20.15
Internal Control Basics

20.15.10

July 1, 2017

Internal control definition
 

Internal control is a process, effected by those charged with governance, management, and other employees, designed to provide reasonable assurance regarding the achievement of the entity’s objectives relating to operations, reporting, and compliance.

For purposes of Chapter 20, the state’s internal control objectives are defined as the need for each agency to:

  • Safeguard its assets.
  • Check the accuracy and reliability of its accounting data.
  • Promote operational efficiency.
  • Encourage adherence to policies for accounting and financial controls.

 

The definition of internal control emphasizes that internal control is:

  • Geared to the achievement of objectives in one or more separate but overlapping categories – operations, reporting, and compliance.
  • A process consisting of ongoing tasks and activities – a means to an end, not an end in itself.
  • Effected by people – not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to effect internal control.
  • Able to provide reasonable assurance – but not absolute assurance, to an entity’s management.
  • Adaptable to the entity structure or size – flexible in application for the entire entity or for a subset of an entity.

This definition of internal control is intentionally broad. It incorporates concepts that are fundamental to how entities design, implement, and operate a system of internal control and assess its effectiveness.

20.15.20

July 1, 2017

Roles and responsibilities
 

Agency management is responsible for the agency’s operations, compliance and financial reporting objectives. Therefore, the adequacy of internal control to provide reasonable assurance of achieving these objectives is also the responsibility of management. That said, every state employee has a role in effecting internal control. Roles vary in responsibility and level of involvement, as discussed below.

Given agency structure and size, individuals may assume multiple roles. However, care should be taken to address the increased risk that may result from the concentration of responsibilities.

20.15.20.a

Those charged with governance are responsible for overseeing the strategic direction of the agency and obligations related to the agency’s accountability. This includes overseeing the design, implementation, and operation of an effective internal control system. For most agencies, those charged with governance include the agency head and members of agency senior management. For agencies with a governing board, the board may appoint individuals to fulfill this function.

20.15.20.b

The agency head is ultimately responsible for identifying risks and establishing, maintaining, and monitoring the agency’s system of internal control. If the agency head delegates this responsibility, the designated person should have sufficient authority to carry out these responsibilities. The agency head together with those charged with governance and agency management set the tone at the top that affects the control environment in particular and all other components of internal control. The agency head signs the annual Financial Disclosure Certification and, if applicable, the Federal Assistance Certification.

20.15.20.c

The internal control officer (ICO) is responsible for coordinating the agency-wide effort of evaluating internal control using the guidance in this chapter. The ICO coordinates the agency’s required risk assessment and internal control monitoring activities and annually provides written assurance to the agency head as required in Subsection 20.15.30. While each agency is required to have an ICO, the ICO may perform these duties on a full-time basis or on a part-time basis as long as other duties performed are not incompatible with the ICO duties.

20.15.20.d

Agency management at all levels is responsible for internal control under their span of control. Management is responsible to communicate to agency employees their explicit or implicit control activity duties. In addition, agency management should provide channels outside normal reporting lines so agency employees can report noncompliance, problems in operations, and illegal acts.

Management is also responsible to convey the importance of internal control to all employees both by what they say and what they do. If management is willing to override controls, then the message that internal control is not important will be conveyed to employees.

20.15.20.e

Each agency employee is responsible to be aware of and attentive to risk management and other internal control issues, to consider limitations and key risk areas, and to document decisions. To be most effective, employees need to understand the agency’s mission, objectives, responsibilities, and their own role in managing risk. Each employee is also responsible to report to management (and through channels outside normal reporting lines when necessary) noncompliance, problems in operations, and illegal acts.

20.15.20.f

Other professionals (internal or external to the agency) may provide assurance and advisory support to management in areas such as developing appropriate procedures to conduct risk assessments and internal reviews of control activities.

20.15.20.g

External auditors are not part of an agency’s internal control system and cannot be a replacement for or supplement to an adequate system of internal control. The role of the external auditor is to provide independent accountability and assurance to the public and external stakeholders. However, this independent assurance is also valuable feedback to those charged with governance and agency management.

20.15.30

July 1, 2017

Annual requirements for agencies related to statewide reporting

The Office of Financial Management (OFM) prepares the state’s Comprehensive Annual Financial Report (CAFR) annually. While OFM has final responsibility for the contents of the CAFR, the data in the financial statements and many of the notes to the financial statements are generated from Agency Financial Reporting System (AFRS) transactions input by agencies. Because agencies are in control of transactions entered into AFRS, OFM relies on agency internal control systems and the monitoring of those systems to assert in writing that the CAFR is correct and complete.

 

Additionally, OFM prepares the Statewide Single Audit Report annually. Because federal programs are administered at the agency level, OFM relies on agencies to establish and maintain effective systems of internal control over federal program compliance. OFM relies on agency internal control systems and the monitoring of those systems to assert in writing that the state has materially complied with the provisions of federal programs in order to comply with the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards.

20.15.30.a

Risk assessment and internal control monitoring

At a minimum, agencies are required to document risk assessment and internal control monitoring activities for objectives related to financial reporting and federal program compliance. These activities may be done agency-wide at one time or by sections of the agency over a period of time. The agency should consider significance when planning the focus of the risk assessment activities. Likewise, agencies should consider the results of the risk assessment when planning the focus of the monitoring activities. An overall agency plan for risk assessment and internal control monitoring should strive to address high risk areas at least once a biennium.

20.15.30.b

Required written annual assurance by the internal control officer

The risk assessment and associated internal control monitoring plan should be designed to provide management with reasonable assurance that controls are operating as expected. The plan should also be used to determine if internal control modifications are needed by considering events that have occurred, processes or procedures that have changed, new projects or programs that are being planned or implemented, and other changes within the agency that may have additional risks. If the plan uncovers internal control weaknesses or if prior weaknesses still exist, they should be documented and addressed in a timely manner.

The internal control officer is to communicate to the agency head the results of the agency’s required risk assessment and associated internal control monitoring process. The communication is to include a summary of all known weaknesses in internal control that could have a material effect on financial reporting and federal program compliance along with the related corrective action or recommendations. This communication may be ongoing and informal, but at least once per year, this assurance must be made in writing to the agency head.

The internal control officer is responsible for ensuring that the plan is followed and that required documentation of the risk assessment and monitoring conclusions is maintained and available for review by agency management, the State Auditor's Office, and OFM.

20.15.30.c

Required annual certifications signed by the agency head and CFO

As evidence that OFM can rely on each agency’s internal control systems for statewide reporting purposes, every agency head and chief financial officer (CFO) is required to annually sign and submit a Financial Disclosure Certification and, if applicable, a Federal Assistance Certification, to OFM’s Accounting Division. By signing the certification(s), the agency head and CFO certify that:

  • We are responsible for and have established and maintained an effective system of internal controls as prescribed by SAAM Chapter 20. Our agency's system of internal controls incorporates adequate procedures and controls to safeguard our assets, check the accuracy and reliability of our accounting data, promote operational efficiency, and encourage adherence to policies for accounting and financial controls. If there are significant deficiencies in internal control, a summary of the deficiencies and corrective action is attached to this state certification.
  • We are responsible for the design and implementation of programs and controls to prevent and detect fraud. We have disclosed all known instances and allegations of fraud or suspected fraud involving management and employees who have significant roles in internal control. We have also disclosed on this state certification any known instances and allegations of fraud or suspected fraud involving others where the fraud could have a material effect on the financial statements.
  • If applicable, we are responsible for and have established and maintained an effective system of internal control over federal program compliance, providing reasonable assurance that federal awards are managed in compliance with laws, regulations, and the provisions of contracts and grant agreements that could have a material effect on those programs. If there are significant deficiencies in internal control, a summary of the deficiencies and corrective action is attached to this federal certification.

An agency head and CFO may use a variety of evidence as support for signing the certifications referred to above, including the required annual assurance.

20.15.40

July 1, 2017

Internal control components and principles
 

The following five components and 17 principles together represent a comprehensive system of internal control. This subsection presents a summary of each of the five components and the principles relating to each component. For further details, refer to each component’s section.

20.15.40.a

Control environment

The control environment is the set of standards, processes, and structures that provide the foundation for carrying out internal control across the agency. The agency head together with those charged with governance and agency management set the tone at the top regarding the importance of internal control and expected standards of conduct.

 

There are five principles relating to the control environment.

  1. The agency head together with those charged with governance and agency management demonstrate commitment to integrity and ethical values.
  1. Those charged with governance oversee the development and performance of internal control.
  1. Management establishes structures, reporting lines, and appropriate authorities and responsibilities in pursuit of objectives.
  1. Management demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
  1. Management holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

20.15.40.b

Risk assessment

Risk assessment involves a dynamic and iterative process for identifying risks to achieving the agency’s objectives, analyzing the risks, and using that information to decide how to respond to the risks.

 

There are four principles relating to risk assessment.

  1. Management specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to its objectives.
  1. Management identifies and analyzes risks to the achievement of its objectives and uses that as a basis for determining how the risks should be managed.
  1. Management considers the potential for fraud in assessing risks to the achievement of its objectives.
  1. Management identifies, analyzes, and responds to changes that could significantly impact its system of internal control.

20.15.40.c

Control activities

Control activities are policies, procedures, techniques, and mechanisms that help ensure that risks to the achievement of an agency’s objectives are mitigated. Control activities are performed at all levels of the agency, at various stages within business processes, and over the technology environment.

 

There are three principles relating to control activities.

  1. Management designs control activities to achieve its objectives and respond to risks.
  1. Management designs its information systems and related control activities to achieve its objectives and respond to risks.
  1. The agency implements control activities through policies and procedures.

20.15.40.d

Information and communication

Information and communication are necessary for an agency to carry out its internal control responsibilities to support the achievement of its objectives.

 

There are three principles relating to information and communication.

  1. The agency obtains or generates and uses relevant, quality information to support the functioning of internal control.
  1. The agency internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  1. The agency communicates with external parties regarding matters affecting the functioning of internal control.

20.15.40.e

Monitoring activities

Monitoring is the process of evaluating the quality of internal control performance over time and promptly addressing internal control deficiencies.

 

There are two principles relating to monitoring activities.

  1. Management establishes and performs activities to monitor the internal control system and evaluate the results.
  1. The agency evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action.

20.15.50

July 1, 2017

Limitations of internal control

No matter how well designed, implemented, and conducted, internal control can provide only reasonable assurance that objectives will be achieved due to limitations inherent to any system. These limitations include the following:

20.15.50.a

Judgment – The effectiveness of controls is limited by the fact that decisions must be made with human judgment based on the person’s experience and qualifications, in the time available, the information available, and pressures to conduct business.

Clear written policies and instructions, redundant controls, and effective monitoring may address this limitation in some instances.

20.15.50.b

External events – Achieving operational objectives may be limited by factors outside the agency’s control, such as federal regulations, responsiveness of customers or program partners, and natural disasters. However, internal control should at least allow the agency to be informed of progress, or lack thereof, toward achieving such objectives. 

Effective risk assessment may address this limitation in some instances.

20.15.50.c

Breakdowns – A well-designed system of internal control can break down due to misunderstanding instructions, obsolete technology, faulty assumptions, mistakes due to carelessness, distraction, or being asked to focus on too many tasks.

Effective risk assessment and monitoring, automated controls and redundant controls may address this limitation in some instances.

20.15.50.d

Management override – Even in an agency with an effective system of internal control, high-level employees may be able to override prescribed policies or procedures for personal gain or advantage. This should not be confused with management intervention, which represents management actions to depart from prescribed policies or procedures for legitimate purposes.

An internal audit function reporting to those charged with governance or a communication channel to allow anonymous or confidential communication, such as the statewide whistleblower program, may address this limitation in some instances.

20.15.50.e

Collusion – Collusion between two or more individuals can result in control failures. Individuals acting collectively often can alter financial data or other management information in a manner that cannot be identified by the control system.

Effective monitoring and redundant controls may address this limitation in some instances.

20.15.50.f

Resource limitations – Every agency must prioritize efforts to implement or improve controls within resource limitations.

 

20.15.60

July 1, 2017

Other considerations
 

There are many ways to achieve effective internal control. Management must use judgment in determining the specific combination of controls and how such controls are implemented, based on the agency’s statutory purposes, regulations, programs, size, organizational structure, program structure, technology, staffing, and policies. Thus, while all agencies must have sufficient internal control, the specific controls in place will vary.

20.15.60.a

Large versus small agencies – All components and principles apply to both large and small agencies. However, smaller agencies may have different implementation approaches than larger agencies. Smaller agencies typically have unique advantages, which can contribute to an effective internal control system. These may include a higher level of involvement by management in operational processes and direct interaction with employees.

A smaller agency, however, may face greater challenges in segregating duties because of its concentration of responsibilities and authorities in the organizational structure. Management, however, can respond to this increased risk through the design of the internal control system, such as by adding additional levels of review for key operational processes, reviewing randomly selected transactions and related supporting documentation, taking periodic asset counts, or checking supervisor reconciliations.

20.15.60.b

Benefits and costs of internal controls – When designing internal controls, management should balance the cost of different control approaches with expected benefits. The allocation of resources should address the areas of greatest risk, complexity, or other factors relevant to achieving the agency’s objectives.

20.15.60.c

Service organizations – Management may engage external third parties to perform certain operational processes for the agency, such as accounting and payroll processing, security services, or social service and health care claims processing. These external third parties are referred to as service organizations. Management, however, retains responsibility for the performance of processes assigned to service organizations. Internal control over contracted processes may be attained either with controls performed by the agency, reliance on controls performed by the service organization, or a combination of both. To the extent the agency relies on controls performed by the service organization, the agency needs to obtain appropriate written assurance from the service organization and to arrange for periodic independent review of these controls.

20.15.60.d

Documentation – Documentation is a necessary part of a system of internal control. Management must determine the level and nature of documentation that is needed to assess the effectiveness of internal control. Documentation should be sufficient to allow the agency to:

  • Assess the overall soundness of the system of internal control.
  • Be aware of the existence of internal control weaknesses, if any.
  • Formulate the agency’s plan of action for addressing internal control weaknesses and improving the internal control where necessary.

 
