodes for all physical assets which are tracked and reconciled on the Colleague Data System, which assists management in understanding the assets managed by WSU and for aiding in future capital planning activities. [1] (See - Select Administration and Finance, and then select Facilities – Asset Management.)


Security of Institutional Technology


Data and information are backed up and stored as part of disaster recovery planning, which ensures that College-wide and local information can be restored in the event of a building, system or infrastructure failure. Measures are taken to ensure our locations are kept secure and environmentally safe, preventing losses due to theft or physical catastrophe. Additionally, security procedures limiting user access to system software, password confidentiality, periodic password changes, selected system access and updating virus protection have been implemented and are constantly updated.


Segregation of Funds


Pursuant to ARRA, Pub. L. 111-5, WSU shall segregate obligations and expenditures of Recovery Act Funds from other funding in WSU Financial/Accounting Reporting System, Colleague. No part of funds made available under ARRA will be used for a purpose other than that of making payments for costs allowable under ARRA. (Pages/Home.aspx – Select Administration and Finance, then select ARRA Policy from site.)


Pursuant to the Federal Student Aid  Handbook (Processing Aid & Managing Federal Student Aid Funds – Fiscal Management: Activity 2, Maintaining & Accounting for Funds, 668.163), WSU maintains General Ledger source accounts that identify each Title IV, HEA program transactions from all other institutional financial activity.



4.      Information and Communication is the means by which risks, policies and procedures are shared with members of the College. Information systems produce reports containing operational, financial and compliance related information that make it possible to run and control the College.


The following is a list of some, but not all of the reports and other information that are used to maintain operational controls.


        Management Reports


·         Operating Reports – personnel, inventory, revenue and billing (e.g. open jobs).

·         Student reports on tuition, fee, financial aid, Mass PIRG.

·         Exception reporting and/or incident reporting.

·         A comprehensive monitoring plan that pulls together all related action items from the strategic plan: The monitoring plan will include metrics for assessment against goals and historical trends and data for forecasting and projection; areas of reporting and accountability will be clearly defined.


       Financial Reports


       Financial reporting consists of methods and records established to identify, capture, and exchange information in a form and time frame that enables the staff to carry out their responsibilities effectively, and to maintain accountability for the related assets and liabilities. Colleague, the College’s financial reporting system, produces reports containing operational, financial and compliance related information that supports the Internal Controls of Worcester State University.


·         Transaction Reports including General Ledger Detail

·         Year-to-Date summaries and variance to budgets

·         Projects Accounting Reports

·         Budget and Forecast Reports

·         Maintain current registration in the ANF-Federal Stimulus Platform database to collect data to report to the government no later than ten calendar days after the end of each calendar quarter on ARRA funded contracts and grants.



       Other Information


·         An employee handbook which includes personnel policies, employee responsibilities, ethics and possible disciplinary action to take when standards are violated.

·         Blackboard – a primary data center providing emergency communications to the campus

·         Annual Financial Report

·         Vendor Reports

·         Payroll Reports

·         PBX under maintenance contract with six hour response time; exploring short-term recovery options (i.e., cell phones), long-term options (VoIP); emergency communication plan implemented.

·         Effective July 15, 2010, the College has evaluated and addressed emergency protocol to ensure continuity of functions in the event of emergency or disaster. Cross references will be made to the college's emergency management plan. Staffing and system access from remote locations will be evaluated and plans will be put in place to address basic business functions with depth of staff. Policies and procedures will be documented and posted for reference by the college community.

       Effective communication must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system and have a means of communicating significant information upstream. There also needs to be effective communication with external parties such as students, suppliers, regulators and the public.


The following is a list of some, but not all of the communication vehicles within the organization:


Downward in the Organization


·         Annual Meetings

·         Board of Trustees meetings

·         Policies Distributions (with signatures required)

·         Staff Meetings – including Fraud Prevention Training

·         Performance Review Process


Across the Organization


·         Internal Website containing policies and procedures and other information to assist staff.

·         Broad email announcements are used for communications.

·         Human Resources Informational Meetings

·         FACSTAFF


Upward in the Organization


·         Management Team Meeting

·         Recognition and award luncheons

·         College President’s Opening Day Meeting




5.       In monitoring the effectiveness of internal controls, the Internal Control Officer in conjunction with the Executive Leadership Team, plays a critical role in overseeing an enterprise-wide approach to risk management.


Once a year, the internal control plan is reviewed and a determination made as to the areas to amend. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Follow up procedures are then established to control deficiencies and make sure controls are working as intended.


The College’s internal financial control systems and procedures are tested and reviewed annually by an independent auditing/public accounting firm as part of its annual independent financial audit in accordance with Generally Accepted Auditing Standards (GAAS).


Roles and Responsibilities of Management

The Internal Control Officer as assigned by the College President is ultimately responsible for the oversight and coordination of the written documentation of internal controls to achieve the objectives of effective and efficient operations, reliable financial reporting, and compliance with laws and regulations. ELT is the vehicle by which management applies the internal control standards to meet each of the internal control objectives and to assess internal control effectiveness through policies and procedures; security access audited monthly; implemented application logout; staged secondary Colleague server for restoration; definition of critical user group.


Roles and Responsibilities of Other Personnel


Internal control is, to some degree, the responsibility of every employee in this organization and, therefore, should be an explicit or implicit part of established job descriptions. In addition, all personnel are responsible for communicating to upper management material problems in operations; noncompliance with the WSU Fraud Policy and WSU Misconduct in Science Policy; other College policy violations and/or illegal actions.







Links – United States Office of Management and Budget

·         Circular A-21 – relocated to 2 CFR Part 215 and 220 in the Federal Register

·         Circular A-87 – relocated to 2 CFR Part 225 in the Federal Register

·         Circular A-122 – relocated to 2 CFR Part 230 in the Federal Register

·         Circular A-133

-- March 2009 Compliance Supplement
March 2008 Compliance Supplement
March 2007 Compliance Supplement
Appendix A: Data Collection Form (Form SF-SAC)

·         American Recovery and Reinvestment Act of 2009

Links – Commonwealth of Massachusetts – Office of the Comptroller

·         Comptroller of the Commonwealth - Reinvestment and Recovery (ARRA) Guidance

·         The Conflict of Interest Law governed by M.G.L. c.268A.

[1] Refer to WSC Policy, “Asset Management-Inventory Control Procedures”.

Last modified at 4/25/2011 3:11 PM  by Polakowski, Renee