Introduction
Overview
Uniform Compliance Guidelines
The head of each agency must establish, implement, and maintain an effective system of internal control in accordance with state policy and financial management circulars. To provide additional guidance for state agencies, the State Examiner compiled internal control standards in this publication: Uniform Compliance Guidelines on Internal Controls for State and Quasi Agencies. Based on standards advocated by leading authorities in the field of internal control, these standards are considered uniform compliance guidelines of the State Board of Accounts. The internal control process will be evaluated accordingly in any audits of State and Quasi agencies that are performed by or on behalf of the SBOA.
Five Components of Internal Control
The five components of internal control are recognized as basic to any internal control system:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides a framework that includes fundamental characteristics of these five components and three categories of generalized objectives. The U.S. Government Accountability Office has adapted these components and principles for the Federal government through its Standards for Internal Control in the Federal Government, otherwise known as the "Green Book." Accordingly, this SBOA publication is organized based on these conceptual frameworks.
Because state and quasi agencies vary in size and complexity, no single method or set of internal control policies and procedures universally applies. While this manual provides minimum requirements, other publications may be beneficial for tailoring controls to an agency's specific needs. We highly recommend using the "Green Book" as a companion guide: www.gao.gov/greenbook.
To keep informed about developments in the field of internal control, consult other professional literature, visit relevant web sites, join professional accountability organizations, and attend training programs on internal control.
Definition of Internal Control
By necessity, the definition of internal control is broad, serving as a conceptual process applied to a wide range of situations and environments. The purpose of the internal control process is to provide reasonable assurance that the mission and objectives of the state will be achieved. Namely, internal control –
- reduces risk associated with fraud and safeguards resources from loss due to waste, abuse, mismanagement, or errors.
- provides a check and balance system over operations, promoting operational effectiveness and efficiency.
- produces reliable financial and management data.
- ensures accuracy and timeliness in reporting.
- promotes compliance with laws.
SBOA defines internal control as follows:
Internal control is a process executed by officials and employees designed to provide reasonable assurance that objectives will be achieved.
- It is a basic element fundamental to the state, rather than a list of added on tasks.
- It is an adaptable process that is a means to an end, not an end in itself.
- It is focused on the achievement of objectives.
- It is dependent on officials and employees for effective implementation.
Each of the five components of internal control must be present and functioning to form a complete internal control process. If any of the five components is missing, true internal control is not achieved. Additionally, each component encompasses several underlying principles. To have a complete component, the principles associated with each component must be present.
The internal control process is based on well‐established and widely recognized fundamental principles that operate as an integrated whole but are best understood when analyzed individually.
Cost Benefit of Internal Controls
Because internal controls are a means to an end, they must help, rather than prevent or delay, an agency in reaching its objectives. Before designing and implementing internal controls, managers should consider the following:
- Internal controls must benefit, rather than hinder, the agency.
- Internal controls must make sense within each agency's unique operating environment.
- Internal controls must be cost effective.
Why It Matters
There are many benefits of a well-defined, relevant internal control process. Overall, internal controls provide a process to help each agency fulfill its objectives and enhance accountability, transparency, efficiency, and effectiveness, all of which contribute to good government service.
- Accountability. An effective internal control system provides reasonable assurance that agencies will achieve objectives. Such objectives include, but are not limited to, utilizing public resources in compliance with laws, regulations, and budgetary limitations. An internal control system also provides reasonable assurance that financial reports are accurate, and it limits the opportunity for theft or unauthorized use of assets, including cash, inventory, and capital assets.
- Efficiency and Effectiveness. Internal control procedures encourage wise use of government time and resources through the establishment of baselines and other measurable goals. Measurable goals and objectives allow agencies to gauge success in the performance of missions and objectives and adjust when necessary. Internal control processes deliver the highest value and best outcome in the completion of operational, reporting, and compliance responsibilities.
- Sound Management Practices. Each agency exists to accomplish its mission and related objectives. Management works with leadership to design internal controls to reasonably ensure success. Internal control processes coordinate policies and procedures to safeguard assets, check the accuracy and reliability of data, promote operational efficiency, and encourage adherence to prescribed managerial policies. Management must develop, implement, monitor, and update an effective plan of internal controls. The plan developed will depend, in part, on management's estimation and judgment of the benefits and related costs of control procedures, as well as available resources.
Where to Start
Part Two of this manual follows the five components of internal control with recommendations and tools to evaluate and develop internal controls. Within each section is an overview of the component, why it matters, where to start, and recommended steps.
What are the key risks for my agency? The first step involves identifying, analyzing, and prioritizing risk through agency risk assessments. The Risk Assessment chapter contains recommendations and optional tools for evaluating and developing the agency risk assessment process.
What controls do we have now? The agency may have controls already in place to address key risks. Management evaluates current controls, starting with key risks and audit findings. Each chapter contains recommendations and optional tools for evaluating each component based on best practices.
Which controls need development or improvement? After prioritizing key risks and evaluating each component, management determines which controls should be developed or improved. Each chapter includes recommendations and an optional tool for the development of key internal controls for each component.
Who facilitates risk management activities? Each agency shall assign a person to the role of internal control officer as the single point of contact to facilitate and support risk management activities, including the agency risk assessment, internal control evaluation and development. The internal control officer must have the cooperation and commitment of agency leadership (agency/department/division heads) to be successful.
Documentation of the Internal Control Plan
An internal control plan is a high‐level agency‐wide summarization of the agency's risks and the controls designed to mitigate those risks. At a minimum, the internal control plan will address the five components of internal control for key objectives. Larger agencies may wish to develop an internal control plan for each major service area or department.
Documentation is a necessary part of effective internal control. Agency policies and procedures support the internal control plan by relating internal control procedures to the missions and objectives of the agency; solidifying expectations; and providing an effective way to communicate the process. For audit purposes, evidence must be maintained to show the performance of internal control procedures.
As a best practice, SBOA recommends the minimum documentation requirements found in the "Green Book." These Standards include minimum documentation requirements as follows:
- Management develops and maintains documentation of its internal control system.
- If management determines that a key internal control principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.
- Management documents in policies the internal control responsibilities of the agency.
- Management evaluates its operations and risks and documents its assessment of vulnerabilities.
- Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues.
- Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis.
- Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis.
Part One: The Internal Control Guidelines
Overview
A strong internal control system is essential to an agency's success, which makes it relevant to everyone in the agency. Design and implementation take time, effort, and resources, in conjunction with a foundational knowledge of internal control components and principles.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides a framework that includes fundamental characteristics of these five components and three categories of generalized objectives. The U.S. Government Accountability Office adapted these components and principles for the Federal government through its Standards for Internal Control in the Federal Government, otherwise known as the "Green Book." The State Board of Accounts Uniform Compliance Guidelines on Internal Controls for State and Quasi Agencies is organized based on these conceptual frameworks.
The five components of internal control must be successfully designed, implemented, and functioning for an effective internal control system. Seventeen principles accompany the five components, representing the fundamental concepts associated with each component. Together, the five components and seventeen principles make up an effective internal control system.
Points of focus support each principle, expressing important characteristics associated with the principles. While the components and principles are considered criteria for an effective internal control system, points of focus serve as guidance to assist management in designing, implementing, and assessing internal control. Management has latitude to determine suitability of the points of focus.
A system of internal control may be implemented in many ways. Because state and quasi agencies vary in purpose, size and complexity, no single method of internal control universally applies. However, the five internal control components and seventeen principles must be present and functioning, operating in an integrated manner. Some components may have principles implemented entity-wide, which impact the internal control system for all objectives, while other components may be specific to a given objective.
Description of Internal Control Guidelines
The internal control guidelines consist of the following five components:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Three categories of objectives focus on separate aspects of internal control.
- Operations – pertaining to effectiveness and efficiency of agency operations, including operational and financial performance goals, and safeguarding assets against loss.
- Reporting – relating to internal and external financial and non-financial reporting, encompassing reliability, timeliness, transparency, or other terms as set forth by regulators, standard setters, or agency policies.
- Compliance – dealing with adherence to laws and regulations.
Internal Control - Integrated Framework, ©2013 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved.
Five Components of Internal Control:
Control Environment
The control environment is the foundation for all other components of internal control and comprises the integrity and ethical values of the agency established by leadership. The standards, processes, and structures which form the control environment pervasively impact the overall system of internal control. Leadership conveys expectations and overall tone, which are reinforced by management throughout the agency and its departments. The control environment also contains the overall accountability structure for all employees through performance and reward measures. Within this structure, management demonstrates commitment by having a process for attracting, developing, and retaining competent individuals. This component is static in that its underpinnings do not generally change with a given objective.
Principles one through five must be implemented and effectively working together to achieve the control environment component. Five of the seventeen principles of internal control pertain to the control environment.
Principle One: The agency demonstrates a commitment to integrity and ethical values.
Points of Focus
- Sets the tone at the top. Management demonstrates, through policies, actions, and behaviors, the importance of integrity and ethical values to support the functioning of the internal control system.
- Establishes standards of conduct. The key elements of integrity and ethical values pervade defined standards of conduct and expectations understood at all levels by employees, contractors, and stakeholders. While it is management's responsibility to establish and communicate the values of the organization, it is everyone's responsibility to demonstrate integrity. In an organizational context, ethical values are the standards of behavior that form the framework for employee conduct, guiding employees in decision making.
- Evaluates adherence to standards of conduct. Processes exist to evaluate the performance of individuals and teams against expected standards of conduct.
- Addresses deviations in a timely manner. Deviations from expected standards of conduct are identified and remedied in a timely and consistent manner.
Principle Two: Agency leadership oversees the internal control system.
Points of Focus
- Establishes oversight responsibilities. Leadership identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
- Applies relevant expertise. Leadership defines, maintains, and periodically evaluates the skills and expertise of its members.
- Operates independently. Leadership works independently and objectively.
- Provides oversight for the internal control system. Leadership oversees management's design, implementation, and operation of the internal control system.
Principle Three: Management establishes an organizational structure, assigns responsibility, and delegates authority to achieve agency objectives.
Points of Focus
- Considers all structures of the entity. Structure supplies the framework to carry out the agency's plans. Management considers multiple structures to support the achievement of objectives, such as operational units and support.
- Establishes reporting lines. Reporting lines establish the authorities, responsibilities, and communication paths that guide management activities. Organizing authority and accountability relationships among various functions provides reasonable assurance that work activities are aligned with agency objectives. Responsibilities can generally be viewed as falling within three lines of defense against the failure to achieve agency objectives:
  - Management and other agency personnel provide the first line of defense in their day-to-day activities, maintaining effective internal control over those activities.
  - Support functions provide the second line of defense, typically ensuring the proper functioning of internal controls through the services they provide.
  - Internal auditors, external auditors, and other independent parties provide the third line of defense by assessing and reporting on internal controls and recommending corrective actions or enhancements for management's consideration and implementation.
- Defines, assigns, and limits authorities and responsibilities. Management delegates authority, defines responsibilities, and uses appropriate processes and technology to segregate duties as necessary to various levels within the agency.
Principle Four: Management demonstrates a commitment to attract, develop, and retain competent individuals.
Points of Focus
- Establishes policies and practices. Policies and practices reflect expectations of competence necessary to support the achievement of objectives.
- Evaluates competence and addresses shortcomings. Management evaluates competence across the agency and in outsourced service providers in relation to policies and practices, acting as necessary to address shortcomings.
- Attracts, develops, and retains individuals. The agency provides the mentoring and training needed to attract, develop, and retain sufficient and competent staff to support the achievement of objectives.
- Plans and prepares for succession. Management develops contingency plans for assignment of responsibility important for internal control.
Principle Five: Management evaluates performance and holds individuals accountable for their internal control responsibilities.
Points of Focus
- Enforces accountability through structures, authorities, and responsibilities. Management establishes mechanisms to communicate and hold individuals responsible for performance of internal control processes, implementing corrective action as necessary.
- Establishes performance measures, incentives, and rewards. Management determines performance measures to evaluate achievement, providing incentives and rewards to drive performance.
- Evaluates performance measures, incentives, and rewards for ongoing relevance. Management aligns incentives and rewards with agency standards of conduct.
- Considers excessive pressures. Management evaluates and adjusts pressures associated with achievement of objectives as management assigns responsibilities, develops performance measures, and evaluates performance. Because goals and targets create pressure on staff, management may rebalance workloads or increase resources to reduce risk to the achievement of objectives.
- Evaluates performance and rewards or disciplines individuals. Standards of conduct and expected levels of performance are evaluated, considering rewards or disciplinary action as appropriate.
Risk Assessment
Risk is the possibility that an event will occur and adversely affect the achievement of objectives. Each agency faces a variety of risks from external and internal sources. Having established an effective control environment, management assesses risk and sets risk tolerance levels through established procedures. Each risk is evaluated in terms of its impact and likelihood of occurrence. Overall, risk assessment provides a basis for how risk will be managed.
Principles six through nine must be implemented and effectively working together to achieve the risk assessment internal control component.
Principle Six: Management defines objectives clearly to enable the identification of risks and defines risk tolerances.
Points of Focus
Operations
- Reflects management choices. Objectives center around management's judgment, based on the nature of the services provided, stakeholder expectations, and other factors – each supported by specific criteria and measurement focus.
- Considers tolerance for risk. Management considers acceptable levels of variation in reaching objectives.
- Includes operations and financial performance goals. Within goals related to operations, management typically includes both desired levels of service delivery and corresponding financial measures.
- Forms a basis for committing resources. Management uses operations objectives to define the level of resources needed to attain desired outcomes.
External Financial Reporting Objectives
- Complies with applicable accounting standards. The agency includes objectives that are applicable to its circumstances.
- Considers materiality. Management judges materiality based on qualitative and quantitative aspects, the needs of financial report users, and the size or nature of a misstatement.
- Reflects agency activities. External reporting reflects applicable agency transactions and events to show qualitative characteristics.
External Non-Financial Reporting Objectives
- Complies with externally established standards and frameworks. Management establishes objectives consistent with laws or regulations, industry practice, or other recognized measurement tools.
- Considers the required level of precision. Management considers the level of precision or accuracy suitable for user needs based on established criteria.
- Reflects agency activities. Management determines objectives based on the underlying transactions and events with a range of acceptable limits.
Internal Reporting Objectives
- Reflects management's choices. Internal reporting provides, at management's discretion, accurate and complete information needed to sufficiently operate the agency.
- Considers the required level of precision. Management considers the level of precision or accuracy suitable for agency needs.
- Reflects agency activities. Management determines objectives based on the underlying transactions and events with a range of acceptable limits.
Compliance Objectives
- Reflects external laws and regulations. Laws, regulations, federal funding rules, and other authoritative guidance establish minimal standards of conduct the agency should integrate into compliance objectives.
- Considers tolerance for risk. Management considers the acceptable levels of variation relative to the achievement of compliance objectives.
Principle Seven: Management identifies, analyzes, and responds to risks related to achieving the defined objectives.
Points of Focus
- Includes agency-wide and subsidiary levels. The agency identifies and assesses risk at the agency and major service or program levels.
- Analyzes internal and external factors. Internal factors considered may include the complex nature of the programs, organizational structure, or new technology uses. External factors may include new or amended laws or economic instability.
- Involves appropriate levels of management. Management puts into place effective mechanisms to identify, assess, and respond to risk, involving appropriate personnel throughout the agency.
- Estimates significance of risks identified. Analysis of impact and likelihood helps management prioritize identified risks.
- Determines how to respond to risks. The risk assessment considers how the risk should be managed and whether to accept, avoid, reduce, or share the risk.
Principle Eight: Management considers the potential for fraud when identifying, analyzing, and responding to risks.
Points of Focus
- Considers types of fraud. The assessment considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways fraud and misconduct can occur.
- Assesses incentives and pressures. Management considers employee motives to commit fraud.
- Assesses opportunities. Assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of agency records, or committing other inappropriate acts.
- Assesses attitudes and rationalizations. The assessment considers how management and other personnel might engage in or justify inappropriate actions.
Principle Nine: Management identifies, analyzes, and responds to significant changes that could impact the internal control system.
Points of Focus
- Assesses changes in the external environment. Risk identification considers changes in the regulatory, economic, and physical environment in which the agency operates.
- Assesses changes in the business model. The agency considers if new business lines impact the nature of services the agency provides, changes in stakeholder expectations, and/or technology advancements that impact future operations.
- Assesses changes in leadership. The agency considers if changes in management or respective attitudes and philosophies impact the system of internal control.
Control Activities
Control activities are the actions and tools established through policies and procedures that help to detect, prevent, or reduce the identified risks that interfere with the achievement of objectives. Detection activities are designed to identify unfavorable events in a timely manner whereas prevention activities are designed to deter the occurrence of an unfavorable event. Examples of these activities include reconciliations, authorizations, approval processes, performance reviews, and verification processes. An integral part of the control activity component is segregation of duties.
Principles ten through twelve must be implemented and effectively working together to achieve the control activities internal control component.
Principle Ten: Management designs control activities to achieve objectives and respond to risks.
Points of Focus
- Integrates with risk assessment. Control activities align with the risk assessment so that the risk response functions in an appropriate and timely manner. The selection of control activities reflects management's decisions about how to reduce risk.
- Considers agency-specific factors. Management considers the business environment, complexity, scope of operations, and other characteristics which affect the selection and development of control activities.
- Determines relevant business processes and transaction level controls. Management considers all aspects of operations, including information technology (IT) and third-party service providers when determining the need for control activities.
- Evaluates a mix of control activity types. Management considers a range and variety of manual and automated controls, and of preventive and detective controls. Examples of control activities include:
  - Authorizations and approvals to confirm validity of actions.
  - Verifications comparing two or more items with each other or against a policy for consistency.
  - Physical controls to safeguard assets or information, such as locked storage areas.
  - Controls over standing data used to process transactions, such as an approved vendor list.
  - Reconciliations comparing two or more items to identify differences.
  - Supervisory controls applicable in the circumstances.
- Considers whether the proper level of control activities is applied. To maximize the mitigation of risk, management ensures personnel at various levels perform control activities. Examples include analytical reviews to identify reasons when actual performance deviates from expected performance.
- Addresses segregation of duties. Management divides or segregates duties among different people to reduce the risk of error or fraudulent action. For instance, different persons perform the responsibilities of asset custody, recording transactions related to those assets, approving transactions, and reconciling results, so that no single person can both commit and conceal an irregularity. If segregation is not practical, management develops compensating controls to mitigate the risk to an acceptable level.
Principle Eleven: Management designs the information system and related control activities to achieve objectives and respond to risks.
Points of Focus
- Determines dependency between the use of technology in business processes and technology general controls. Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls.
- Establishes relevant technology infrastructure control activities. Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
- Establishes relevant security management process control activities. Management selects and develops control activities designed and implemented to restrict technology access rights to authorized users commensurate with job responsibilities and to protect the assets from external threats.
- Establishes relevant technology acquisition, development, and maintenance process control activities. Management selects and develops control activities over the acquisition, development, and maintenance of technology and its infrastructure to achieve objectives.
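The segregation-of-duties point under Principle Ten and the access-rights point under Principle Eleven both reduce, in practice, to reviewing who holds which duties in the agency's systems. The following Python script is an added example, not part of the SBOA guidelines and not taken from any agency system: it reads a constructed entitlement export (user, assigned job role, duty held), flags users who hold a conflicting pair of duties (custody, recording, approval, reconciliation), distinguishes conflicts that are covered by a documented compensating control from those that remain open, and separately reports duties that fall outside the baseline for the user's assigned role. The role names, duty names, conflict pairs, role baseline, and compensating-control register are all assumptions made for the illustration.

```python
"""Segregation-of-duties (SoD) and role-baseline review over an entitlement export.

Added example; the roles, duties, conflict pairs, compensating-control
register and sample export are constructed for illustration and are not
taken from any agency system.
"""
from collections import defaultdict

# Constructed sample export: (user, assigned job role, duty the user can perform).
ENTITLEMENTS = [
    ("alice", "ap_clerk", "vendor.create"),
    ("alice", "ap_clerk", "invoice.enter"),
    ("bob", "ap_supervisor", "payment.approve"),
    ("bob", "ap_supervisor", "vendor.create"),    # conflicts with payment.approve
    ("carol", "controller", "ledger.post"),
    ("carol", "controller", "bank.reconcile"),    # conflict, but a compensating control is documented
    ("dave", "ap_clerk", "invoice.enter"),
    ("dave", "ap_clerk", "payment.approve"),      # outside the ap_clerk baseline
]

# Assumed least-privilege baseline: the duties each job role is meant to hold.
ROLE_BASELINE = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_supervisor": {"invoice.review", "payment.approve"},
    "controller": {"ledger.post", "bank.reconcile"},
}

# Assumed conflict matrix: duty pairs one person should not hold together
# (custody, recording, approval and reconciliation kept in separate hands).
CONFLICTS = [
    (frozenset({"vendor.create", "payment.approve"}), "creates vendors and approves payments"),
    (frozenset({"invoice.enter", "payment.approve"}), "enters invoices and approves their payment"),
    (frozenset({"ledger.post", "bank.reconcile"}), "posts to the ledger and reconciles the bank account"),
]

# Assumed register of documented compensating controls, keyed by user. In a
# small agency the controller may have to do both, so a second person reviews
# and signs the monthly reconciliation; that review is the compensating control.
COMPENSATING = {
    "carol": {"posts to the ledger and reconciles the bank account"},
}


def duties_by_user(entitlements):
    """Collapse the export into {user: set(duties)} and {user: role}."""
    held = defaultdict(set)
    roles = {}
    for user, role, duty in entitlements:
        held[user].add(duty)
        roles[user] = role
    return dict(held), roles


def find_sod_conflicts(entitlements, conflicts=CONFLICTS):
    """Return {user: [conflict description, ...]} for users holding a conflicting pair."""
    held, _ = duties_by_user(entitlements)
    result = {}
    for user, duties in held.items():
        hits = [desc for pair, desc in conflicts if pair <= duties]
        if hits:
            result[user] = hits
    return result


def find_excess_privileges(entitlements, baseline=ROLE_BASELINE):
    """Return {user: set(duties)} for duties not in the baseline of the user's role."""
    held, roles = duties_by_user(entitlements)
    result = {}
    for user, duties in held.items():
        extra = duties - baseline.get(roles[user], set())
        if extra:
            result[user] = extra
    return result


def review(entitlements, compensating=None, conflicts=CONFLICTS, baseline=ROLE_BASELINE):
    """Produce audit findings as (user, finding type, detail, status) tuples.

    A SoD conflict is 'mitigated' only when the compensating-control register
    documents a control for that exact conflict; everything else is 'open'.
    """
    compensating = compensating or {}
    findings = []
    for user, hits in sorted(find_sod_conflicts(entitlements, conflicts).items()):
        for desc in hits:
            status = "mitigated" if desc in compensating.get(user, set()) else "open"
            findings.append((user, "sod_conflict", desc, status))
    for user, extra in sorted(find_excess_privileges(entitlements, baseline).items()):
        for duty in sorted(extra):
            findings.append((user, "excess_privilege", duty, "open"))
    return findings


if __name__ == "__main__":
    for user, kind, detail, status in review(ENTITLEMENTS, COMPENSATING):
        print(f"{status:9} {kind:17} {user:6} {detail}")
```

Run against each periodic entitlement export, the script produces the evidence of performance that the Documentation of the Internal Control Plan section asks agencies to retain. An "open" segregation-of-duties finding is a control deficiency to remediate or to cover with a documented compensating control; an excess-privilege finding is a prompt to re-certify that user's access against the role baseline.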
Principle Twelve: Management implements control activities through policies.
Points of Focus
- Establishes policies and procedures to support deployment of management directives. Management establishes control activities built into business processes and day-to-day operations through policies and standard operating procedures to accomplish objectives.
- Establishes responsibility and accountability for executing policies and procedures. Management addresses responsibility to carry out policies and standard operating procedures, holding individuals accountable for carrying out management's directives.
- Performs in a timely manner. Standard operating procedures identify the timing of the control activity and necessary follow-up actions. Untimely procedures reduce control activity effectiveness.
- Takes corrective action. Responsible personnel investigate and act upon anomalies identified during control activity processes.
- Performs using competent personnel. An effective internal control activity depends on competent personnel with sufficient authority to perform the activity.
- Reassesses policies and procedures. The agency periodically evaluates the relevance and effectiveness of policies and standard operating procedures. Changes in personnel, processes, technology, and other variables may reduce effectiveness or make other control activities redundant.
Considerations for Designing and Implementing Control Activities
When designing and implementing control activities, management appraises the cost versus benefit of the activity with a goal to achieve the maximum benefit at the lowest possible cost. The cost of the control activity should not exceed the benefit derived from the control or the impact on the agency if the undesirable event occurred. To ensure maximum effectiveness, the agency will prioritize risks based on the impact and likelihood of the risks, and focus resources on the design and implementation of control activities based on the prioritization.
Information and Communication
Quality information from both internal and external sources supports the functioning of the other components of internal control. Continual communication processes provide, share, and obtain necessary information to achieve objectives. Internal communication sends a clear message to personnel about goals, objectives, standard operating procedures, and the importance of internal control responsibilities. External communication effectively conveys information to outside parties and internalizes information received from outside sources.
Principles thirteen through fifteen must be implemented and effectively working together to achieve the information and communication internal control component.
Principle Thirteen: Management uses quality information to achieve objectives.
Points of Focus
- Identifies information requirements. A process exists to identify the information required to support the functioning of internal control and achievement of objectives.
- Captures internal and external sources of data. Management considers a comprehensive scope of potential events or activities and determines the most relevant useful information and data sources.
- Processes relevant data into information. The agency develops information systems to source, capture, and process data into meaningful actionable information. Information systems include a combination of people, processes, data, and technology.
- Maintains quality throughout processing. Quality information may be described as accessible, available, complete, accurate, correct, current, protected, retained, sufficient, timely, valid, and verifiable.
- Considers cost and benefits. The nature, quantity, and precision of information communicated are commensurate with and support the achievement of objectives.
Principle Fourteen: Management internally communicates the necessary quality information to achieve agency objectives.
Points of Focus
- Communicates internal control information. A process exists to communicate required information to enable all agency personnel to understand and carry out internal control responsibilities. The type of information may take the form of policies and procedures, specified objectives, job duties and responsibilities, performance management competencies and performance factors, and many others.
- Communicates with leadership. Agency management communicates with leadership to ensure all parties have the information needed to fulfill roles and responsibilities.
- Provides separate communication lines. Communication channels, such as whistle-blower hotlines or similar mechanisms, exist to enable anonymous or confidential communications when the normal channels are inoperative or ineffective.
- Selects relevant method of communication. Management uses a variety of processes to ensure the clarity and effectiveness of communications. Communication can take the form of letters, emails, dashboards, presentations, social media postings, webcasts, face-to-face meetings, policies and procedures, performance evaluations, and others.
Principle Fifteen: Management externally communicates the necessary quality information to achieve agency objectives.
Points of Focus
- Communicates to external parties. Processes are in place to communicate relevant and timely information to external parties, including customers, regulators, federal cognizant agencies, and other stakeholders.
- Enables inbound communications. Open communication channels exist to solicit input from external stakeholders. Inbound communication aids with obtaining feedback on services, notice of new laws or regulations, results from audits, vendor questions, and a variety of other types of inbound information which assists the agency with assessing the functioning of internal control.
- Communicates with leadership. Relevant information is provided to assist with fulfilling oversight responsibilities.
- Provides separate communication lines. Like internal channels, external channels exist to enable anonymous or confidential communications when the normal channels are inoperative or ineffective, for example whistle-blower hotlines or similar mechanisms.
- Selects relevant method of communication. The method by which management communicates externally affects the ability to obtain needed information as well as ensuring key messages are received and understood. Management considers and selects the appropriate method of communication, given the audience, nature of the message, timing, and other factors.
Monitoring
The monitoring component evaluates whether each of the five components of internal control is present and functioning. As a dynamic process, internal control must be continually adapted to the risks and changes the agency faces. Monitoring aligns the internal control system with changing objectives, environment, laws, resources, and risks. Internal control monitoring assesses the quality of performance over time and promptly resolves the findings of audits and other reviews. Improvements and corrective actions complement control activities in achieving objectives.
Principles sixteen and seventeen must be implemented and effectively working together to achieve the monitoring internal control component.
Principle Sixteen: Management establishes and operates monitoring activities to monitor the internal control system and evaluate the results.
Points of Focus
- Considers a mix of ongoing and separate evaluations. Ongoing evaluations performed through day-to-day operations in real time provide timely feedback for quick response. Separate evaluations conducted periodically vary in scope and frequency depending on risk assessment and the results of ongoing evaluations.
- Considers rate of change. The frequency of change in business processes or environment impacts whether ongoing or periodic evaluations are most appropriate.
- Establishes baseline of understanding. The agency creates a baseline of information for use when developing ongoing and separate evaluations. Deviations from the baseline, noted during monitoring, may indicate areas of concern that need further assessment.
- Uses knowledgeable personnel. Persons involved with monitoring activities possess knowledge needed to understand the monitoring process.
- Integrates into business processes. Ongoing evaluations are built into business processes and adjusted to changing conditions, often using technology.
- Adjusts scope and frequency. The agency varies the scope and frequency of evaluations depending on risk.
- Objectively evaluates. Evaluations involve objective feedback to maximize effectiveness.
Principle Seventeen: Management remediates identified internal control deficiencies on a timely basis.
Points of Focus
- Assesses results. By assessing monitoring results, management may receive assurance that the internal control system is functioning properly or identify potential improvements for the internal control system.
- Communicates deficiencies. Management communicates potential improvements or deficiencies to appropriate personnel for remediation on a timely basis.
- Monitors corrective actions. Management tracks the progress of improvements or the resolution of deficiencies. Persons responsible for tracking corrective action should differ from those conducting the monitoring activities.
Part Two: Evaluation and Development of the Agency Internal Control System
Section One: Control Environment
Overview
The control environment forms the foundation for a strong internal control system. Management sets the tone for a solid foundation by prioritizing internal controls and communicating the importance of internal controls throughout the agency.
Five principles are associated with the control environment:
Principle One: The agency demonstrates a commitment to integrity and ethical values.
Principle Two: Agency leadership oversees the internal control system.
Principle Three: Management establishes an organizational structure, assigns responsibility, and delegates authority to achieve agency objectives.
Principle Four: The agency demonstrates a commitment to attract, develop, and retain competent individuals.
Principle Five: Management evaluates performance and holds individuals accountable for their internal control responsibilities.
A strong control environment calls for ongoing commitment, communication, and vigilance throughout the agency. Because it includes the overall attitude and actions of management regarding internal controls, the control environment does not generally change with a given objective.
Why It Matters
The control environment promotes a culture of integrity, ethics, and accountability which contributes to the long-term success of the agency's achievement of objectives. For instance, when management communicates a clear message about the importance of internal controls, ethics, and accountability, it –
- encourages employees to adopt agency values and expectations.
- provides employees with a framework to make decisions that align with agency values.
- reduces the likelihood of fraud, errors, and compliance issues by defining proper procedures.
- promotes accountability by documenting processes, responsibilities, and actions.
- provides a method for addressing and resolving issues.
Where to Start
Evaluating the agency control environment serves as the optimal starting point for developing a successful internal control system. After evaluation, additional controls may be developed by following suggested steps under "Developing the Control Environment" or other processes determined by management. To be effective, the internal control system must be documented.
Evaluating the Agency Control Environment
Does the agency have documented control environment policies and procedures?
Internal control evaluation involves conducting periodic assessments of the agency's internal controls to determine whether –
- The agency will likely achieve its objectives.
- Risks to the agency and opportunities for improvement are identified.
- The elements of the agency's internal control system are functioning effectively.
Evaluation presents an opportunity to discuss and document the control environment – and establish the tone at the top. Meaningful and successful evaluations combine input from leadership across the agency, including major department or program areas. During this process, the consideration of absent controls will strengthen the control environment and facilitate an action plan for the design and implementation of a full-bodied control environment.
Tools for Evaluation. Part Three contains optional tools for management to use in the evaluation of agency internal controls. Management may choose one of the available tools or consider other methods of evaluation based on the needs of the agency.
Control Environment Self-Evaluation Questionnaire. A series of self-evaluation questions will guide management through major internal control considerations in a "yes or no" format, which will help management determine which areas need further development.
Control Environment Internal Control Evaluation Template. This spreadsheet identifies common best practices for the control environment. A series of open-ended self-evaluation questions will guide management through major internal control considerations with the ability to designate current controls as sufficient, needing improvement, or nonexistent.
Based on the evaluation of the control environment, management may consider developing the control environment by following the recommended steps in "Developing the Control Environment."
Developing the Control Environment
A positive and supportive attitude toward internal control and conscientious management sets the tone for the control environment.
Through the evaluation process, management may decide that internal controls sufficiently address all principles or need further development.
A full-bodied internal control system addresses each internal control principle. The following steps, organized by principle, may be considered by management in the development of the control environment.
- Set the Tone at the Top
- Define and Communicate Standards of Conduct
- Evaluate Adherence to Standards of Conduct
- Establish Oversight Structure and Procedures for the Internal Control System
- Design Agency Organizational Structure
- Recruit, Develop, and Retain Competent Staff
- Create Succession and Contingency Plans
- Promote Accountability
Tools for Development. Part Three contains optional tools for management to use in developing the agency control environment. Management may choose one of the available tools or another method suitable for the agency's needs.
Control Environment Development Questionnaire. This document walks through the steps in "Developing the Control Environment" with examples of activities to improve the control environment and space to document controls or references to agency policies.
Control Environment Development Template. This template provides an abbreviated method for management to design control environment processes by following the steps in "Developing the Control Environment" and document controls or references to agency policies.
Principle One: The agency demonstrates a commitment to integrity and ethical values
1. Set the Tone at the Top. Management's directives, attitudes, and behaviors reflect the integrity and ethical values expected throughout the agency and the state. The Agency Head and management set an appropriate tone at the top by demonstrating the importance of integrity and ethical values; leading by example; and reinforcing the commitment to do quality work.
Specific ways to set the tone at the top include –
- Discussing expected behaviors regularly at staff meetings.
- Formalizing expectations in agency and statewide documents, such as the agency mission statement, core values, and strategic plan.
- Placing importance on the State Ethics Code.
- Reinforcing expectations of compliance with State Personnel Policies.
2. Define and Communicate Standards of Conduct. Part of the commitment to integrity and ethical values includes defining standards of conduct to inform employees about expected behaviors. Enterprise-wide policies and standards of conduct include –
- Indiana State Employee Handbook
- Indiana State Personnel Department Standardized Policies
- State Ethics Code
- Information Technology Resources Policy
Each agency also should consider its own policies and procedures to address expectations regarding business practices and ethical behavior, such as –
- Remote Work
- Continuing Professional Education requirements
- Dress Code
Once defined, standards of conduct must be communicated to employees, for example through the agency newsletter, regular staff meetings, training videos, one-on-one meetings, etc.
3. Evaluate Adherence to Standards of Conduct. Gauging adherence to standards of conduct addresses differences between actual performance and expected standards. For example –
- Regular evaluations with meaningful feedback.
- Clear consistent disciplinary policies and procedures.
- Established methods of reporting noncompliance, misconduct, or fraud without retribution.
- Agency channels for employees to report noncompliance, misconduct, or fraud.
- Indiana Office of Inspector General Hotline.
- State Board of Accounts Fraud Reporting Form.
Principle Two: Agency leadership oversees the internal control system.
4. Establish Oversight Structure and Procedures for the Internal Control System. For most agencies, the agency head or a statutory board provides oversight of the internal control system. Oversight enables the agency to fulfill responsibilities in laws and regulations, government guidance, and feedback from key stakeholders. Specifically, leadership oversees the agency's operations and makes oversight decisions so that the agency achieves its objectives in alignment with integrity and ethical values.
Leadership oversees the design, implementation, operation, and monitoring of the internal control system, and provides input to resolve deficiencies. Procedures might be –
- Having periodic meetings and other communications with management.
- Maintaining appropriate documentation of meetings, including agendas and minutes.
- Reviewing management's internal control documentation.
- Reviewing management's corrective action plans.
- Following up to ensure deficiencies have been corrected, including audit findings.
- Completing the Internal Control Certification required by FMC 6.1.
- Ensuring performance of the Annual Risk Assessment per FMC 6.2.
- Ensuring response to OMB entity-wide risk self-assessment questionnaires.
Principle Three: Management establishes an organizational structure, assigns responsibility, and delegates authority to achieve agency objectives.
5. Design Agency Organizational Structure. Designing the organizational structure and assigning responsibility enables the agency to plan, execute, control, and assess the achievement of objectives. Examples include steps to –
- Establish, document, review, and update an organizational plan that clearly addresses the assignment of authority and responsibility, such as an organizational chart.
- Ensure that job descriptions clearly detail responsibilities.
- Delegate authority, assign responsibility, and design controls with proper segregation of duties or compensating controls.
- Develop standard operating procedures to communicate responsibilities to personnel and provide a method to monitor and evaluate controls.
Principle Four: Management demonstrates a commitment to attract, develop, and retain competent individuals.
6. Recruit, Develop, and Retain Competent Staff. Policies pertaining to recruitment, training, mentoring, and retention of personnel consider agency objectives and emphasize competency. Competency requires relevant knowledge, skills, and abilities gained from professional experience, training, and certifications to carry out assigned responsibilities and understand the importance of internal control. Incorporated practices –
- Reinforce basic minimum requirements in job descriptions, such as educational prerequisites.
- Document expectations in personnel performance management documents.
- Evaluate employee performance of job responsibilities.
- Develop competencies appropriate for key roles.
- Mentor by guiding performance, aligning skills with agency objectives, and helping personnel adapt to an evolving environment.
- Motivate by reinforcing expected levels of performance and desired conduct, including training and credentialing. For example, State policies on training opportunities through SuccessFactors, LinkedIn Learning, Tuition Support, etc.
7. Create Succession and Contingency Plans. Over the long term, management defines plans relating to the replacement of personnel in key roles to enable the agency to achieve objectives through times of turnover and emergency. To do this, management may consider –
- Training succession candidates through job shadowing and cross training.
- Encouraging knowledge sharing.
- Maintaining written plan documents, including standard operating procedures.
Principle Five: Management evaluates performance and holds individuals accountable for their internal control responsibilities.
8. Promote Accountability. Tone at the top drives accountability. Individuals are held accountable for their internal control responsibilities through a recognized, understood structure which incorporates corrective action procedures. Methods include –
- Regular meetings to verify performance of internal control responsibilities.
- Formal performance appraisals and improvement plans.
- Assessment and rebalancing of excessive pressures and workload through regular meetings with staff.
- Maintaining appropriate documentation of meetings, including agendas and minutes.
Documenting the Agency Control Environment
The agency control environment must be documented. Documenting the agency's internal control system fosters communication and understanding of the internal control system. Benefits encompass the capability to –
- Communicate the design, implementation, and operating effectiveness of the internal control system to personnel.
- Retain organizational knowledge and mitigate the risk of having knowledge limited to a few personnel.
- Support the results of ongoing monitoring, identify internal control issues, and support the appropriate corrective actions.
- Provide tangible audit evidence to internal and external assurance providers. As part of the audit engagement, auditors will ask for written internal controls, and test those controls to determine the nature, timing, and extent of audit testing. Written internal controls must incorporate a process to maintain tangible evidence that the controls are functioning as intended. For example, auditors may review the organizational chart and standard operating procedures for assignment of responsibility.
Methods to document the internal control system include narratives, flowcharts, and standard operating procedures. Part Three contains optional tools to facilitate and document the evaluation and development of internal controls.
Section Two: Risk Assessment
Overview
What could go wrong? This question forms the basis for risk assessment. Risk is the possibility that an event will occur and adversely affect the achievement of objectives. Management employs a risk assessment process to identify, analyze, and manage the potential risks that could hinder or prevent the achievement of objectives.
Risks vary in significance. A successful risk assessment prioritizes key activities and controls by combining input from leadership across the agency, including major department or program areas.
Principles six through nine correspond to the risk assessment component.
Principle Six: Management defines objectives clearly to enable the identification of risks and defines risk tolerances.
Principle Seven: Management identifies, analyzes, and responds to risks related to achieving the defined objectives.
Principle Eight: Management considers the potential for fraud when identifying, analyzing, and responding to risks.
Principle Nine: Management identifies, analyzes, and responds to significant changes that could impact the internal control system.
Why It Matters
Over the course of a day, a week, a month, or a year, situations occur which could hinder or prevent an agency from fulfilling responsibilities and meeting objectives. Because of this possibility, successful managers continually identify and analyze potential risks. Performing risk assessments assists managers in prioritizing the activities where controls are needed most. Management uses risk assessments to determine the potential for loss in programs and functions and to design the most cost-effective and productive internal controls. Risk assessment improves the agency in many ways by identifying events that may hinder operational, reporting, and compliance objectives. This results in –
- Improved decision making through sound planning and the systematic setting of objectives.
- Strengthened internal control for high-risk activities.
- Improvement in services and mitigation of potential disruptions.
- Alignment of processes with agency mission and objectives, increasing efficiency and effectiveness.
Where to Start
The first step in conducting a risk assessment involves reviewing the agency's mission and related objectives. Based on agency objectives, the risk assessment process identifies and prioritizes risks to agency objectives and decides on the proper response to the identified risks. "Conducting a Risk Assessment" in this section provides suggested steps.
Evaluating the Risk Assessment Process
After the risk assessment is completed, management should evaluate the processes used. Internal control evaluation involves conducting periodic assessments of the agency's internal controls to determine whether –
- The agency will likely achieve its objectives.
- Risks to the agency and opportunities for improvement are identified.
- The elements of the agency's internal control system are functioning effectively.
Evaluation presents an opportunity to discuss and document the processes used to conduct the risk assessment. Meaningful and successful evaluations combine input from leadership across the agency, including major department or program areas. Evaluating the actual risk assessment process helps management make improvements which will best serve the needs of the agency. During this process, the consideration of absent controls will strengthen the component and facilitate an action plan for the design and implementation of a full-bodied risk assessment component.
Tool for Evaluation. Part Three contains an optional tool for management to use in the evaluation of the agency risk assessment process. Management may consider other methods of evaluation based on the needs of the agency.
Risk Assessment Internal Control Evaluation Template. This spreadsheet identifies common best practices for the risk assessment component. A series of open-ended self-evaluation questions will guide management through major risk assessment process considerations with the ability to designate current processes as sufficient, needing improvement, or nonexistent.
Management may follow the evaluation with implementation and documentation of improvements, if needed.
Conducting a Risk Assessment
Risk assessment involves an ongoing process to recognize potential problems (risks) and determine the best way to manage them.
A full-bodied internal control system addresses each internal control principle. The following steps, organized by principle, may be considered by management for conducting a risk assessment.
- Define the Agency's Mission Statement and Related Objectives
- Identify Risks to the Achievement of Objectives
- Prioritize Identified Risks
- Respond to the Identified Risks
- Consider the Potential for Fraud
- Identify and Assess Risk from Change
Tools for Conducting a Risk Assessment. Part Three contains an optional tool for management to use in conducting a risk assessment. Management may choose other methods based on the needs of the agency.
Risk Assessment Template. The Risk Assessment Template provides a method for management to document risks to objectives and management's response to those risks. This template follows the outlined steps in "Conducting a Risk Assessment."
Example Objectives, Risks, Controls. This document provides examples of objectives, risks, and key controls for major transaction areas. Lists are not intended to be exhaustive or applicable to all agencies.
Each major transaction area may include some or all the following examples –
- Example Objectives and Risks.
- Minimum Internal Control Standards per the Accounting and Uniform Compliance Guidelines Manual for State and Quasi Agencies.
- Example Key Controls.
Principle Six: Management defines objectives clearly to enable the identification of risks and defines risk tolerances.
1. Define the Agency's Mission Statement and Related Objectives
Internal control focuses on the achievement of the agency mission and the underlying objectives associated with major service areas or transaction levels.
Agency Mission
To identify risks to agency-wide objectives, start with defining the agency mission statement. A mission statement broadly articulates the fundamental purpose and long-term vision, serving as the foundation for agency goals and objectives.
Major Service Area or Transaction-level Objectives
Objectives flow from the agency mission statement based on external requirements, such as laws, regulations and standards, and internal policies and expectations from the control environment. An objective is a specific, measurable, time-bound goal that answers the question: What specific, measurable outcome or result do we want to achieve?
By setting objectives at the major service areas and transaction levels, an agency can identify critical success factors – key things that must go right for the agency to meet objectives. During the risk assessment process, the agency determines critical activities to manage risks and ensure achievement of the agency mission and core business objectives.
Objectives fall into one of three categories: Operations, Compliance, and Reporting.
Operations Objectives pertain to the effectiveness and efficiency of operations. Operations objectives will reflect the agency's mission, incorporating operations and financial performance goals.
As a starting point, management may identify key agency-wide objectives and critical major service areas or transaction level objectives. A brainstorming session with leadership and management together should bring key critical objectives to the forefront. Work through the risk assessment process for the most critical operations objective(s). Then work toward other significant operations objectives identified during the risk assessment process.
Compliance Objectives relate to compliance with applicable laws and regulations. Compliance objectives encompass requirements contained in federal laws, including Uniform Guidance (Title 2 CFR 200), Indiana Code, State Budget Agency Financial Management Circulars, State Board of Accounts Uniform Compliance Guidelines, or other authoritative sources.
For compliance objectives, management may wish to begin by assessing risks to compliance with major federal program requirements, unresolved audit findings, and management letter comments. Then, work toward other significant compliance requirements identified during the risk assessment process.
Reporting Objectives pertain to the reliability of reporting for internal or external purposes, such as financial statements, financial schedules, program reports, etc.
As a beginning point, identify an inventory of required financial reports. Start by focusing on the most significant reporting requirements, such as financial information for the ACFR (Annual Comprehensive Financial Report) and federal grants. Then work toward other significant reporting requirements identified during the risk assessment process.
Principle Seven: Management identifies, analyzes, and responds to risks related to achieving the defined objectives.
2. Identify Risks to the Achievement of Objectives
After defining objectives, the next step will identify risks that would threaten the accomplishment of each objective. This analysis considers the question, "What can go wrong?" And, it may also consider the question, "What opportunities are we missing?"
Risks can be internal, such as human error, fraud, and changes in technology; or external, like changes in legislation or program requirements, and public emergencies. Whether internal or external, risk assessment considers inherent risk, fraud risk, and change risk.
- Inherent Risk. Inherent risk is the level of risk that exists in a process or activity before actions to alter the risk's impact or likelihood. Activities with inherent risk have a greater potential for errors, loss, waste, unauthorized use, or misappropriation due to the nature of the activity or asset.
Examples of inherently risky activities include cash receipts, complex programs or activities, services provided through sub-recipients or vendors, direct third-party beneficiaries, and unresolved audit findings.
- Fraud Risk. Fraud risk considers risk of deceptive activities to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage. Waste and abuse would also be recognized as part of this category. Principle eight specifically addresses Fraud Risk.
- Change Risk. When change occurs, it often affects the control activities that were designed to prevent or reduce risk. Principle nine covers Change Risk.
3. Prioritize Identified Risks
To effectively allocate limited resources, management must gain a comprehensive understanding of the identified risks by prioritizing the risks in terms of likelihood and impact.
Likelihood
For each identified risk, management rates the likelihood of the event in terms of low, medium, or high.
- Low. The risk event is unlikely to occur.
- Medium. The risk event is more likely to occur than unlikely.
- High. The risk event is highly likely or reasonably expected to occur (or ongoing).
Impact
For each identified risk, management assesses the risk in terms of potential impact if the risk event were to occur. Impact addresses the question, "What are the consequences?"
Impact spans the categories of insignificant, minor, serious, disastrous, or catastrophic.
- Insignificant. The impact will not significantly affect the ability to achieve objectives. For example, the risk of immaterial noncompliance or immaterial errors.
- Minor. For example, immaterial misstatements to the financial statements.
- Serious. The impact could significantly affect the agency's ability to achieve objectives. For example, audit findings of noncompliance or lack of documentation to support financial reporting.
- Disastrous. For example, audit questioned costs, material misstatements to the financial statements.
- Catastrophic. The impact could preclude or highly impair the agency's ability to achieve objectives. For example, material loss of federal funding or failure to maintain financial records.
Risk Responses (applied in step 4, Respond to the Identified Risks)
- Accept – Management acknowledges the risk but makes a deliberate decision to retain the risk, usually because the risk is insignificant or mitigation would be too costly.
- Avoid – Management eliminates the risk. For example, requiring customers to pay fees online to avoid the risks inherent in accepting cash or checks.
- Reduce – Management takes action to bring the risk down to a manageable level by designing internal controls to prevent or detect the risk event; for example, segregation of duties, review, or authorization procedures.
- Share – Management shares the risk by transferring the risk to another party, for example through the purchase of insurance.
Types of Fraud (considered in step 5, Consider the Potential for Fraud)
- Fraudulent Financial Reporting occurs through intentional misstatements or omissions of amounts or disclosures in financial statements to deceive financial statement users. For example, intentional alteration of accounting records, misrepresentation of transactions, or intentional misapplication of accounting principles.
- Misappropriation of Assets includes theft of assets, embezzlement of receipts, or fraudulent payments.
- Corruption encompasses bribery and other illegal acts.
Rating
The combination of the two factors of likelihood and impact provides management with a rating for each risk identified. Rank risks in a logical manner, from most significant (high impact) and most likely to occur (high likelihood) to the least significant (low impact) and least likely (low likelihood).
Documentation
Examples of documentation for likelihood and impact ratings would include relevant criteria such as financial projections, historical examples, expert opinions, and statistical analysis. A narrative description might be used to summarize key points for each risk.
Management may decide to incorporate a risk matrix, heat map, or similar visual tool to assess and classify risks based on likelihood and impact.
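A worked example of the rating step above, added here and not part of the SBOA manual: it scores each risk as the product of a likelihood score (1 to 3) and an impact score (1 to 5), ranks the register from highest to lowest rating, and lays the results out as a plain-text heat map. The numeric scales, the product-based rating, and the five sample risks are assumptions made for illustration; the manual only requires that likelihood and impact be combined and the risks ranked.

```python
"""Added example: scoring, ranking and charting a risk register by
likelihood and impact. Not part of the SBOA manual; the scales and the
sample risks below are constructed for illustration."""
from collections import namedtuple

# Assumed numeric scales for the rating categories defined above.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"insignificant": 1, "minor": 2, "serious": 3,
          "disastrous": 4, "catastrophic": 5}

Risk = namedtuple("Risk", "name likelihood impact")

# Constructed sample register (hypothetical risks for a small agency).
SAMPLE_RISKS = [
    Risk("Cash receipts not deposited intact", "medium", "serious"),
    Risk("Unsupported grant expenditures (questioned costs)", "low", "disastrous"),
    Risk("Immaterial posting errors", "high", "insignificant"),
    Risk("Loss of federal funding from material noncompliance", "low", "catastrophic"),
    Risk("Shared user credentials in accounting system", "high", "serious"),
]


def score(risk):
    """Rating = likelihood score x impact score (assumed; range 1..15)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def rank(risks):
    """Most significant and most likely first; ties broken by impact, then name."""
    return sorted(risks, key=lambda r: (-score(r), -IMPACT[r.impact], r.name))


def heat_map(risks):
    """Map every (likelihood, impact) cell of the 3x5 matrix to the risks in it."""
    cells = {(lk, im): [] for lk in LIKELIHOOD for im in IMPACT}
    for r in risks:
        cells[(r.likelihood, r.impact)].append(r.name)
    return cells


def render_heat_map(risks):
    """Plain-text heat map: rows = likelihood (high first), columns = impact,
    each cell holding the number of risks rated there."""
    cells = heat_map(risks)
    cols = list(IMPACT)
    lines = ["likelihood / impact | " + " | ".join(f"{c:13}" for c in cols)]
    for lk in reversed(list(LIKELIHOOD)):
        row = [f"{len(cells[(lk, c)]):^13}" for c in cols]
        lines.append(f"{lk:19} | " + " | ".join(row))
    return "\n".join(lines)


if __name__ == "__main__":
    for r in rank(SAMPLE_RISKS):
        print(f"{score(r):2}  {r.likelihood:6} {r.impact:13} {r.name}")
    print(render_heat_map(SAMPLE_RISKS))
```

The ranked list is the prioritized register that step 4 consumes; the heat map is the visual tool the paragraph above mentions, with the top-right cells (high likelihood, catastrophic impact) deserving attention first.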
4. Respond to the Identified Risks
After prioritizing risks, management next determines how to respond and manage those risks. For example, management may accept, avoid, reduce, or share the risk. Residual risk equals the remaining risk after management's response to the risk.
In many cases, management may already have controls in place to reduce the risk to an acceptable level. Key controls should be documented and evaluated on a regular basis for adequacy.
Retaining analysis and interpretation of the risk assessment information will facilitate periodic review of decisions to determine whether changes in conditions warrant a different approach to managing risk.
Principle Eight: Management considers the potential for fraud when identifying, analyzing, and responding to risks.
5. Consider the Potential for Fraud
As part of the risk assessment process, fraud must be considered - such as fraudulent financial reporting, misappropriation of assets, and illegal acts. In addition to fraud, assess the likelihood of other types of misconduct such as waste or abuse.
Once identified, management must prioritize and respond to fraud risks.
Fraud
The Green Book defines fraud as "obtaining something of value through willful misrepresentation." Intent distinguishes fraud from a weakness in internal control. Fraud risk assessment specifically identifies possibilities for intentional acts to misstate financial information, misappropriate assets, or engage in corruption.
Fraud can be internal or external. Internal fraud occurs when an employee, manager, or executive commits fraud against the agency. External fraud occurs when an outside party commits fraud against the agency. Fraud risks such as bribery and fraudulent reporting should be considered in relation to regulators, vendors, health care providers, regulated entities, grantees, subrecipients, and any other third parties.
Understanding why individuals commit fraud helps in assessing risk and establishing controls. Individuals generally commit fraud due to pressure, opportunity, and rationalization, commonly referred to as the fraud triangle.
- Pressure describes financial or emotional force pushing towards fraud. For example, a family member loses their job, their house forecloses, or medical bills pile up.
- Opportunity denotes the ability to execute fraud without being caught. Effective internal controls reduce opportunity.
- Rationalization comes through personal justification of dishonest actions. When seeing themselves as victims of unusual circumstances, individuals will develop an explanation making the illegal behavior acceptable.
Waste and Abuse
In addition to fraud risk, other forms of misconduct can occur, such as waste and abuse. Waste and abuse do not necessarily involve fraud or illegal acts.
Waste covers the act of using or expending resources carelessly, extravagantly, or for no purpose.
Abuse involves deficient or improper behavior when compared with the behavior a prudent person would consider reasonable and necessary in the circumstances. Abuse also includes the misuse of authority or position for personal gain or for the benefit of another.
Principle Nine: Management identifies, analyzes, and responds to significant changes that could impact the internal control system.
6. Identify and Assess Risk from Change
The risk to reaching objectives increases dramatically during a time of change. New threats, opportunities, technology, regulatory requirements, funding challenges, and personnel changes all place stress on the internal control system. Identify and adjust for significant changes which could alter agency objectives.
As part of the risk assessment process, ask the question, "What has changed this year?"
Once identified, management must prioritize and respond to change risks. Examples of external and internal circumstances that expose an agency to increased risk include –
- Changing economic and political conditions
- Changes in State or Federal Regulation or Requirement
- New or modified technology
- New accounting standards
- Changes in personnel
- New programs or services
- Reorganization
- Rapid growth
- Increased delegation of spending authority
- Moving to a new location
Documenting the Risk Assessment Process
The Risk Assessment Process must be documented. Documenting the agency's internal control system fosters communication and understanding of the internal control system. Benefits encompass the capability to –
- Communicate the design, implementation, and operating effectiveness of the internal control system to personnel.
- Retain organizational knowledge and mitigate the risk of having knowledge limited to a few personnel.
- Support the results of ongoing monitoring, identify internal control issues, and support the appropriate corrective actions.
- Provide tangible audit evidence to internal and external assurance providers. As part of the audit engagement, auditors will ask for written internal controls, and test those controls to determine the nature, timing, and extent of audit testing. Written internal controls must incorporate a process to maintain tangible evidence that the controls are functioning as intended. For example, auditors may review the agency risk assessment for documented decisions related to prioritization and response to identified risks to the achievement of objectives.
Methods to document the internal control system include narratives, flowcharts, and standard operating procedures. Part Three contains optional tools to facilitate and document the evaluation and development of internal controls.
Section Three: Control Activities
Overview
Control activities detect, prevent, or reduce identified risks that interfere with the achievement of objectives. Control activities include segregation of duties, review and approval processes, reconciliations, verifications, and asset security.
The Control Activities component consists of three principles.
Principle Ten: Management designs control activities to achieve objectives and respond to risks.
Principle Eleven: Management designs the information system and related control activities to achieve objectives and respond to risks.
Principle Twelve: Management implements control activities through policies.
Why It Matters
Control activities drive the agency's overall success, helping to manage risk, ensure compliance, and encourage efficiency and accountability. Effective control activities –
- Promote orderly, economical, efficient, and effective operations.
- Produce quality products and services consistent with the agency mission.
- Safeguard resources against loss due to waste, abuse, mismanagement, errors, and fraud.
- Promote adherence to statutes, regulations, uniform compliance guidelines, and procedures.
- Develop and maintain reliable financial and management data, and accurately report that data in a timely manner.
- Reduce the risk of mistakes and inappropriate actions through segregation of duties.
- Help personnel perform assigned responsibilities through documented policies and procedures.
Where to Start
Evaluating the agency control activities serves as the optimal starting point for developing a successful internal control system. After evaluation, additional controls may be developed by following suggested steps in "Developing Agency Control Activities" or other processes determined by management. To be effective, the internal control system must be documented.
Evaluating Agency Control Activities
Does the agency have documented control activity policies and procedures? Internal control evaluation involves conducting periodic assessments of the agency's internal controls to determine whether -
- The agency will likely achieve its objectives.
- Risks to the agency and opportunities for improvement are identified.
- The elements of the agency's internal control system are functioning effectively.
Evaluation presents an opportunity to discuss and document internal controls. Meaningful and successful evaluations combine input from leadership across the agency, including major department or program areas. During this process, the consideration of absent controls will strengthen control activities and facilitate an action plan for the design and implementation of a full-bodied internal control system.
Tools for Evaluation. Part Three contains an optional tool for management to use in the evaluation of agency control activities. Management may choose this tool or consider other methods of evaluation based on the needs of the agency.
Control Activities Internal Control Evaluation Template. This spreadsheet identifies common best practices for the control activities component. A series of open-ended self-evaluation questions will guide management through major internal control considerations with the ability to designate current controls as sufficient, needing improvement, or nonexistent.
Based on the evaluation of control activities, management may consider developing additional control activities by following the recommended steps in "Developing Agency Control Activities."
Developing Agency Control Activities
After identifying and assessing risks, management develops methods to minimize key risks. Control activities are actions and tools established through policies and procedures that prevent or detect identified risks to the achievement of objectives.
Through the evaluation process, management may decide that internal controls need improvement.
A full-bodied internal control system addresses each internal control principle. The following steps, organized by principle, may be considered by management in the development of control activities.
- Respond to Risks
- Design Control Activities
- Specifically Address the Information System
- Document Control Activities
- Communicate Responsibility
- Review Policies and Procedures
Tools for Development. Part Three contains optional tools for management to use in developing agency control activities. Management may choose one tool or other method suitable for the agency's needs.
Control Development Questionnaire. This document walks through the steps outlined in "Developing Agency Control Activities" with examples of control activities and space to document controls or reference standard operating procedures.
Control Development Template. This spreadsheet provides an abbreviated method for management to design control activities which address specific risks identified through the risk assessment process. This template follows steps outlined in "Developing Agency Control Activities."
Example Objectives, Risks, Controls. This document provides examples of objectives, risks, and controls for major transaction areas. Lists are not intended to be exhaustive or applicable to all agencies.
Each major transaction area may include some or all the following examples –
- Example Objectives and Risks.
- Minimum Internal Control Standards per the Accounting and Uniform Compliance Guidelines Manual for State and Quasi Agencies.
- Example Key Controls.
Principle Ten: Management designs control activities to achieve objectives and respond to risks.
1. Respond to Risks. Once risks are identified and assessed through the risk assessment process, management minimizes risks through control activities. When deciding the best response, management must use risk assessment information to identify the most effective and efficient control activities available for handling the risk. In addition to agency-specific factors, management should consider the following questions:
What is the priority of this risk? Use the prioritized list identified during the risk assessment process to decide how to allocate resources among the various control activities needed to reduce significant risks.
What is the cause of the risk? Consider reasons why the risk exists to identify control activities that could mitigate the risk.
What is the cost of the control versus the cost of the unfavorable event? Compare the cost of the risk's impact with the cost of the control activities to select the most cost-effective choice.
The Green Book identifies a list of control activity categories for management to consider in response to risk. Although not an exhaustive list, the Green Book categories are reproduced here for reference purposes:
- Top-level reviews of actual performance.
- Reviews by management at the functional or activity level.
- Management of Personnel.
- Controls over information processing.
- Physical control over vulnerable assets.
- Establishment and review of performance measures and indicators.
- Segregation of duties.
- Proper execution of transactions.
- Accurate and timely recording of transactions.
- Access restrictions to and accountability for resources and records.
- Appropriate documentation of transactions and internal control.
2. Design Control Activities. Control activities carry out management's response to identified risks. A sound internal control plan will combine both preventative and detective controls to mitigate risks, implemented through a variety of automated or manual methods.
- Preventative controls deter the occurrence of an undesirable event. Development involves anticipating potential problems and implementing ways to avoid them. Examples of preventative controls include segregation of duties, authorization, verification processes, and physical security over assets.
- Detective controls identify undesirable events that do occur and alert managers to take corrective action promptly. Examples of detective controls include reconciliations, report reviews, and performance reviews.
Automated controls might include validity and edit checks, sequential prenumbering of documents, or logical access security. Manual controls may include activities such as independent review, exception monitoring, and reconciliations.
Management must specifically address Segregation of Duties
Special emphasis must be placed on the segregation of duties because it reduces the risk of mistakes and inappropriate actions. The fundamental premise for segregated duties asserts that no one individual should control or perform all key aspects of a transaction or event – also known as incompatible duties when performed by the same individual.
No one employee should have job functions in more than one of the following three categories of duties:
- Custody of Assets. This involves having physical access to agency assets or exercising control over an asset. Asset examples include cash, accountable items, equipment, and supplies. Exercising control includes initiating a payment in the accounting system, setting up a new employee in the payroll system, placing an order for supplies, specifying where orders are to be delivered, and receiving purchases.
- Recordkeeping. This duty refers to the accounting or record keeping function, such as entering financial information into the accounting system.
- Approval. This duty belongs to persons with the authority and responsibility to authorize others to initiate and enter transactions. It also may involve reconciling and reviewing transactions for validity and reasonableness; periodic reviews and reconciliation of existing assets to recorded amounts; and comparisons at regular intervals and actions to resolve differences.
Examples of incompatible duties include –
- Managing both the operation of and record keeping for the same activity.
- Receiving cash or checks, preparing deposits, and reconciling deposits.
- Entering new vendors and paying invoices.
- Entering and approving expenses.
- Managing custodial activities and record keeping for the same assets.
- Authorizing transactions and managing the custody or disposal of the related assets or records.
- Operating and programming a computer system.
Specific examples from the Accounting and Uniform Compliance Guidelines for State and Quasi-Agencies, chapter 2 include:
- Individuals responsible for data entry of payment vouchers should not be responsible for approving these documents.
- Individuals responsible for acknowledging the receipt of goods or services should not also be responsible for purchasing approvals or payment activities.
- Managers should review and approve payroll expenses and time sheets before data entry but should not be involved in preparing payroll transactions.
- Individuals performing physical inventory counts should not be involved in maintaining inventory records nor authorize withdrawals of items maintained in inventory.
- Individuals receiving cash into the office should not be involved in recording bank deposits in the accounting records.
- Individuals receiving revenue or making deposits should not be involved in reconciling the bank accounts.
A special note for smaller agencies . . .
As an integral part of the control activity component, segregation of duties is expected.
In small agencies, segregation of duties may not be practical. In this case, compensating activities must be implemented, which may include additional levels of review for key operational processes and random or periodic review of selected transactions. These additional levels of review may take the form of managerial review of reports of detailed transactions, periodic review of the performance of reconciliations, and periodic counts of assets with comparison to records. Document decisions to incorporate compensating controls to mitigate risks.
Management may consider going outside of the agency for help in implementing controls through the Centralized Accounting Division. The Centralized Accounting Division was established for small agencies to drive efficiencies, reducing the overall state cost of back-office expenses by pooling services among fewer employees and standardizing business processes across all business units. The Centralized Accounting Division provides various accounting functions, including accounts payable; accounts receivable; asset management; cashbook reconciliation; contract/grant agreement preparation and tracking through an electronic signature process; general ledger; invoicing; payroll; payroll allocation; purchasing; project costing; federal draw; and travel arrangements. For more information, visit www.in.gov/sba/about-us/centralized-accounting/.
Management considers other types of Control Activities
While recognizing the expectation of segregation of duties, management must consider other types of control activities to address identified risks. When establishing control activities, consider all aspects of operations, including information technology systems and third-party service providers.
Examples of Control Activities include –
Review and Approval. Approval indicates the confirmation of employee decisions, events, or transactions based on a review before the transaction takes place. Management should clearly document approval procedures and ensure employees obtain approvals in all required situations. For example, a manager reviews a purchase request from an employee to determine whether the expense is warranted. The manager's signature documents approval on the request.
Authorization. Authorization represents a control activity designed to ensure events or transactions are initiated and executed by those designated by management. Management should ensure that the conditions and terms of authorizations are clearly documented and communicated, and that significant transactions are approved and executed only by persons acting within the scope of their authority. For example, a manager may be authorized to approve purchase requests, but only up to a certain dollar amount.
Verification/Reconciliation. Verification enables management to ensure activities are being performed consistently in accordance with policies. Reconciliation compares two or more items to identify differences. Overall, verification and reconciliation processes confirm the completeness, accuracy, authenticity and/or validity of transactions, events, or information. Examples include:
- Reviewing vendor invoices for accuracy by comparing to purchase orders and contracts.
- Comparing cash receipts transactions to a cash receipts log and tracing to bank deposit records.
- Reviewing and verifying a participant's eligibility for State program services.
- Reconciling licenses issued to revenue received.
Supervision. Supervision describes ongoing oversight and guidance of an activity by designated employees to ensure the results of the control activity achieve established objectives. Supervisory responsibilities might include a duty to -
- Monitor, review, and approve the work of those performing the activity to ensure correctness.
- Provide guidance and training to minimize errors and ensure that employees understand management expectations.
- Communicate duties and responsibilities assigned to those performing the activities.
Documentation. Documentation of policies and procedures critically impacts the daily operations of an agency. Standard operating procedures set forth the fundamental framework and the underlying methods and processes all employees rely on to do their jobs and form the basis for decisions.
Principle Eleven: Management designs the information system and related control activities to achieve objectives and respond to risks.
3. Specifically Address the Information System. The use of an IT system can create risks to the internal control structure. For example, the procedures and calculations performed by the IT system must be checked for proper functioning. Reliance on the IT system to perform these functions without verification of the accuracy can result in inaccurate reports and information. In addition, the IT system must also be adequately protected from unauthorized use to avoid the recording of unauthorized transactions, unauthorized changes to existing data, or loss of data in the event of a failure of the IT system.
Information Technology controls support the completeness, accuracy, and validity of information processed; protect data and program integrity from error or malicious intent; and prevent unauthorized programs or inappropriate modifications to existing programs or files.
According to the Accounting and Uniform Compliance Guidelines Manual for State and Quasi-Agencies, management evaluates changes to systems and updates control activities. For example,
- Disaster Recovery ensures that critical accounting information will be processed in the event of interruption of computer processing capacity.
- Back-Up Processing provides for accounting information to be backed up on a periodic basis sufficient to allow restoration of the information in a timely manner.
- Physical Security protects the computer system and the associated telecommunications equipment from environmental damage and unauthorized access.
- Logical Security requires access to accounting information and processes be controlled by operating system software and by the computerized accounting application through user identification codes and passwords.
- Change Controls are internal controls over changes made to the accounting system's computer programs.
- Audit Trails allow for sufficient documentation to trace all transactions from the original source of entry into the system, through all system processes, and to the results produced by the system.
- Input Controls provide input edits and controls to assure that information entered into the system is accurate and that all appropriate information is entered into the system.
- Segregation of Duties can be achieved within information technology systems by appropriate assignment of security profiles that define the data the users can access and the functions they can perform.
- Output Controls are features that assure all accounting information is reported accurately and completely.
- Interface Controls allow for information generated in one computer application system to be transferred to another computer application system accurately and completely.
- Internal Processing provides written verification procedures and actual verification results that document accurate calculating, summarizing, categorizing, and updating of accounting information on a periodic basis.
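A worked example of the Input Controls and Interface Controls items above, added here and not part of the SBOA manual or of any state system. It applies input edits to a batch of payment vouchers (required fields, vendor present in the vendor master, positive numeric amount, valid date, no duplicate vendor/invoice pair) and then computes the control totals (record count, amount total, and a hash total of voucher numbers) that a receiving system recomputes to confirm the interface transferred the batch completely. The field names, the vendor master, and the sample batch are constructed for illustration.

```python
"""Added example: input edit checks on payment vouchers and control totals
for an interface between two systems. Not the SBOA manual's or PeopleSoft's
code; field names, vendor master and the sample batch are constructed."""
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed vendor master: only vendors set up here may be paid.
VENDOR_MASTER = {"V1001": "Acme Office Supply", "V1002": "Hoosier Fleet Services"}

REQUIRED = ("voucher_id", "vendor_id", "invoice_no", "amount", "invoice_date")

# Constructed batch as the sending system would export it; the last three
# records each carry a defect the edits should catch.
SAMPLE_BATCH = [
    {"voucher_id": "PV-2024-0001", "vendor_id": "V1001", "invoice_no": "A-77",
     "amount": "125.40", "invoice_date": "2024-03-04"},
    {"voucher_id": "PV-2024-0002", "vendor_id": "V1002", "invoice_no": "F-12",
     "amount": "980.00", "invoice_date": "2024-03-05"},
    {"voucher_id": "PV-2024-0003", "vendor_id": "V9999", "invoice_no": "X-1",
     "amount": "50.00", "invoice_date": "2024-03-05"},      # unknown vendor
    {"voucher_id": "PV-2024-0004", "vendor_id": "V1001", "invoice_no": "A-77",
     "amount": "125.40", "invoice_date": "2024-03-06"},     # duplicate invoice
    {"voucher_id": "PV-2024-0005", "vendor_id": "V1002", "invoice_no": "F-13",
     "amount": "-10.00", "invoice_date": "2024-13-01"},     # bad amount and date
]


def edit_check(voucher, seen_invoices):
    """Input edits for one voucher: returns a list of errors (empty = passes).
    `seen_invoices` accumulates (vendor, invoice) pairs across the batch."""
    errors = []
    for field in REQUIRED:
        if not voucher.get(field):
            errors.append(f"missing {field}")
    if voucher.get("vendor_id") not in VENDOR_MASTER:
        errors.append("vendor not in master")
    try:
        if Decimal(voucher.get("amount", "")) <= 0:
            errors.append("amount not positive")
    except InvalidOperation:
        errors.append("amount not numeric")
    try:
        date.fromisoformat(voucher.get("invoice_date", ""))
    except ValueError:
        errors.append("invalid invoice_date")
    key = (voucher.get("vendor_id"), voucher.get("invoice_no"))
    if key in seen_invoices:
        errors.append("duplicate vendor/invoice")
    seen_invoices.add(key)
    return errors


def validate_batch(batch):
    """Return {voucher_id: errors} for rejected vouchers; accepted ones are omitted."""
    seen, rejected = set(), {}
    for voucher in batch:
        errors = edit_check(voucher, seen)
        if errors:
            rejected[voucher["voucher_id"]] = errors
    return rejected


def control_totals(batch):
    """Interface control totals: record count, amount total, and a hash total
    (sum of the numeric voucher suffixes, meaningful only as a checksum)."""
    count = len(batch)
    amount = sum(Decimal(v["amount"]) for v in batch)
    hash_total = sum(int(v["voucher_id"].rsplit("-", 1)[1]) for v in batch)
    return count, amount, hash_total


def interface_reconciles(sent, received):
    """The receiving system recomputes the totals over what it actually loaded
    and compares them with the sender's trailer; any mismatch means the
    transfer was incomplete or altered."""
    return control_totals(sent) == control_totals(received)


if __name__ == "__main__":
    for voucher_id, errors in validate_batch(SAMPLE_BATCH).items():
        print(voucher_id, "rejected:", "; ".join(errors))
    accepted = [v for v in SAMPLE_BATCH if v["voucher_id"] not in validate_batch(SAMPLE_BATCH)]
    print("trailer:", control_totals(accepted))
    print("reconciles after losing a record:", interface_reconciles(accepted, accepted[:-1]))
```

The edits run before anything is posted, so they are a preventive control; the control-total comparison is a detective control on the interface and should be retained (the trailer values and the comparison result) as the tangible evidence that the control operated.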
The State uses many different information technology (IT) systems. These systems are an integral part of the internal control system. For example, the PeopleSoft accounting system provides many different internal controls over the financial reporting process:
- Permissions allow only certain users to perform certain tasks.
- Segregation of duties occurs by requiring duties to be completed by different users.
- The automation of processes and calculations enhances the internal control system by preventing errors.
- Authority to access different components of the software is limited to employees with duties specifically related to that component.
- User ID and password sharing between employees is prohibited.
- Restrictions limit the authority to correct or adjust records to key employees or management.
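A worked example of segregation of duties enforced through security profiles, as called for in the Segregation of Duties item above and in the incompatible-duties examples earlier in this section. It is added here and is not the SBOA manual's code nor a feature of PeopleSoft: it maps hypothetical security profiles to the three duty categories (custody, recordkeeping, approval), lists incompatible profile pairs modelled on the chapter 2 examples, reports every user whose assignments cross categories or hit an incompatible pair, and offers a preventive check that refuses a new profile grant that would create a conflict. The profile names, the user-to-profile export, and the duty mapping are assumptions made for illustration.

```python
"""Added example: detecting segregation-of-duties conflicts in security
profile assignments. Not part of the SBOA manual or of any state system;
profile names, duty mapping and user assignments are constructed."""
from collections import defaultdict

# Hypothetical security profiles mapped to the three duty categories.
PROFILE_DUTIES = {
    "AP_VOUCHER_ENTRY":   {"recordkeeping"},
    "AP_VOUCHER_APPROVE": {"approval"},
    "PO_RECEIVING":       {"custody"},
    "PO_APPROVE":         {"approval"},
    "CASH_RECEIPTS":      {"custody"},
    "DEPOSIT_ENTRY":      {"recordkeeping"},
    "BANK_RECONCILE":     {"approval"},
    "PAYROLL_PREP":       {"recordkeeping"},
    "PAYROLL_APPROVE":    {"approval"},
    "REPORT_VIEW":        set(),          # read-only: conflicts with nothing
}

# Incompatible profile pairs, modelled on the chapter 2 examples above.
INCOMPATIBLE_PAIRS = {
    frozenset({"AP_VOUCHER_ENTRY", "AP_VOUCHER_APPROVE"}),  # enter and approve vouchers
    frozenset({"PO_RECEIVING", "PO_APPROVE"}),              # receive goods and approve purchases
    frozenset({"PO_RECEIVING", "AP_VOUCHER_ENTRY"}),        # receive goods and pay for them
    frozenset({"CASH_RECEIPTS", "DEPOSIT_ENTRY"}),          # receive cash and record deposits
    frozenset({"CASH_RECEIPTS", "BANK_RECONCILE"}),         # receive cash and reconcile the bank
    frozenset({"PAYROLL_PREP", "PAYROLL_APPROVE"}),         # prepare and approve payroll
}

# Constructed user-to-profile assignments, as a security profile export might list them.
SAMPLE_ASSIGNMENTS = {
    "aclerk": {"AP_VOUCHER_ENTRY", "REPORT_VIEW"},
    "bmgr":   {"AP_VOUCHER_APPROVE", "PO_APPROVE"},
    "ccash":  {"CASH_RECEIPTS", "BANK_RECONCILE"},    # custody + approval
    "dpay":   {"PAYROLL_PREP", "PAYROLL_APPROVE"},    # recordkeeping + approval
    "eaudit": {"REPORT_VIEW"},
}


def duty_categories(profiles):
    """Union of the duty categories granted by a set of profiles."""
    categories = set()
    for profile in profiles:
        categories |= PROFILE_DUTIES[profile]
    return categories


def find_conflicts(assignments):
    """Return {user: [reasons]} for every user whose profiles are incompatible:
    either the duties span more than one category, or a listed pair is held."""
    findings = defaultdict(list)
    for user, profiles in assignments.items():
        categories = duty_categories(profiles)
        if len(categories) > 1:
            findings[user].append("duties span " + ", ".join(sorted(categories)))
        for pair in sorted(INCOMPATIBLE_PAIRS, key=sorted):
            if pair <= profiles:
                findings[user].append("incompatible profiles " + " + ".join(sorted(pair)))
    return dict(findings)


def can_grant(assignments, user, profile):
    """Preventive check for the provisioning step: may `profile` be added to
    `user` without creating a segregation-of-duties conflict?"""
    proposed = assignments.get(user, set()) | {profile}
    return not find_conflicts({user: proposed})


if __name__ == "__main__":
    for user, reasons in sorted(find_conflicts(SAMPLE_ASSIGNMENTS).items()):
        print(user, "->", "; ".join(reasons))
    print("grant AP_VOUCHER_APPROVE to aclerk:", can_grant(SAMPLE_ASSIGNMENTS, "aclerk", "AP_VOUCHER_APPROVE"))
```

Running the detective check over a periodic export of profile assignments gives the documented evidence auditors will ask for; wiring the preventive check into provisioning keeps a small agency from accumulating the conflicts it would otherwise have to cover with compensating reviews.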
The Indiana Office of Technology (IOT) was created to consolidate IT organizations across Indiana state government. According to Indiana Code 4-13.1, IOT –
- Establishes the standards for the technology infrastructure of the state.
- Focuses state information technology services to improve service levels to citizens and lower the costs of providing information technology services.
- Brings the best and most appropriate technology solutions to bear on state technology applications.
- Improves and expands government services provided electronically.
- Provides for the technology and procedures for the state to do business with the greatest security possible.
For more information on IOT policies and services, visit www.in.gov/iot.
Principle Twelve: Management implements control activities through policies.
4. Document Control Activities. Control activities are deployed through policies that define responsibility for objectives, risks, and control activity design, implementation, and operating effectiveness. Standard operating procedures put those policies into action. Documentation may include written narratives and flowcharts. Policies must require a mechanism to provide tangible evidence that control activities were performed.
5. Communicate Responsibility. To help employees understand how and when to perform assigned responsibilities, policies and standard operating procedures must be communicated and available to employees in accordance with their duties. Management must ensure employees understand their responsibilities related to policies affecting their functions, including the responsibility to investigate and act upon discrepancies. Communication methods might include newsletters, staff meetings, or webinars.
6. Review Policies and Procedures. Management should periodically review policies, standard operating procedures, and related control activities for relevance and effectiveness in achieving objectives and addressing related risks. Review processes may include having discussions with personnel at defined time intervals, identifying significant changes affecting internal control activities, or coordinating an independent review of the design.
Documenting Control Activities
Control Activities must be documented. Documenting the agency's internal control system fosters communication and understanding of the internal control system. Benefits encompass the capability to –
- Communicate the design, implementation, and operating effectiveness of the internal control system to personnel.
- Retain organizational knowledge and mitigate the risk of having knowledge limited to a few personnel.
- Support the results of ongoing monitoring, identify internal control issues, and support the appropriate corrective actions.
- Provide tangible audit evidence to internal and external assurance providers. As part of the audit engagement, auditors will ask for written internal controls, and test those controls to determine the nature, timing, and extent of audit testing. Written internal controls must incorporate a process to maintain tangible evidence that the controls are functioning as intended. For example, if an internal control states that eligibility will be verified in accordance with an agency checklist by Person B, auditors will need to review evidence that Person B performed the verification process.
Methods to document the internal control system include narratives, flowcharts, and standard operating procedures. Part Three contains optional tools to facilitate and document the evaluation and development of internal controls.
Section Four: Information and Communication
Overview
Information and communication processes pervade all internal control components, making this component vital for an agency to achieve objectives. Quality information must be identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities.
What is quality information? Quality information is relevant, reliable, and timely. High quality information must be conveyed both within the agency and to external parties.
Principles thirteen through fifteen apply to the Information and Communication component.
Principle Thirteen: Management uses quality information to achieve agency objectives.
Principle Fourteen: Management internally communicates the necessary quality information to achieve agency objectives.
Principle Fifteen: Management externally communicates the necessary quality information to achieve agency objectives.
Why It Matters
All aspects of a strong internal control system rely on quality information and effective communication methods.
Information is necessary to carry out internal control responsibilities and support the achievement of objectives, such as:
- Providing essential data and high-quality information for informed decision making.
- Facilitating efficient operations, cost savings, and improved productivity through streamlined communication processes.
- Promoting transparency and confidence in agency operations through readily accessible and trustworthy information.
- Preventing fraud by identifying suspicious activities and restricting sensitive information.
- Supporting collaboration, knowledge sharing, and the achievement of common goals.
- Identifying areas for improvement.
The Information and Communication component of internal control contributes to the overall success of the State and each agency. It not only supports daily operations but also adds to risk management, compliance, and strategic planning, all of which are essential for achieving organizational objectives.
Where to Start
Evaluating agency information and communication processes serves as the optimal starting point for developing a successful internal control system. After evaluation, additional controls may be developed by following recommended steps or other processes determined by management. To be effective, the internal control system must be documented.
Evaluating Agency Information and Communication Processes
Does the agency have documented information and communication policies and procedures? Internal Control evaluation involves conducting periodic assessments of the agency's internal controls to determine whether:
- The agency will likely achieve its objectives.
- Risks to the agency and opportunities for improvement are identified.
- The elements of the agency's internal control system are functioning effectively.
Evaluation presents an opportunity to discuss and document internal controls. Meaningful and successful evaluations combine input from leadership across the agency, including major department or program areas. During this process, the consideration of absent controls will strengthen information and communication processes and facilitate an action plan for the design and implementation of a full-bodied internal control system.
Tools for Evaluation. Part Three contains an optional tool for management to use in the evaluation of agency information and communication processes. Management may choose this tool or consider other methods of evaluation based on the needs of the agency.
Information and Communication Internal Control Evaluation Template. This spreadsheet identifies common best practices for the information and communication component. A series of open-ended self-evaluation questions will guide management through major internal control considerations with the ability to designate current controls as sufficient, needing improvement, or nonexistent.
Based on the evaluation of information and communication processes, management may consider developing additional controls by following the recommended steps in "Developing Agency Information and Communication Processes."
Developing Agency Information and Communication Processes
Quality information enables management to support the internal control system, determine risks, and communicate policies. To be effective for the achievement of objectives, information must be current, accurate, appropriate in content, and available on a timely basis at all staff levels.
Through the evaluation process, management may decide that internal controls need improvement.
A full-bodied internal control system addresses each internal control principle. The following steps, organized by principle, may be considered by management in the development of information and communication processes.
- Identify Information Requirements
- Gather Quality Data
- Process the Information
- Establish Internal Communication Pathways
- Establish External Communication Channels
Tool for Development. Part Three contains optional tools for management to use in developing agency information and communication processes. Management may choose one of these tools or another method suitable for the agency's needs.
Control Development Questionnaire. This document walks through the steps outlined in "Developing Information and Communication Processes" with examples of information and communication processes, and space to document controls or reference standard operating procedures.
Control Development Template. This spreadsheet provides an abbreviated method for management to design information and communication processes to address specific risks identified through the risk assessment process. This template follows steps outlined in "Developing Agency Information and Communication Processes."
Example Objectives, Risks, Controls. This document provides examples of objectives, risks, and controls for major transaction areas. Lists are not intended to be exhaustive or applicable to all agencies.
Each major transaction area may include some or all of the following examples –
- Example Objectives and Risks.
- Minimum Internal Control Standards per the Accounting and Uniform Compliance Guidelines Manual for State and Quasi Agencies.
- Example Key Controls.
Principle Thirteen: Management uses quality information to achieve agency objectives.
1. Identify Information Requirements. Information requirements consider the expectations of both internal and external users. When identifying information requirements, ask –
What information do we need to support the functioning of the internal control system and achievement of objectives?
As part of this process, management must identify the policies, procedures, data, and reports needed. Knowing agency objectives and related risks will help identify information needs. Information needed to support the functioning of the internal control system might include:
- Information needed for effective monitoring of events, activities, and transactions to allow prompt reaction. For example, managers need operational and financial data to evaluate performance and goals of accountability for effective and efficient use of resources.
- Operational information to determine whether programs comply with laws and regulations.
- Analytical information to help identify specific trends or actions needed.
2. Gather Quality Data. Quality information allows management to make informed decisions, address risks, and evaluate performance. When considering information requirements, ask –
Where do I get this information?
How do I know it is accurate and reliable?
Quality information contains the following attributes: accessible/available, complete, accurate, correct, current, protected, retained, sufficient, timely, valid, and verifiable.
3. Process the Information. Pertinent information must be processed in sufficient detail, in the right form, and in the appropriate time to enable employees to carry out their duties and responsibilities. Questions to ask might include –
Who needs this information?
Is this information presented in a way that is useful? When is this information needed?
Examples of processed information include grant expenditure reports from accounting records or performance measures reports from statistical data.
Quality must be maintained to support the functioning of the internal control system and achievement of objectives. As part of this process, management should consider costs and benefits so that the nature, quantity, and precision of information communicated are commensurate with and support the achievement of objectives.
Principle Fourteen: Management internally communicates the necessary quality information to achieve agency objectives.
4. Establish Internal Communication Pathways. Internal communication channels information in all directions (across, up, and down the agency) to ensure employees, management, and leadership stay informed, resulting in coordinated, informed decision making. An agency must internally communicate information, including objectives and responsibilities for internal control, to support the functioning of all components of the internal control system.
Effective communication channels –
- provide timely information.
- address individual needs.
- inform employees of their duties and responsibilities.
- enable the reporting of sensitive matters.
- empower employees to provide suggestions for improvement.
- provide the information necessary for all employees to carry out their responsibilities effectively.
- help management evaluate the internal control system.
- convey top management's message on the importance of internal control responsibilities.
Examples of internal communication channels include –
- Microsoft Teams Meetings (or similar platform).
- Webinars.
- Dashboards.
- Newsletters.
- Emails.
- Policies and Standard Operating Procedures.
- Regular Staff Meetings.
- Inhouse Training Sessions.
Examples of quality information received and communicated through the agency may include job descriptions detailing internal control responsibilities; financial reports; and performance measures.
Principle Fifteen: Management externally communicates the necessary quality information to achieve agency objectives.
5. Establish External Communication Channels. External communication flows in two directions – enabling inbound communication of relevant information from external parties and providing outbound information to external parties in response to requirements and expectations.
Communication channels should receive information from external sources that will assist the agency with achieving its objectives. External Audit Reports, Hotlines, and Customer Surveys represent examples of external communication coming into the agency.
Communication channels from the agency to external receivers must provide information relevant to the requester's needs in the achievement of agency objectives. Examples of information going out from the agency include providing information to the public, federal grantor agencies, vendors, contractors, and subrecipients.
Conveying information externally involves many different layers of internal controls including the control environment, the risk assessment process, and control activities. Before information is released to an outside party, management must be confident about the accuracy of information, based on internal policies and procedures.
In establishing external communication channels, consider –
- Evaluating the reliability of information provided to and received from external parties.
- Ensuring only authorized individuals provide information to external parties.
- Safeguarding restricted information for authorized external parties.
- Communicating to employees the availability of separate reporting lines such as the Inspector General Hotline, or the State Board of Accounts Fraud Reporting Form.
Documenting Agency Information and Communication Processes
Information and Communication processes must be documented. Documenting the agency's internal control system fosters communication and understanding of the internal control system. Benefits encompass the capability to –
- Communicate the design, implementation, and operating effectiveness of the internal control system to personnel.
- Retain organizational knowledge and mitigate the risk of having knowledge limited to a few personnel.
- Support the results of ongoing monitoring, identify internal control issues, and support the appropriate corrective actions.
- Provide tangible audit evidence to internal and external assurance providers. As part of the audit engagement, auditors will ask for written internal controls, and test those controls to determine the nature, timing, and extent of audit testing. Written internal controls must incorporate a process to maintain tangible evidence that the controls are functioning as intended. For example, if eligibility for a service is based on the participant’s income, auditors may review agency processes to identify, gather, and communicate suitable information to appropriate program and finance staff.
Methods to document the internal control system include narratives, flowcharts, and standard operating procedures. Part Three contains optional tools to facilitate and document the evaluation and development of internal controls.
Section Five: Monitoring
Overview
How do I know that internal controls are working? By monitoring, or performing evaluations. Monitoring involves a process to select, develop, and perform ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. Monitoring ensures that internal control aligns with changing objectives, environment, laws, resources, and risks.
Principles sixteen and seventeen apply to the monitoring component of internal control.
Principle Sixteen: Management establishes and operates monitoring activities to monitor the internal control system and evaluate the results.
Principle Seventeen: Management remediates identified internal control deficiencies on a timely basis.
Monitoring activities and control activities can be easily confused. Many of the control activities can also be used as monitoring activities with the only difference being the intent of the control. For example,
- Reviewing a reconcilement for accuracy and supporting documents is a control activity; reviewing a reconcilement to ensure that appropriate personnel completed and reviewed the reconcilement in accordance with internal control procedures is a monitoring activity.
- Reviewing a purchase request to determine whether the expense is warranted is a control activity; reviewing a purchase request to see that proper authorization was given in accordance with agency policy is a monitoring activity.
- Reviewing program eligibility for a program participant is a control activity; reviewing participant eligibility to ensure eligibility requirements were applied correctly and documented in accordance with internal control procedures is a monitoring activity.
When considering monitoring activities, understanding the purpose of the activity will help avoid confusion.
As a fundamental aspect of maintaining strong internal controls, monitoring helps agencies adapt to evolving risks and challenges. Monitoring is most effective and efficient when the agency prioritizes and allocates resources based on the importance of the control to meeting the agency mission and core business objectives.
Why It Matters
Controls left unmonitored tend to weaken with the passage of time. Monitoring, as defined in the COSO Internal Control Framework, ensures "that internal control continues to operate effectively."
Effective design and implementation of monitoring leads to advantages for agencies by –
- Providing feedback for ongoing improvements in control systems and processes.
- Ensuring that an agency adheres to legal and regulatory requirements.
- Maintaining the integrity of financial information.
- Addressing weaknesses or vulnerabilities in agency operations, reducing risk.
- Determining whether enhancements to the internal control system are needed to ensure risks are continually mitigated to an acceptable level.
- Identifying improvements that can lead to cost savings and better resource allocation.
- Assessing the quality of performance over time.
- Resolving audit findings.
- Demonstrating a commitment to transparency and accountability.
- Streamlining the internal control assessment process.
- Providing a basis for annual internal control certification.
Over time, proactive monitoring can lead to enhanced organizational efficiency and cost reduction by identifying and addressing issues in advance, reducing the need for reactive measures.
Where to Start
Evaluating agency monitoring procedures serves as the optimal starting point for developing a successful internal control system. After evaluation, additional controls may be developed by following suggested steps in "Developing Agency Monitoring Procedures" or other processes determined by management. To be effective, the internal control system must be documented.
Evaluating Agency Monitoring Procedures
Does the agency have documented monitoring policies and procedures? Internal Control evaluation involves conducting periodic assessments of the agency's internal controls to determine whether:
- The agency will likely achieve its objectives.
- Risks to the agency and opportunities for improvement are identified.
- The elements of the agency's internal control system are functioning effectively.
Evaluation presents an opportunity to discuss and document internal controls. Meaningful and successful evaluations combine input from leadership across the agency, including major department or program areas. During this process, the consideration of absent controls will strengthen monitoring procedures and facilitate an action plan for the design and implementation of a full-bodied internal control system.
Tools for Evaluation. Part Three contains an optional tool for management to use in the evaluation of agency monitoring procedures. Management may choose this tool or consider other methods of evaluation based on the needs of the agency.
Monitoring Internal Control Evaluation Template. This spreadsheet identifies common best practices for the monitoring component. A series of open-ended self-evaluation questions will guide management through major internal control considerations with the ability to designate current controls as sufficient, needing improvement, or nonexistent.
Based on the evaluation of monitoring procedures, management may consider developing additional controls by following the recommended steps in "Developing Agency Monitoring Procedures."
Developing Agency Monitoring Procedures
Monitoring internal controls involves a systematic process to determine whether controls in place are effective in achieving objectives.
A full-bodied internal control system addresses each internal control principle. The following steps, organized by principle, may be considered by management in the development of monitoring procedures.
- Define Key Controls
- Establish a Baseline
- Set Benchmarks
- Select Monitoring Methods
- Gather Information
- Assess Monitoring Results
- Implement Corrective Action
Tool for Development. Part Three contains optional tools for management to use in developing agency monitoring procedures. Management may choose one of these tools or another method suitable for the agency's needs.
Control Development Questionnaire. This document walks through the steps outlined in "Developing Agency Monitoring Procedures" with examples of monitoring procedures and space for management to document answers for designing controls to suit the needs of the agency.
Control Development Template. This spreadsheet provides an abbreviated method for management to design monitoring procedures to address specific risks identified through the risk assessment process. This template follows steps outlined in "Developing Agency Monitoring Procedures."
Example Objectives, Risks, Controls. This document provides examples of objectives, risks, and controls for major transaction areas. Lists are not intended to be exhaustive or applicable to all agencies.
Each major transaction area may include some or all of the following examples –
- Example Objectives and Risks.
- Minimum Internal Control Standards per the Accounting and Uniform Compliance Guidelines Manual for State and Quasi Agencies.
- Example Key Controls.
Principle Sixteen: Management establishes and operates monitoring activities to monitor the internal control system and evaluate the results.
1. Define Key Controls. Monitoring is risk based, which enables evaluators to focus efforts on the key controls that address the most important risks. Key controls prevent or detect errors if all other controls fail. For example, controls which segregate duties for custody of assets, recordkeeping, and authorization are key controls.
When setting up monitoring activities, pinpoint key controls that mitigate significant risks. Key controls have one or both of the following characteristics:
- Operation of a key control prevents other control failures or detects such failures before they become material to the agency's objectives.
- Failure of a key control could materially affect the achievement of objectives and not be detected in a timely manner by other controls or monitoring procedures.
To get started, consider focusing monitoring efforts on –
- Key controls needed to resolve audit findings.
- Key controls to address the top risks identified by management.
- Significant changes to the agency's environment which may necessitate adjustments to internal controls.
Add other key controls in order of importance. Some factors to consider include:
- Size and Complexity, including complicated activities, regulatory requirements, services provided, sensitive transactions.
- Nature of Operations, including a high level of change in personnel, processes, or technology.
- Rate of Change, such as changes to programs or services provided, processes, and supporting technology.
- Importance of Controls to meeting agency mission and objectives.
2. Establish a Baseline. For key controls and risks identified, establish a baseline of known effective internal controls. This will be the foundation of ongoing monitoring and separate evaluations. Sources of baseline criteria include agency standard operating procedures, Accounting and Uniform Compliance Guidelines for State and Quasi Agencies, Financial Management Circulars, State policies and procedures, Indiana Code, Code of Federal Regulations, grantor requirements, best practices, and other authoritative sources.
3. Set Benchmarks. Once key controls are selected and a baseline established, form clear benchmarks to evaluate the effectiveness of controls. Benchmarks should be measurable and specific. For example, specific and measurable criteria to evaluate the effectiveness of a cash receipts reconciliation to accountable items could include accuracy; timeliness to complete the reconciliation; timeliness of discrepancy resolution; and sufficiency of documentation. Through a comparison of the monitoring results to the established baseline, management can assess the quality of internal controls over time and adjust, as necessary.
4. Select Monitoring Methods. Choose appropriate methods for monitoring. Monitoring may be performed on an ongoing basis and through separate evaluations to determine whether all five components of internal control are present and functioning.
Ongoing monitoring through day-to-day operations is the most timely and responsive to change. It occurs when the routine operations of the agency provide feedback through direct and indirect information to those responsible for the effectiveness of the internal control system. Examples include –
- Using automated tools.
- Performing regular management and supervisory activities.
- Preparing comparisons.
- Performing reconciliations.
Separate evaluations, apart from day-to-day operations, periodically assess whether controls effectively mitigate risks to an acceptable level. Separate evaluations vary in scope and frequency depending on risk assessment or results of ongoing evaluations. Examples include –
- Self-assessments.
- Reviews by staff or management independent of the performance of key controls.
- Audit results and other evaluations.
- Data Analysis and trend monitoring.
- Tests and Sampling.
The following table provides insight on how to determine the appropriate monitoring approach and appropriate type of information to use when monitoring internal controls.
| Importance of Control | Determining Factors | Possible Monitoring Approach |
| --- | --- | --- |
| Highest | Controls that mitigate risks with high likelihood of occurring (frequency), and high impact (severity) to the department. | Ongoing monitoring activities using direct and indirect information, with periodic separate evaluations of direct information. |
| Moderate with short-term duration | Controls that mitigate risks with low likelihood of occurring (frequency), but high impact (severity) to the department. | Ongoing monitoring using indirect information, with periodic separate evaluations of direct information. |
| Moderate with long-term duration | Controls that mitigate risks with high likelihood of occurring (frequency), but low impact (severity) to the department. | Ongoing monitoring using indirect information, with less frequent separate evaluations of direct information. |
| Lowest | Controls that mitigate risks with low likelihood of occurring (frequency), and low impact (severity) to the department. | Senior management may not monitor or may use infrequent separate evaluations. |
Regardless of the method chosen, monitoring procedures will involve evaluators who are responsible for designing the monitoring activities, assessing monitoring results or information, and reaching conclusions regarding the effectiveness of internal control. Some evaluators may be responsible for overseeing processes or monitoring the operation of certain controls as part of their routine job functions.
Evaluators must be knowledgeable about the internal control system, how controls should operate, and what constitutes a control deficiency. Objectivity is also a crucial factor, but its extent may vary depending on the type of monitoring being conducted. For example, self-review is the least objective; peer/coworker review is somewhat objective; supervisory review is more objective than peer review; and impartial review (review by staff from other departments or external parties) is the most objective.
Through a strong control environment, management must educate all personnel about their role in monitoring internal controls and establish a system to report identified issues.
5. Gather Information. Working information and communication processes facilitate the gathering of information for monitoring purposes. Effective monitoring requires management to evaluate sufficient "suitable information." Suitable information is relevant, reliable, and timely. Information that meets these conditions is defined as "persuasive" within the COSO Guidance on Monitoring Internal Control Systems.
- Relevant data logically connects with the information requirements; the sources of data can be operational, financial, or compliance related. Relevant data impacts management's decision-making process or the achievement of objectives.
- Reliable data will be complete and accurate, free from error and bias.
- Timely data allows for effective decision-making and monitoring.
Monitoring can include both direct and indirect information.
- Direct information comes by observing controls in operation, reperforming them, or otherwise evaluating their operation directly to ensure the control was performed. For example, reperforming a bank reconciliation; reviewing expense documentation for proper authorization; or reviewing an eligibility determination.
- Indirect information may include operating statistics, key risk indicators, key performance indicators, and comparative industry metrics that may indicate a change or failure in the operation of controls. For example, a trend analysis showing an unusual decline in revenue received or an atypical increase in program expenses.
The type of information gathered depends on the level of assurance desired. As part of the information gathering process, management will want to consider the desired level of assurance and methods needed to obtain that level of assurance. Examples include, from the least to the greatest level of assurance –
- Inquiries of appropriate personnel (inquiry alone is not sufficient support).
- Observations of operations.
- Inspections of relevant documentation.
- Reperformance of the application of a control (greatest level of assurance).
Principle Seventeen: Management remediates identified internal control deficiencies on a timely basis.
6. Assess Monitoring Results. Monitoring will confirm the sufficiency of internal controls or identify shortcomings. By assessing monitoring results, management may identify ways to improve the efficiency of internal control or areas where change may provide a greater likelihood the agency will achieve its objectives.
When deficiencies have been identified internally, management must determine whether identified issues require further evaluation and remediation. For example, management may conduct a risk assessment and evaluate the residual risk for impact and likelihood.
If the residual risk adversely impacts the achievement of a statewide goal, the agency's mission or core business objectives, management must consider a plan for resolution. A cost-benefit analysis should also be performed to determine the appropriate level of action.
7. Implement Corrective Action. Internal control deficiencies may be identified internally through monitoring or externally through audit reports, communication from grantor agencies, and other similar sources. Management addresses deficiencies through the development of corrective action plans. Management and leadership work together to ensure the corrective action plan is implemented and the resulting changes are effective in correcting internal control weaknesses. As part of this process, management must –
- Ensure that corrective actions address the root causes of the issues. These corrective actions include the resolution of audit findings.
- Communicate deficiencies to parties responsible for taking corrective action and persons identified in related policies and procedures.
- Delegate authority for completing corrective actions to appropriate personnel.
- Track corrective action plans to ensure deficiencies are remediated on a timely basis. Persons responsible for tracking corrective action should differ from those conducting the monitoring activities.
- Use the insights gained from monitoring to improve internal controls and processes. Update controls as necessary to address changing risks and circumstances.
Agency leadership must facilitate cooperation at all levels to develop comprehensive corrective action plans, including the following components:
- Specific action steps to correct the deficiency.
- Actions to address the root cause.
- Implementation time frames.
- Individual accountability for corrective action plan implementation.
Documenting Monitoring Procedures
Monitoring processes must be documented. Documenting the agency's internal control system fosters communication and understanding of the internal control system. Benefits encompass the capability to –
- Communicate the design, implementation, and operating effectiveness of the internal control system to personnel.
- Retain organizational knowledge and mitigate the risk of having knowledge limited to a few personnel.
- Support the results of ongoing monitoring, identify internal control issues, and support the appropriate corrective actions.
- Provide tangible audit evidence to internal and external assurance providers. As part of the audit engagement, auditors will ask for written internal controls, and test those controls to determine the nature, timing, and extent of audit testing. Written internal controls must incorporate a process to maintain tangible evidence that the controls are functioning as intended. For example, auditors may review agency procedures for reconciliation of revenue received to permits issued. If standard operating procedures state that a supervisor will monthly review reconciliation of revenue collected to permits issued and document the review via email, then auditors will need to review the supervisor’s email verifying the monthly review of reconciliations.
Methods to document the internal control system include narratives, flowcharts, and standard operating procedures. Part Three contains optional tools to facilitate and document the evaluation and development of internal controls.
Part Three: Tools for Evaluation and Development of the Agency Internal Control System
Tools for Evaluation Overview
(Optional evaluation tools to be used in conjunction with Uniform Compliance Guidelines on Internal Controls for State and Quasi Agencies)
Tools and examples provided in this section may be used in conjunction with steps in the Uniform Compliance Guidelines on Internal Controls for State and Quasi Agencies. Management may modify these tools or use other methods as deemed appropriate to evaluate, develop, and document the internal control system.
Control Environment
The control environment forms the foundation for a strong internal control system. Because it includes the overall attitude and actions of management regarding internal controls, the control environment does not generally change with a given objective.
Management may choose one of the available tools or consider other methods of evaluation based on the needs of the agency.
Control Environment Self Evaluation Questionnaire. A series of self‐evaluation questions will guide management through major internal control considerations in a "yes or no" format, which will help management determine which areas need further development. This section contains a copy of the questionnaire for reference.
Control Environment Internal Control Evaluation Template. This spreadsheet identifies common best practices for the control environment. A series of open‐ended self‐evaluation questions will guide management through major internal control considerations with the ability to designate current controls as sufficient, needing improvement, or nonexistent. This section contains a copy of the spreadsheet for reference.
In conjunction with either tool, management may refer to Example Objectives, Risks, and Controls for ideas on objectives and risks related to the control environment.
Based on the evaluation of the control environment, management may consider opportunities for improving the control environment. Suggested steps to develop the control environment are in "Developing the Control Environment" in Part Two, Section One: Control Environment.
Risk Assessment
A successful risk assessment prioritizes key activities and controls by combining input from leadership across the agency, including major department or program areas. After conducting a risk assessment, management may use the Internal Control Evaluation template to evaluate processes used and make improvements if necessary.
Risk Assessment Internal Control Evaluation Template. This spreadsheet identifies common best practices for conducting a risk assessment. A series of open‐ended self‐evaluation questions will guide management through major internal control considerations with the ability to designate current controls as sufficient, needing improvement, or nonexistent. This section contains a copy of the spreadsheet for reference.
In conjunction with the template, management may refer to Example Objectives, Risks, and Controls for ideas on related objectives, risks, and controls for major transaction areas.
Based on the evaluation of the risk assessment process, management may consider opportunities for improvement. Suggested steps to develop the risk assessment process are in "Conducting a Risk Assessment" in Part Two, Section Two: Risk Assessment.
Control Activities
Control activities are actions implemented through policies and procedures that prevent or detect identified risks to the achievement of objectives.
Control Activities Internal Control Evaluation Template. This spreadsheet identifies common best practices for control activities. A series of open‐ended self‐evaluation questions will guide management through major internal control considerations with the ability to designate current controls as sufficient, needing improvement, or nonexistent. This section contains a copy of the spreadsheet for reference.
In conjunction with the template, management may refer to Example Objectives, Risks, and Controls for ideas on related objectives, risks, and controls for major transaction areas.
Based on the evaluation of control activities, management may consider opportunities for improvement. Suggested steps to develop control activities are in "Developing Agency Control Activities" in Part Two, Section Three: Control Activities.
Information and Communication
All aspects of a strong internal control system rely on quality information and effective communication methods.
Information and Communication Internal Control Evaluation Template. This spreadsheet identifies common best practices for the information and communication component. A series of open‐ended self-evaluation questions will guide management through major internal control considerations with the ability to designate current controls as sufficient, needing improvement, or nonexistent. This section contains a copy of the spreadsheet for reference.
In conjunction with the template, management may refer to Example Objectives, Risks, and Controls for ideas on related objectives, risks, and controls for major transaction areas.
Based on the evaluation of information and communication processes, management may consider opportunities for improvement. Suggested steps to develop additional controls are in "Developing Agency Information and Communication Processes" in Part Two, Section Four: Information and Communication.
Monitoring
Monitoring ensures controls continue to operate effectively.
Monitoring Internal Control Evaluation Template. This spreadsheet identifies common best practices for the monitoring component. A series of open‐ended self‐evaluation questions will guide management through major internal control considerations with the ability to designate current controls as sufficient, needing improvement, or nonexistent. This section contains a copy of the spreadsheet for reference.
In conjunction with the template, management may refer to Example Objectives, Risks, and Controls for ideas on related objectives, risks, and controls for major transaction areas.
Based on the evaluation of monitoring procedures, management may consider opportunities for improvement. Suggested steps to develop additional controls are in "Developing Agency Monitoring Procedures" in Part Two, Section Five: Monitoring.
Internal Control Evaluation (ICE) Template Instructions
(ICE templates are optional tools to be used in conjunction with the Uniform Compliance Guidelines on Internal Controls for State and Quasi Agencies)
Introduction
Evaluating current agency controls serves as the optimal starting point for developing a successful internal control system. Meaningful and successful evaluations combine input from leadership across the agency, including major department or program areas.
The Internal Control Evaluation (ICE) template compares the agency's internal control system against best practices. Through the evaluation process, management decides whether internal controls are sufficient or need improvement. If desired, management may use the Control Development Template (CDT) as a guide for developing internal controls.
How to use the ICE template
Best Practice Statements and Questions to Ask. The Best Practice Statements relate to internal control principles and lead up to the Questions to Ask. The questions help management consider the degree to which the system is functioning. The best practice statements and questions to ask are meant to be a flexible starting point for the evaluation of internal control, not an exhaustive list. Management is encouraged to consider additional evaluation questions as needed.
Rating Columns. Management may rate the responses to the Best Practice Statements and Questions to Ask based on the following guidelines:
- Green: Controls are effective.
- Yellow: Controls need improvement or improvement is in progress.
- Red: Controls are not effective.
- N/A: Controls are not applicable.
What Controls are currently in place? If controls receive a green or yellow rating, management may use this column to document what controls are currently in place. This could include references to a standard operating procedure, narrative, flowchart, policy, web page, etc.
Will controls be improved or implemented? If controls receive a yellow or red rating, management will need to decide whether those controls will be improved (yellow) or implemented (red). Management will want to perform a risk assessment and cost-benefit analysis to make this determination.
If no, document reason. Management may refer to the risk assessment, cost‐benefit analysis, or other information used to determine controls will not be improved or implemented.
If yes, how will this be accomplished? Management will need to consider steps to develop the control. Management may use the control development tool to document the process, or other desired method to document management's plan.
Responsible Person. Management should delegate responsibility to ensure implementation in accordance with management's plan.
Target Completion Date. Management should set a goal for implementation.
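The column rules above form a small set of conditional requirements (a green or yellow rating should name the current controls; a yellow or red rating needs an improve/implement decision; a "no" needs a documented reason; a "yes" needs a plan, a responsible person, and a target date). The following Python script is an added illustration of checking completed ICE rows against those rules and listing the open action items; it is not an SBOA tool or part of this publication, the column names are taken from the instructions above, and the sample rows are constructed for the example and describe no real agency.

```python
"""Completeness check for Internal Control Evaluation (ICE) template rows.

Added illustration only (not an SBOA tool). Column names mirror the ICE
instructions; SAMPLE_ROWS is constructed data for demonstration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

RATINGS = {"green", "yellow", "red", "n/a"}


@dataclass
class IceRow:
    best_practice: str                   # Best Practice Statement / Question to Ask
    rating: str                          # Green | Yellow | Red | N/A
    current_controls: str = ""           # What controls are currently in place?
    will_improve: Optional[bool] = None  # Will controls be improved or implemented?
    reason_if_no: str = ""               # If no, document reason
    plan_if_yes: str = ""                # If yes, how will this be accomplished?
    responsible_person: str = ""         # Responsible Person
    target_date: Optional[date] = None   # Target Completion Date


def validate_row(row: IceRow) -> List[str]:
    """Return the completeness problems for one row (an empty list means OK)."""
    problems: List[str] = []
    rating = row.rating.strip().lower()
    if rating not in RATINGS:
        return [f"unknown rating {row.rating!r}"]
    # Green/yellow rows are expected to reference the controls that exist.
    if rating in ("green", "yellow") and not row.current_controls.strip():
        problems.append("green/yellow rating but no current controls documented")
    # Yellow/red rows require a decision, and the decision drives what follows.
    if rating in ("yellow", "red"):
        if row.will_improve is None:
            problems.append("yellow/red rating but improve/implement decision missing")
        elif row.will_improve is False and not row.reason_if_no.strip():
            problems.append("decision is 'no' but no reason documented")
        elif row.will_improve:
            if not row.plan_if_yes.strip():
                problems.append("decision is 'yes' but no plan documented")
            if not row.responsible_person.strip():
                problems.append("decision is 'yes' but no responsible person")
            if row.target_date is None:
                problems.append("decision is 'yes' but no target completion date")
    return problems


def open_action_items(rows: List[IceRow], as_of: date) -> List[Tuple[str, str, bool]]:
    """Rows committed to improvement, with a flag when the target date has passed."""
    items = []
    for row in rows:
        if row.rating.strip().lower() in ("yellow", "red") and row.will_improve:
            overdue = row.target_date is not None and row.target_date < as_of
            items.append((row.best_practice, row.responsible_person, overdue))
    return items


# Constructed sample rows (hypothetical agency, hypothetical SOP references).
SAMPLE_ROWS = [
    IceRow("Revenue is reconciled to permits issued monthly.", "Green",
           current_controls="SOP 4.2; supervisor review documented by email"),
    IceRow("Access to the permit system is reviewed quarterly.", "Red",
           will_improve=True, plan_if_yes="Draft access review SOP; first review Q1",
           responsible_person="IT Security Lead", target_date=date(2025, 3, 31)),
    IceRow("Duties for cash receipts are segregated.", "Yellow",
           current_controls="Two clerks share receipting; compensating review by manager",
           will_improve=False),  # missing reason
    IceRow("Monitoring results are reported to leadership.", "Yellow",
           current_controls="Ad hoc reports"),  # decision not yet made
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row.best_practice, "->", validate_row(row) or "complete")
    for practice, person, overdue in open_action_items(SAMPLE_ROWS, date(2025, 6, 30)):
        print("OPEN:", practice, "|", person, "| overdue" if overdue else "| on track")
```

Run it directly to see one complete row, one complete action item that is overdue as of the chosen date, one "no" decision lacking its reason, and one yellow row with no decision recorded; feeding it the agency's own exported template rows would surface the same gaps before an auditor asks for them.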
Documentation
A copy of the completed ICE, along with any supporting control documentation, should be organized and retained electronically. Organizing this information in a logical manner provides easy access for future updates and revisions and for handling requests from internal or external parties, such as internal or external auditors.
Documentation will vary by agency. The amount of documentation gathered to evidence this evaluation depends on an agency's size, complexity of organizational structure and business activities. Actual documentation may include mission statements, goals, objectives, organization charts, policies, and procedures, etc.
Tools for Development Overview
(Optional evaluation tools to be used in conjunction with the Uniform Compliance Guidelines on Internal Controls for State and Quasi Agencies)
Tools and examples provided in this section may be used in conjunction with steps in the Uniform Compliance Guidelines on Internal Controls for State and Quasi Agencies. Management may modify these tools or use other methods as deemed appropriate to evaluate, develop, and document the internal control system.
Control Environment
After evaluation, management may determine that improvements should be made to the control environment. The following optional tools follow steps provided in Part Two, Section One, "Developing the Control Environment." However, management may choose any method that best suits the needs of the agency. If using the tools provided, management will want to choose one of the following –
Control Environment Questionnaire. This document walks through the steps in "Developing the Control Environment" with examples of activities to improve the control environment and space to document controls or references to agency policies. The questionnaire may be downloaded for agency use at this link.
Control Environment Development Template. This spreadsheet provides an abbreviated method for management to design control environment processes by following the steps in "Developing the Control Environment" and document controls or references to agency policies. The template may be downloaded for agency use at this link.
In conjunction with either tool, management may refer to Example Objectives, Risks, and Controls for ideas on objectives and risks related to the control environment.
Conducting a Risk Assessment
Risk assessment involves an ongoing process to recognize potential problems (risks) and determine the best way to manage them. When considering ways to conduct a risk assessment, management may wish to consider the following tool, which follows the steps outlined in Part Two, Section Two, "Conducting a Risk Assessment."
Risk Assessment Template. The Risk Assessment Template provides a method for management to document risks to objectives and management's response to those risks. This template follows the outlined steps in "Conducting a Risk Assessment." The template may be downloaded for agency use at this link.
In conjunction with this tool, management may refer to Example Objectives, Risks, and Controls for ideas on objectives and risks for major transaction areas.
Control Activities, Information and Communication, and Monitoring
After conducting a risk assessment, management develops processes to mitigate identified risks by implementing control activities, information and communication, and monitoring processes. Management may choose one available tool or other method suitable for the agency's needs.
Control Development Template. This spreadsheet provides an abbreviated method for management to design and document control activities, information and communication, and monitoring processes to address specific risks identified through the risk assessment process. This template follows steps outlined in the Uniform Compliance Guidelines on Internal Controls for State and Quasi Agencies for developing control activities, information and communication processes, and monitoring procedures. Several risks may be addressed on this template. The template may be downloaded for agency use at this link.
Control Development Questionnaire. This questionnaire walks through the steps outlined in the Uniform Compliance Guidelines on Internal Controls for State and Quasi Agencies for developing control activities, information and communication processes, and monitoring procedures. Space is provided to explain and document internal controls to mitigate the identified risk. The questionnaire may be downloaded for agency use at this link.
In conjunction with either tool, management may refer to Example Objectives, Risks, and Controls for ideas on objectives, risks, and controls for major transaction areas.