SUNY Optometry’s Internal Control and Enterprise Risk Management Program is based upon existing internal controls which are a part of our everyday operations. SUNY Optometry’s Internal Control and Enterprise Risk Management Program provides us with a formal mechanism to help identify existing controls and evaluate their effectiveness.

There are 5 specific objectives of SUNY Optometry’s Internal Control and Enterprise Risk Management Program. The acronym CARES stands for these objectives, as described below:

  1. Compliance with applicable laws and policies
  2. Accomplishment of the campus mission
  3. Relevant and reliable data
  4. Economical and efficient use of resources
  5. Safeguard assets

Internal Control Foundations

The foundations of SUNY Optometry’s internal control systems are the various policies and procedures applicable to its daily operations. Below is a sample of basic foundations that affect all employees of SUNY Optometry:

  • Personnel Handbook
  • SUNY Procedures Manual
  • Public Officers Law
  • Campus Purchasing Procedures
  • Time and Attendance Policy
  • Policy Handbook
  • Hiring Practices


The first step in the Internal Control Process is to segment the organization. Segmentation is the process of identifying the program and administrative functions necessary for the campus to carry out its mission. Functions identified through this process are called “assessable units” and provide the framework for the Internal Control and Enterprise Risk Management Program.

Risk Assessment

After the campus is segmented into assessable units, each unit’s risk is assessed. This process may be done through a self-assessment survey or a one-on-one discussion with the unit manager and the Internal Control Officer. By means of this evaluation, the campus evaluates its susceptibility to conscious or unintended abuses and reduced operational efficiencies. Some of the factors examined in the risk assessment are: inherent risk of the unit, management’s attitude toward internal controls, physical location, frequency of review and the rate of personnel turnover.

Upon completing a risk assessment, a rating of low, average or high risk is assigned to the assessable unit. These ratings are considered when scheduling internal control reviews.

Internal Control Review

The internal control review analyzes procedures and policies to ensure they are functioning as intended and that they assist the unit in meeting its goals and objectives. Examples of procedures and policies that may be reviewed include planning activities, program evaluations, the budget cycle, personnel transactions, information systems, cash activities, contract management and capital programs.

Upon completion of the internal control review, recommendations may be made. The recommendations may require adding, deleting or changing internal controls or procedures for the unit. If recommendations are made, a timetable for implementation is agreed upon.


The final component in the internal control process is follow-up. This step is performed to verify that the recommended actions have been properly implemented and that the unit continues to function as intended.