20.all-Internal Control and Audit tracking
Description
20.10.10 20.10 Internal Control & Audit Tracking Policies 20.10.10 The purpose of this chapter This chapter provides agency heads and directors, internal control officers, internal auditors, and other agency staff with a background and approach to establishing and maintaining an effective system of internal control and audit so as to reasonably assure that they are meeting their respective missions and objectives. The Internal Control Guide developed by the Office of the State Controller provides specific guidance to meet the requirements of Title 5, Chapter 143, Section 1541, Subsection10 – A. The internal control policies are based on the report issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), standards adopted by enactment of Chapter 451, Public Laws of 2003, a comprehensive policy and procedures manual issued by the State Controller in September of 2003, and standards recently adopted by the American Institute of Certified Public Accountants and the federal Office of Management and Budget. The policies on internal auditing are derived from the Institute of Internal Auditors and the federal General Accounting Office. 20.10.20 Authority for these policies The authority for these policies is Title 5, Chapter 143, Section 1541, Subsection 10-A. 20.10.30 Applicability This chapter is applicable to and binding on all agencies of state government, unless otherwise exempted by ...
Informations
| Publié par | Zikes |
| Nombre de lectures | 27 |
| Langue | English |
Extrait
20.10.10
20.10.20 20.10.30
20.10.10
20.10 Internal Control & Audit Tracking Policies
The purpose of this chapter
This chapter provides agency heads and directors, internal control officers, internal auditors, and other agency staff with a background and approach to establishing and maintaining an effective system of internal control and audit so as to reasonably assure that they are meeting their respective missions and objectives. The Internal Control Guide developed by the Office of the State Controller provides specific guidance to meet the requirements of Title 5, Chapter 143, Section 1541, Subsection10 A. The internal control policies are based on the report issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), standards adopted by enactment of Chapter 451, Public Laws of 2003, a comprehensive policy and procedures manual issued by the State Controller in September of 2003, and standards recently adopted by the American Institute of Certified Public Accountants and the federal Office of Management and Budget. The policies on internal auditing are derived from the Institute of Internal Auditors and the federal General Accounting Office. Authority for these policies
The authority for these policies is Title 5, Chapter 143, Section 1541, Subsection 10-A. Applicability
This chapter is applicable to and binding on all agencies of state government, unless otherwise exempted by statute.
State Administrative & Accounting Manual
Issued by: Office of the State Controller 1
20.20.10
20.20.10
20.20.20 20.20.20.a 20.20.20.b
20.20.20.c
20 Internal Control and Audit Tracking
20.20 Internal Control Policies What is internal control?
Internal control is a management process for keeping an entity (agency, board, commission, department, division, institution, or program) on course in achieving its organizational objectives. A management control system, including comprehensive internal controls, should provide reasonable assurance that entity objectives are being met. Entity objectives fall into the following three separate but related categories: • Effectiveness and efficiency of operations, • Reliability of financial reporting, • Compliance with applicable laws and regulations. Control objectives focus the management control system toward those control activities designed to minimize the risks of not achieving entity objectives. Safeguarding of assets is an example of a control objective that, when in place and effective, aids in the achievement of all three entity objective categories . What are the basic internal control requirements?
Each agency is responsible for establishing and maintaining an effective system of internal control throughout the organization as required by Title 5, Chapter 143, Section 1541, Subsection 10-A. An internal control system should provide reasonable assurance that an organization will accomplish its objectives. The concept of reasonable assurance recognizes that the cost of an internal control activity should not exceed the benefit derived therefrom. Reasonable assurance equates to a satisfactory level of confidence given considerations of costs, benefits, and risks. Agency management must identify and analyze the risks to achieving entity objectives and then determine how those risks should be managed. Management defines the level of risk that the organization is willing to accept and strives to maintain risks within those levels.
State Administrative & Accounting Manual 2 Issued by: Office of the State Controller
20.20.20.d 20.20.30 20.20.30.a
20.20.30.b
20 Internal Control and Audit Tracking
20.20.30
Each agency is to adopt methods to assess risk and review control activities. The methods developed should address the specific needs of the agency. What are the agency's responsibilities toward minimizing risk? The internal control officer has the ultimate responsibility for establishing, maintaining, and reviewing the system of internal control in the agency. The agency director should designate one individual, with sufficient authority to carry out assigned responsibilities, as the internal control officer. (Normally, this would be a senior agency manager who does not serve in the internal audit function.) The internal control officer has the responsibility for coordinating and scheduling the overall agency-wide effort of evaluating and reporting on reviews and improving control activities in conformance with this policy. This person is to provide assurance to the agency director that the agency has performed the required risk assessments and the necessary evaluative processes. This communication may be ongoing, but at least once per year, this assurance must be made in writing to the State Controller. The manager of each organizational unit and any other components within an agency is responsible for internal control in that unit. Management should make it clear that agency staff have explicit or implicit control activity duties including delivery of services to the public; producing information for the management control system; maintaining financial information; and inspecting or maintaining physical assets. In addition, agency management should encourage agency staffs open communication with higher levels within the agency regarding problems in operations, non-compliance with codes of conduct, violations of policy, and illegal acts. Agencies have the flexibility to assign appropriate staff to complete the risk assessments and internal review of control activities required by this policy. This staffing may include those directly responsible for the system from first line supervisor on up, and also may include the internal auditor or other similarly qualified individual or contractor. All agencies, regardless of size, are to make adequate provision for periodic risk assessments and, as applicable, reviews of control activity procedures. State Administrative & Accounting Manual 3 Issued by: Office of the State Controller
20.20.30.c 20.20.30.d
20.20.30.e
20.20.40
20.20.40
20.20.50
20.20.60
20 Internal Control and Audit Tracking
An agency internal auditor, if available or the Bureau of Accounts and Controls Internal Control Specialists may provide technical assistance to the manager of an organizational unit in developing appropriate procedures to conduct risk assessments and internal reviews of control activities. Annual certification of compliance is required
Annually, each agency director and chief financial officer shall sign and submit a Financial Disclosure Certificate to the Office of the State Controller. This certificate will report the results of the agencys compliance with this policy, including an attached summary description of material internal control weaknesses, if any, and a brief corrective action plan. This certificate is provided to agencies annually in the Fiscal Year End Supplemental Reporting subsection located in Chapter 90 of this manual. It is due each year by the date specified in those instructions. What internal control documentation is required?
Agencies are to maintain adequate written documentation for activities conducted in connection with risk assessments, internal review of control activities and follow-up actions. These activities, as completed, should be documented no later than June 30, 2004 as required by Title 5, Chapter 143, Section 1541, Subsection 10 A.. The risk assessment methods documented should address at minimum: identification, review, and management of risks that affect entity objectives including control objectives such as safeguarding state assets and resources. This documentation includes any checklists and methods used to complete these activities. The internal control officer is responsible for ensuring that the required documentation is maintained and available for review by agency management, the State Auditor, the State Controller, and the Commissioner of Administrative and Financial Services. Please refer to the Internal Control Guide to help with complying with the documentation requirements. Answers to some common questions about internal control Answers to some common questions about internal control are presented
State Administrative & Accounting Manual 4 Issued by: Office of the State Controller
20.20.60.a
20.20.60.b
20.20.60.c
20 Internal Control and Audit Tracking
20.20.60
below. What is a risk assessment? A risk assessment is an ongoing process to identify, analyze, and manage risk. An agency needs a plan to identify both external and internal risks. The plan will help management understand how those risks affect their activities, assess their significance, manage their effect, and provide for continuous monitoring. Risk identification can often be integrated with an organizations planning activities. • External risks arise from activities outside the agency. Technological developments, changing public expectations, legislative directives, natural catastrophes and economic changes all have the potential for creating external risks in an agency. • Internal risks are less predictable and arise from activities inside the agency. Disruption of the central computer system or telephone system causes obvious operational problems. When a new agency director is appointed, changes in management style can affect internal control objectives. How does an agency identify risks? Identification of risks can start from existing systems. The budget process, audits, strategic planning, and other chapters included in this manual all provide opportunities for managers to conduct quantitative and qualitative reviews and to identify and prioritize risks. More informal opportunities include senior management planning meetings, meetings with management analysts or auditors, and everyday interaction with staff. More important than the specific method used to identify risks is managements careful consideration of factors unique to the agency. Some key factors, such as an agencys past experience in failing to meet objectives, staff quality, statutory framework, or the significance and complexity of activities in relation to the agencys mission, should receive managements careful consideration. By analyzing organizational activities, managers apply risk assessment to functions. Successfully managing risk at the activity level is integral to maintaining an acceptable level of risk for the organization. What is risk analysis? Risk analysis involves a careful, rational process of estimating the significance of a risk, assessing the likelihood of its occurrence and
State Administrative & Accounting Manual 5 Issued by: Office of the State Controller
20.20.60
20.20.60.d
20 Internal Control and Audit Tracking
considering what actions and controls need to be taken to manage it. Risk analysis also involves estimating the cost to the agency if something does go wrong. That analysis is based on the agencys assumptions about the risk and costs associated with reducing it. Sometimes an actual risk may appear to require one set of actions, but the perceived risk coupled with media reaction to that risk, requires a more expensive set of actions. It is also important to recognize the distinction between risk assessment (a part of a management control system) and actually managing risk (part of an organizations operations). Limitations on resources will define the level to which risks can be managed. How does an agency control or minimize risk? Control of risk starts with management deciding on the actions necessary to reduce the potential occurrence and significance and then monitoring conditions to remain aware of changing circumstances. Management tools for an early warning system include information systems and ensuring appropriate data are captured, processed, and reported. If an agency builds the components of a management control system into its planning efforts as well as its daily activities, it is more likely to avoid unnecessary costs; make quick responses as needs arise; and adapt to decreasing resources and changing political and economic climates. The five components of good internal controls within a management control system are: • Control Environment The control environment sets the tone of an organization. It influences the control consciousness of its people and it is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entitys staff; managements philosophy and operating style; the way management assigns authority and responsibility; the way management organizes and develops its staff; and the attention and direction provided by the legislature, board, committee, commission, authority, etc. • Risk Assessment Every entity faces a variety of risks from external and internal sources, all of which must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achieving the objectives and forms a basis for determining how the risks should be managed. Because economic, industry, regulatory, and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks State Administrative & Accounting Manual 6 Issued by: Office of the State Controller
20.20.60.e
20 Internal Control and Audit Tracking
20.20.60
associated with change. • Control Activities Control activities are the internal policies and procedures that help ensure management directives are carried out. They help ensure necessary actions are taken to address risks to achieving the entitys objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliation, review of operating performance, security of assets, and segregation of duties. (Refer also to Subsection 20.20.70.) • Information and Communication - Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to carry out their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information, making it possible to run and control the entity. Information systems deal not only with internally generated data, but also with information about external events, activities, and conditions necessary to both informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across, and up the organization. All personnel must receive from top management a clear message that control responsibilities must be taken seriously. Also, all personnel must understand their own role in the management control system, as well as how individual activities relate to the work of others. Additionally, staff members must have a means of communicating significant information upstream. Effective communication is also essential with external parties, such as customers, suppliers, regulators, and stakeholders. • Monitoring - Management systems and internal activities need to be monitored to assess the quality of their performance over time. Assessment is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations, including regular management and supervisory activities and other action personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Deficiencies should be reported upstream, with serious matters reported to top management. Do control activities increase staffing requirements?
State Administrative & Accounting Manual 7 Issued by: Office of the State Controller
20.20.70
20.20.70
20.20.70.a
20 Internal Control and Audit Tracking
Although control activity procedures are not intended to increase staffing levels, acceptable procedures are to be established and followed which may require changes in existing workloads and/or additional staff position(s). However, a periodic thorough internal review of control activities may identify policies and procedures that are no longer required. It is recognized that some small to medium size operations may not be able to institute internal control procedures on the same level as larger, more complex agencies. In those cases where staffing may prohibit or restrict the appropriate segregation of duties, management must either have more active oversight of operations or utilize personnel from other organizational units to the extent possible as compensating controls. More about control activities
The control activities presented in this subsection are intended to provide agency directors, internal control officers, internal auditors, and other agency staff with an overview. This subsection does not place any requirements or expectations on the agency. Comprehensive information and guidance may be found in the Bureaus Internal Control Guide. Control activities are actions taken to minimize risk. The need for a control activity is established in the risk assessment process. When the assessment has identified a significant risk to the achievement of an objective, a corresponding control activity should be determined. If control activities are in place for each significant agency operation and if management makes sure those activities are carried out properly, staff can be reasonably confident the management control system will provide the necessary assurances. Control activities and procedures should be considered to ensure the organization is in compliance with the State Administrative & Accounting Manual , Title 5, and other applicable accounting standards. Generally, these activities and procedures may be categorized into one of the following areas and completed by personnel at various levels: • Direct functional or activity management reviews - reviews should assess specific functions or activities. The reviews may focus on compliance, financial, or operational issues. State Administrative & Accounting Manual 8 Issued by: Office of the State Controller
20.20.70.b
20 Internal Control and Audit Tracking
20.20.70
• Information processing - A variety of control activities should be performed to check the accuracy and completeness of information as well as the authorization of transactions. Development of new systems, and changes to existing ones should be controlled. Additionally, access to programs and data should be restricted. • Physical controls - Equipment, inventories, securities, cash, and other assets should be secured physically, and periodically counted and compared with amounts shown on control records. • Operating Indicators - Certain operating results can be anticipated. By investigating unexpected results or unusual trends, circumstances that jeopardize the achievement of objectives can be identified. • Segregation of duties - Duties are divided, or segregated, among different people to reduce the risk of error or inappropriate actions. For example, responsibilities for authorizing transactions, recording them, and handling the related assets should be separated. What are some potential limitations of control activities? Control activities, no matter how well designed and executed, can provide only reasonable assurance regarding achievement of objectives. The likelihood of achievement is affected by limitations inherent in all control systems. These limitations include the following: • Judgment - The effectiveness of controls will be limited by the fact that decisions must be made with human judgment in the time available, based on information at hand, and under the pressures to conduct business. • Breakdowns - Even if control activities are well designed, they can break down. Personnel may misunderstand instructions or simply make mistakes. Errors may also stem from new technology and the complexity of computerized information systems. • Management override - Even in effectively controlled organizations, high level personnel may be able to override prescribed policies or procedures for personal gain or advantage. This should not be confused with management intervention, which represents management actions to depart from prescribed policies or procedures for legitimate purposes.
State Administrative & Accounting Manual 9 Issued by: Office of the State Controller
20.20.70
20 Internal Control and Audit Tracking
• Collusion - Collusion between two or more individuals can result in control failures. Individuals acting collectively often can alter financial data or other management information in a manner that cannot be identified by the control system. • Costs versus benefits - In determining whether a particular control activity should be established, the risk of failure and the potential effect must be considered along with the cost of establishing the control. Excessive control is costly and counterproductive. Too little control presents undue risk. Agencies should make a conscious effort to strike an appropriate balance.
State Administrative & Accounting Manual
10
Issued by: Office of the State Controller
20.30.10
20.30.20 20.30.20.a 20.30.20.b
20 Internal Control and Audit Tracking
20.30 Suspected Losses of Public Funds or Property
Why loss procedures are important
20.30.10
In the event of the suspected loss of public funds or property, it is important that correct procedures are followed in order to: • Minimize the loss; • Ensure that investigations are facilitated and not impeded; • Ensure that only prudent settlements are made; • Ensure that bond claims are protected; • Ensure that only appropriate personnel actions are taken; • Comply with Title 5, Chapter 11, Section 244-A to report losses to the State Auditor. • Comply with Title 5, Chapter 143, Section 1541, Subsection 10-A to report losses to the State Controller. What are the procedures an agency should follow upon suspicion of a loss? Each agency should follow the appropriate procedures outlined in this section. Additionally, each agency should establish formal procedures to notify appropriate agency personnel when someone suspects a loss of public funds or property. Appropriate personnel not involved in the suspected loss should be notified prior to contacting the outside agencies. This may include the agency head or deputies, chief financial officer or internal auditor depending upon the circumstances. The agency's Assistant Attorney General (AAG) should be consulted on incidents involving the loss of public funds or property, when the nature or facts of the incident warrant such discussion for the purpose of acquiring legal advice. It is best to establish, in advance and in writing, with the agency's assigned AAG appropriate general procedures to follow upon learning of a loss of public funds or property.
State Administrative & Accounting Manual 11 Issued by: Office of the State Controller
© 2010-2024 YouScribe