Vulnerability Assessments

The SUNY Geneseo Internal Control Program operates on a three-year planning cycle and incorporates the following processes:


Segmentation is the process of identifying the program and administrative functions necessary for the College to carry out its mission. Functions identified through this process are called “assessable units” and provide the framework for the implementation of the College’s Internal Control Program.

Vulnerability Assessment Surveys

Through the use of vulnerability assessment surveys, the College monitors and evaluates its susceptibility to conscious or unintended abuses and reduced operational efficiencies.

Completed surveys are evaluated and a rating of low, moderately low, moderate, moderately high, or high risk is assigned to each assessable unit. These ratings are considered when scheduling internal control reviews.

Internal Control Reviews

An internal control review analyzes procedures and polices to ensure they are functioning as intended and that they assist the units in meeting its objectives and goals. Examples of procedures and policies which may be reviewed include planning activities, program evaluations, the budget cycle, personnel transactions, information systems, cash activities, contract management, and capital programs.


The final component in the internal control process is follow-up. This step is performed to verify that the recommended actions have been properly implemented and that the unit continues to function as intended.