- Section I Internal Control Overview
- Chapter One: Introduction
- Chapter Two: Title 5, Chapter 143, Section 1541, subsection 10-A
- Chapter Three: Five Components of Internal Control
- Chapter Four: Internal Control Activities
- Chapter Five: Evaluating Internal Controls
- Chapter Six: Other Resources
What does the Guide discuss?
The Internal Control Guide for Managers discusses internal controls and the role of managers in developing, implementing, and monitoring them.
Section I, Internal Control Overview, provides general information about the components of internal control; how department heads and other managers can evaluate the internal controls within their areas of responsibility, modify, if necessary, and then document them. This documentation is what we refer to as an Internal Control Plan.
Section II, Management Controls provides specialized information relating to specific business practices in which the Office of the State Controller is involved, for example revenue and payroll. These chapters should be useful to nearly all managers at every level. The second section also provides information about internal controls for specialized units whose main function involves these and other business activities.
Who should read the Guide?
Internal control is the responsibility of every state manager. We do not suggest, however, that this Guide is all-inclusive. Managers should view it as a starting point and make their own decisions about the internal controls necessary within the programs or activities that they manage. We have, accordingly, prepared this document to assist all state managers in fulfilling their responsibilities relating to internal controls.
SECTION I Overview
In plain English, internal controls are exercise of good old common sense practices. More formally, internal control is broadly defined as a process, affected by an entity's management, other personnel, and/or a board of directors designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
Internal controls are tools that help managers be effective and efficient while avoiding serious problems such as overspending, operational failures, and violations of law. Internal controls are the structure, policies, and procedures put in place to provide reasonable assurance that management meets its objectives and fulfills its responsibilities. Management responsibilities for internal controls are met when:
- Programs and functions achieve their intended results (effective)
- Resource use is consistent with the agency mission (efficient)
- Laws and regulations are followed(compliance)
- Accurate and timely information is prepared (reliable reporting)
Effective internal control begins with written goals and objectives including:
- Operational objectives
- Financial reporting objectives
- Compliance objectives
It is understood that the principals of effective internal control include the following:
- Internal controls benefit rather than encumber management.
- Internal controls must make sense within each organization's unique operating environment.
- Internal controls are not stand-alone practices.
- They are woven into day to day responsibilities of managers.
- Internal structures and controls should be cost effective.
After assessing risk, internal controls are developed and implemented to help provide reasonable assurance that policies are in place that:
- Provide accountability
- Encourage sound management practices
- Encourage proper resource management
- Facilitate preparation for auditors
The Committee of Sponsoring Organization of the Treadway Commission (COSO) model is recognized throughout the world as a significant standard for discussing internal control. COSO identifies three categories of control objectives. The Standards addresses five primary objectives of internal control. While there are variations in terminology, the Standards and the COSO report essentially encompass the same broad internal control objectives; including: establishing an appropriate control environment, assessing risk, implementing control activities, communicating information, and monitoring.
Everyone in the work place has a role in making sure that internal controls are working. It is up to mangers to set them up and check that they are working, but unless every employee is aware of his/her responsibilities in the process, state government's control system will not be completely functional.
The Five Components of Effective Internal Controls
Internal Control Environment
Internal controls are likely to function well if management believes that those controls are important and communicates that view to employees at all levels. If management views controls as unrelated to achieving its objectives, or even worse, as an obstacle, this attitude will also be communicated. Despite policies to the contrary, employees will then view internal controls as "red tape" to be "cut through" to get the job done. An effective internal control environment:
- Sets the tone of an organization influencing the control consciousness of its people.
- Is an intangible factor that is the foundation for all other components of internal control, providing discipline and structure.
- Describes "organizational culture".
- Includes a commitment to hire, train, and retain qualified staff.
- Encompasses both technical competence and ethical commitment.
A risk is anything that endangers the achievement of an objective. Always ask: What could go wrong? What assets do we need to protect?
- Risk assessment is the process used to identify, analyze, and manage the potential risks that could hinder or prevent an agency from achieving its objectives.
- Risk increases during a time of change, for example, turnover in personnel, rapid growth, or establishment of new services.
- Other potential high risk factors include complex programs or activities, cash receipts, direct third party beneficiaries, and prior problems.
Internal Control Activities
Organizations establish policies and procedures so that identified risks do not prevent an organization from reaching its objectives.
- Clearly identified activities minimize risk and enhance effectiveness.
- Internal control activities are nothing more than policies, procedures, and the organizational structure of an organization.
- Can be either preventive, for example, requiring supervisory sign off, or detective, for example reconciling reports.
- Avoid excessive controls, which are as harmful as excessive risk and result in increased bureaucracy and reduced productivity.
Information and Communication
Information must be reliable to be of use and it must be communicated to those who need it. For example, supervisors must communicate duties and responsibilities to the employees that report to them and employees must be able to alert management to potential problems.
- Information must be communicated both within the organization and externally to those outside, for example, vendors, recipients, and other
- Communication must be ongoing both within and between various levels and activities of the agency.
After internal controls are put in place, their effectiveness needs to be periodically monitored to ensure that controls continue to be adequate and continue to function properly. Management must also monitor previously identified problems to ensure that they are corrected.
Section I: Internal Control Overview
A. Purpose of the Internal Control Guide
The four basic functions of management are usually described as planning, organizing, directing, and controlling. Internal control is what we mean when we discuss the fourth function, controlling. Adequate internal controls allow managers to delegate responsibilities to subordinate staff and contractors with reasonable assurance that what they expect to happen, actually does. Managers must develop internal controls for each activity for which they are responsible. The internal controls exercised over individual activities, when taken collectively, become the internal controls of the program or administrative function of which they are a part. The documented internal controls for each of a department's programs and administrative functions, when combined with overall department controls, comprise the department's internal control documentation. This documentation is required by Title 5, MRSA §1541, §10-A. We refer to this documentation, or a high level overview describing, referencing and summarizing the documentation as a department's Internal Control Plan.
No system of internal control functions properly without the knowledge and support of management at all levels. The Internal Control Guide for Managers stresses the essential role of managers at all levels in developing and monitoring departmental internal controls.
Because departmentsin state government vary in size, complexity, and degree of centralization, no single method of internal controls is universally applicable. Managers should use this guide as a framework for developing their internal control systems, consistent with their department's operations and agency mission.
The Internal Control Law.
Title 5, Chapter 143, §1541, §10-A requires that departments develop internal control systems "...in accordance with the following internal control guidelines established by the State Controller." This document, the Internal Control Guide for Managers is that guideline.
The Guide refers to each manager's area of responsibility as his or her unit. Used here, the term unit includes department, division, bureau, program, and other administrative unit.
B. Organization of the Guide
The Internal Control Guide is organized into two sections. This first section is an overview of the internal control concept. The second section describes required and suggested control-related policies and procedures for those administrative areas where the Controller's Office has oversight responsibility. This section offers specific policies and procedures for managers with internal control responsibilities for business areas where the Controller's Office has responsibility. Department heads and their designees should use both sections to develop centralized policies and procedures for incorporation into their department's Internal Control Plan.
Section I, Internal Control Overview, explains basic internal control concepts. This section provides an overview of the internal control process including definitions, statutory requirements, components of the internal control framework, and methods of developing, implementing and monitoring internal controls. Chapter One, "Introduction", provides an overview of internal control and explains how to use this manual. Chapter Two, explains the content of the Internal Control Law. Chapter Three, "Five Components of Internal Control", describes the five components of the internal control framework. Chapter Four, "Internal Control Activities", describes activities that organizations frequently use in developing their internal control policies and procedures. Chapter Five, "Evaluating Internal Controls", suggests an approach for evaluating and periodically reassessing internal controls.
Section II, Management Controls, describes internal control activities relating to specific administrative topics. Managers should find this section useful because it describes internal control responsibilities for business areas that affect almost all state managers in one way or another, such as purchasing and payroll. This section should also be useful to managers with department-wide internal control responsibilities. Managers for business areas such as payroll, accounting, inventory, or MFASIS data entry, for example, should refer to those chapters.
C. What is Management's Role?
An organization is a group of individuals working together to achieve a common purpose. Each person employed by a department or agency works for an organization that is a part of a larger organization, the State Of Maine. Maine's constitution explains the purpose or goals of our state. Because goals tend to be broad and general, organizations usually divide them into more specific targets or objectives. Legislation and other documents describe the goals and objectives of the many state agencies and departments.
Management's role is to provide the leadership that the organization needs to achieve its goals and objectives. Internal control is a technique used by managers to help an organization achieve these objectives. Internal controls are the structure, policies, and procedures used to ensure that management accomplishes its objectives and meets its responsibilities.
Any discussion of fundamental management responsibilities would include effectiveness, efficiency, compliance with laws and regulations, and accuracy in reporting. Effectiveness measures whether an organizational unit achieves its objectives. Efficiency measures how well managers make use of available resources in achieving these objectives. While effectively and efficiently achieving the organization's objectives, managers must also comply with applicable rules, regulations, and laws. Finally, in order to make sound decisions and comply with oversight requirements, managers must receive accurate information and prepare accurate reports. Internal controls can then be defined as a coordinated set of policies and procedures used by managers to ensure that their agencies, programs, or functions operate efficiently and effectively in conformance with applicable laws and regulations.
D. What are Internal Controls?
The current official definition of internal control was developed by the Committee of Sponsoring Organization (COSO) of the Treadway Commission. In its influential report, Internal Control - Integrated Framework, the Commission defines internal control as follows:
"Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
This definition reflects certain fundamental concepts:
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is effected by people.
- It is not policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories."
A less technical definition might state that:
Internal controls are tools that help managers be effective and efficient while avoiding serious problems such as overspending, operational failures, and violations of law.
Internal control has been further defined as consisting of five interrelated components. The COSO Report identifies these as control environment, risk assessment, control activities, information and communication, and monitoring. The Internal Control Guide discusses these five components in Chapter Three, "Five Components of Internal Control".
The process of internal control also incorporates four basic principles. Because internal controls are a means to an end, they must help, rather than prevent or delay, an organization from reaching its objectives. Before designing and implementing internal controls, managers should consider the following:
- Internal controls must benefit, rather than hinder, the organization.
- Internal controls must make sense within each organization's unique operating environment.
- Internal controls are not stand-alone practices. They are woven into the day-to-day responsibilities of managers and their staff.
- Internal controls should be cost effective.
Consider internal controls as a continuous series of decisions affected by changing circumstances that will require periodic review and modification, rather than as a static system. When managers evaluate their internal controls, they must first determine whether they are functioning as designed and still applicable given current operations. Managers should then analyze potential risks. Based on the results of the review, managers determine what changes are necessary. Managers need to review internal controls and internal control plans regularly. We recommend that this review occur at least annually, more frequently if warranted.
E. Why Do We Need Internal Controls?
Public sector managers are responsible for managing the resources entrusted to them to carry out government programs. A major factor in fulfilling this responsibility is ensuring that adequate controls exist.
Public officials, legislators, and taxpayers are entitled to know whether government agencies are properly handling funds and complying with laws and regulations. They need to know whether government organizations, programs, and services are achieving the purposes for which they were authorized and funded. Officials and employees who manage programs must be accountable to the public. Frequently specified by law, this concept of accountability is intrinsic to the governing process of this state.
Encourage Sound Management Practices
As stated earlier, organizations exist to accomplish a goal. Managers are responsible for providing the leadership to reach this goal. That responsibility encompasses both identifying applicable laws and regulations and establishing internal control policies and procedures designed to provide reasonable assurance that the entity complies with those laws and regulations. Internal controls coordinates a department's policies and procedures to safeguard its assets, check the accuracy and reliability of its data, promote operational efficiency, and encourage adherence to prescribed managerial policies. Department managers must develop, implement, monitor, and update an effective plan of internal controls. The exact plan developed will depend, in part, on management's estimation and judgment of the benefits and related costs of control procedures, as well as on available resources.
One department in another state assigned staff to review their internal control plan against recommended internal control activities. They noticed that the revenue section of the plan seemed to lack certain segregation of duties regarding their refund policies. After designing new steps to use for their refunds, they reviewed these steps against past practices. They found instances where thirty-six refunds were sent to different people at the same address within a two-month period. Further investigations found a pattern of fraud that might have gone undetected without this self-examination.
Facilitate Preparation for Audits
Each department is periodically subject to audits by independent auditors, federal auditors, the State Auditor, the Internal Control Unit of the Bureau and, in some cases, internal audit units. These audits are conducted to ensure the following:
- Public funds are administered and expended in compliance with applicable laws and regulations;
- Department programs are achieving the purpose for which they were authorized and funded;
- Financial statements accurately represent the financial position of the State Of Maine;
- Programs are managed economically; and
- Internal controls exist and provide a basis for planning the audit and planning the timing, nature, and extent of testing.
Auditors' reports will nearlyalways include an opinion of the department's internal controls. When it appears warranted, auditors will make recommendations for improvements. Managers are accountable for the adequacy of the internal control systems in their departments. Weak or insufficient internal controls will result in audit findings and, more importantly, could lead to theft, shortages, operational inefficiency, or a breakdown in the control structure.
F. Limitations of Internal Control
Internal controls, no matter how well designed and operated, can provide only reasonable assurance to management regarding the achievement of an entity's objectives, the reliability of reports, and compliance with laws and regulations. Certain limitations are inherent in all internal control systems. Cost will prevent management from ever installing an ideal system. Management will, correctly, choose to take certain risks because the cost of preventing such risks can not be justified. Furthermore, more is not necessarily better in the case of internal controls. Not only does the cost of excessive or redundant controls exceed the benefits, but this perception may also affect staff's views on controls in general. If they consider internal controls as "red tape", this negative view could adversely affect their regard for internal controls in general.
A second limitation to internal controls is due to the reality that human judgment can be faulty; breakdowns can also occur because of human failures such as simple error or mistake. Management may fail to anticipate certain risks, and thus fail to design and implement appropriate controls. Two other limitations are that controls can be circumvented by collusion of two or more people and that management has the ability to override the system.
Despite these limitations, the reasonable assurance that internal control does provide, helps enable an organization to focus on reaching its objectives while minimizing unpleasant surprises. They promote efficiency, reduce the risk of asset loss, and help ensure the reliability of financial statements and compliance with laws and regulations.
G. Management Responsibility
Internal control affects all aspects of a department's operation, fiscal, administrative, and programmatic. The department head is the individual ultimately responsible for complying with the requirements of this law and should use this guide accordingly.
Just as departments differ in purpose, number of employees, organizational structure and budget size, each manager's responsibilities differ as well. Some manage large departments with multiple programs and multi-million dollar budgets. Others manage provider contracts, administrative sections, or small programs with no other staff. Regardless of duties, internal control is the responsibility of all managers. Consider these differences when designing internal control systems, whether for a single management unit or for a department's internal control plan.
Because the primary responsibilities of the Office of the Controller include operating the State's accounting and payroll systems and overseeing the Statewide Single Audit, we would naturally assist departments in developing internal controls for their fiscal operations. Departments must also develop controls for other business activities such as human resource benefits and budgeting. Oversight agencies frequently assist departments by recommending or requiring specific policies and procedures and provide external controls. Departments must rely primarily on their own expertise when evaluating and documenting internal controls for technical and programmatic activities. As stated earlier, one of the four basic principles of internal control is that it must make sense within each organization's unique operating environment. Department managers are the experts in departments' individual circumstances. We recommend that you build on the advice contained within this guide to meet your own specific internal control needs.
Title 5, Chapter 143, §1541, §10-A
Chapter 451 of the Public Laws of 2003, codified as §10-A of §1541 of Title 5, became effective on June 12, 2003. The Office of the State Controller filed this legislation to improve internal controls within state government. We have included a copy of the statute as Appendix 1 of this guide. Refer to the law as you prepare your internal control plan.
Subsection 1541, §10-A sets forth the standards for internal control systems at state departments for administrative and financial operations. The law requires state agencies to establish internal control systems in accordance with the guidelines promulgated by the Office of the Comptroller. Together, the State Administrative and Accounting Manual and the Internal Control Guide for Managers set forth the guidelines that state departments must use.
A. Six Standards of Internal Control
The law sets forth six standards that departments must establish and incorporate in an internal control structure.
- Documentation: Departments must clearly document internal control systems and make these systems easily available for examination.
- Transactions: Departments must manage transactions and other significant events by recording transactions promptly, documenting transactions clearly and classifying transactions properly.
- Authority: Only persons acting within the scope of their authority, should be allowed to authorize and execute transactions
- Separate Duties: Departments must establish a system to assign the following essential duties and responsibilities to a number of individuals.
- Authorizing, approving and recording transactions,
- Issuing and receiving assets,
- Making payments, and
- Reviewing or auditing transactions.
- Supervision: Provide qualified and continuous supervision to all staff to ensure that internal control objectives are achieved.
- Access: Limit access to resources and records to authorized individuals, as determined by the department head. The department head is responsible for maintaining accountability for the custody and use of resources and shall assign qualified individuals for that purpose. Departments must periodically compare the physical resources and the accounting records to reduce the risk of unauthorized use or loss of resources and protect against wasteful and wrongful acts.
B. Department Responsibility
Chapter 451 requires that a qualified employee, (in addition to his or her regular duties), be assigned the responsibility for the department's internal control. This individual is the department's Internal Control Officer. The Internal Control Officer's organizational responsibilities must include the duties listed below.
- Have available on file written documentation of the department's internal accounting and administrative control system for review by the Controller's Office, the Commissioner of Administrative and Financial Services, and the State Auditor.
- Evaluate the effectiveness of the agency's internal control system at least annually, more often if conditions warrant. At that time, establish and implement any changes necessary to ensure the continued integrity of the system.
- Evaluate the results of audits and recommendations to improve departmental internal controls promptly.
- Implement timely and appropriate corrective actions in response to an audit.
- Address all actions determined as necessary to correct or otherwise resolve internal control matters in the department's budgetary request to the Governor and Legislature.
- Immediately report all variances, losses, shortages, or thefts of funds or property to the Office of the State Controller. The statute specifically requires this action. This does not relieve the agency of reporting to the State Auditor as required by Title 5, Subsection 244 - A.
One state department in another state detected equipment missing from one of their locked storage areas. They notified the Office of the State Controller as required. Through a review of the situation, the Internal Control Specialists found that this equipment was borrowed within the department without proper approvals. The department wrote a new authorization plan for equipment use as recommended by the review.
C. State Controller's Responsibility
The Office of the State Controller (OSC) reviews reported variances, losses, shortages, or thefts to determine the amount involved and report the facts surrounding the condition to the appropriate management and law enforcement officials. The OSC's Internal Control Division then determines the internal control weaknesses that allowed the problem to occur, recommending changes to department management to correct these weaknesses. Department management must immediately implement policies and procedures necessary to prevent a reoccurrence of the condition, based on the Internal Control Division's recommendations.
Five Components of Internal Control
Each Department's and Agency's internal controls and internal control plans will be unique to the individual circumstances; however, the internal control descriptions defined in Chapter One, the standards in Chapter 451 as described in Chapter Two, and the components set forth in this chapter should be incorporated into all internal control systems. The COSO Report describes the internal control process as consisting of five interrelated components that are derived from and integrated with the management process. The components are interrelated, which means that each component affects and is affected by the other four. These five components, which are the necessary foundation for an effective internal control system, include:
- Control Environment,
- Risk Assessments,
- Control Activities,
- Information and Communication, and
A. Control Environment
The control environment of a state agency sets the tone of the organization and influences the effectiveness of internal controls within the agency. Control environment, an intangible factor and the first of the five components, is the foundation for all other components of internal control, providing discipline and structure and encompassing both technical competence and ethical commitment. Managers must evaluate the internal control environment in their own unit and department as the first step in the process of analyzing internal controls. Many factors determine the control environment, including those on the following list.
- Management's attitude, actions, and values set the tone of an organization, influencing the control consciousness of its people. Internal controls are likely to function well if management believes that those controls are important and communicates that view to employees at all levels. If management views internal controls as unrelated to achieving its objectives, or even worse, as an obstacle,
- This attitude will also be communicated. Despite policies to the contrary, employees will then view internal controls as "red tape" to be "cut through" to get the job done. Management can show a positive attitude toward internal control by such actions as including internal control in performance evaluations, discussing internal controls at management and staff meetings, and by rewarding employees for good internal control practices.
- Commitment to competence includes a commitment to hire, train, and retain qualified staff. It encompasses both technical competence and ethical commitment. Management's commitment to competence includes both hiring staff with the necessary skills and knowledge and ensuring that current staff receives adequate on-going training and supervision.
B. Risk Assessment
Organizations exist to achieve some purpose or goal. Goals, because they tend to be broad, are usually divided into specific targets known as objectives. A risk is anything that endangers the achievement of an objective. Risk assessment, the second internal control component, is the process used to identify, analyze, and manage the potential risks that could hinder or prevent an agency from achieving its objectives. In attempting to identify risk, managers need to ask the following two questions:
"What could go wrong? What assets do we need to protect?"
Over the course of a day, a week, a month, or a year, situations occur which could hinder or prevent a unit (or a department) from fulfilling its responsibilities and meeting its goals. Because of this possibility, successful managers continually identify and analyze potential risks to their organizations. Performing risk assessments assists managers in prioritizing the activities where controls are most needed. Managers use risk assessments to determine the relative potential for loss in programs and functions and to design the most cost-effective and productive internal controls. When beginning a risk assessment, the manager can start by analyzing the two circumstances most likely to endanger unit objectives, change and inherent risk.
Review changes. The risk to reaching objectives increases dramatically during a time of change (turnover in personnel, rapid growth, or establishment of new services, for example). Because any type of change increases risk, monitor and assess every significant, or likely to be significant, change. Some examples of circumstances that expose an agency to increased risk are the following:
- Changes in personnel, for example after a new administration,
- New or revamped information systems, for example the upcoming implementation of MFASIS for personnel and payroll reporting,
- Rapid growth,
- New programs or services,
- Increased delegation of spending authority,
- Reorganizations within or between state agencies,
- Moving to a new location, for example when Cross Office Building agencies were relocated.
Identify inherent risk. We refer to the second type of potential problems as inherent risk. Examples include complex programs or activities, cash receipts, providing services through sub-recipients or vendors, direct third party beneficiaries, and prior problems. Activities with inherent risk have a greater potential for loss from fraud, waste, unauthorized use, or misappropriation due to the nature of the activity or asset. Cash, for example, has a much higher inherent risk for theft than a stapler does. Other examples of situations that may involve inherent risk:
- Complexity increases the danger that a program or activity will not operate properly or comply fully with applicable regulations.
- Third party beneficiaries are more likely to fraudulently attempt to obtain benefits when those benefits are similar to cash (for example food stamps).
- Decentralization increases the likelihood that problems will occur. However, a problem in a centralized system may be more serious than a problem in a decentralized system because if a problem does exist, it could occur throughout the entire department.
- A prior record of control weaknesses will often indicate a higher level of risk because bad situations tend to repeat themselves.
- Unresponsiveness to identified control weaknesses by prior auditors often indicates that future weaknesses are likely to occur.
Evaluate identified risk. After identifying potential risks, analyze each risk to determine how best to manage it. Start with the following questions:
- How important is this risk?
- How likely is it that this risk will occur?
- How can we best manage this risk?
Internal control systems should provide reasonable assurance that assets are safeguarded, resources are properly used, and objectives are achieved. Absolute assurance may not be an achievable goal, because it may be prohibitively expensive and impede productivity. One would not expend a substantial amount of funds to protect a relatively inexpensive asset. For example, it is not prudent to spend $50 to safeguard a $25 carton of pens. Spending $50 to safeguard $5,000 in laptop computers, however, may be very sensible.
One department in another state placed their computer equipment in a locked room with a security system requiring employees to sign in when working on the terminals. This gave their data systems very little chance of being used by unauthorized individuals. However, the department's supplies were kept in an open accessible room, with a doorway close to the building entrance. Staff found themselves with paper and pencil shortages every September when school started. In this instance, the department needed to establish different types of controls over different types of resources.
C. Control Activities
Once managers identify and assess risks, they need to evaluate and develop, if necessary, methods to minimize these risks. We refer to these methods as control activities, the third component of internal control. By control activities, we mean the structure, policies, and procedures, which an organization establishes so that identified risks do not prevent the organization from reaching its objectives. Policies, procedures, and other items like job descriptions, organizational charts and supervisory standards, do not, of course, exist only for internal control purposes. These activities are basic management practices.
At the same time managers are evaluating and preparing internal controls, they need to be careful to avoid the other extreme. Excessive controls can be as harmful as excessive risk because they can result in increased bureaucracy and reduced productivity. Before implementing a new policy or procedure in response to a problem, managers should make sure that the new policy is necessary. Often times, a relevant policy already exists; it just needs to be enforced. In Chapter Four, "Control Activities", we discuss control activities managers commonly use in developing their own specific policies and procedures.
D. Information and Communication
Managers must be able to obtain reliable information to determine their risks and communicate policies and other information to those who need it. Information and communication, the fourth component of internal control, articulates this factor.
- Management acquires accurate information to report on agency or program activities to the State Legislature, oversight agencies, and federal grantors.
- Supervisors must communicate duties and responsibilities to their staff.
- Staff and middle management must be able to alert upper management to potential problems.
- Administrative and program staff must communicate requirements and expectations to each other.
Information: Although a department or unit manager may have developed excellent policies and procedures, if these are not communicated to the staff, which performs these duties, they may as well not exist. Well designed internal controls outline the specific authority and responsibility of individual employees. They can also serve as a reference for employees seeking guidance on handling unusual situations.
Communication: An internal control plan should provide for information to be communicated both within the organization (up as well as down) and externally to those outside, for example, vendors, recipients, and other departments. Management should distribute copies of the department's internal control plan to all staff whose jobs are affected in any way by the information in the plan. Sending information electronically allows management to immediately distribute new procedures and other information to a large staff. Departments should conduct in-house training sessions upon releasing new or extensively revised internal control plans to explain the meaning of the plan and the importance of internal controls. This training should also be part of the orientation of new employees.
"This too shall pass" (ancient proverb). Life is change; internal controls are no exception. Satisfactory internal controls can become obsolete through changes in external circumstances. Therefore, after risks are identified, policies and procedures put into place, and information on control activities communicated to staff, managers must then implement the fifth component of internal control, monitoring. Managers must continually monitor the effectiveness of their controls. Monitoring assesses the quality of internal controls over time. Like the other four components, monitoring is a basic management duty included in management activities like performance evaluations, ongoing supervision, and status reports. Proper monitoring ensures that controls continue to be adequate and continue to function properly.
Even the best internal control plan will be unsuccessful if it is not followed. Monitoring allows the manager to identify whether controls are being followed before problems occur. For example, a unit's internal control lan may identify cross-trained staff to perform certain duties if the assigned individual is not available. However, the manager who does not monitor this arrangement by asking staff to occasionally perform the back-up duties may discover, too late, that the individual was cross-trained so long ago that substantial changes have occurred and he or she has no idea what to do.
Managers must also monitor previously identified problems to ensure that they are promptly corrected. In the same way, managers must review weaknesses identified by audits to determine whether related internal controls need revision.
The Controller's Office makes accounting and payroll reports available to assist managers in their monitoring activities. We capture, compile, and disseminate a wide range of data to users from the automated state accounting and payroll systems, and make a wide range of data available online in the production system. These reports provide managers with timely information on transactions, financial conditions, and other information. The Controller's Office also provides accounting and payroll data in the Information Warehouse, allowing department staff to prepare reports to their own specifications.
Internal Control Activities
Managers must establish internal control activities that support the internal control components discussed in Chapter Three. As established in law, departments must provide qualified and continuous supervision. To fulfill this responsibility, managers must establish clear lines of authority and responsibility. The effectiveness of any internal control plan depends directly on management's thoroughness, consistency, and the timeliness of supervision.
- Assign tasks and establish written procedures for completing assignments;
- Systematically review each staff member's work;
- Approve work at critical points to ensure quality and accuracy;
- Provide guidance and training when necessary;
- Provide documentation of supervision and review (for example, initialing examined work)
Adequate and timely supervision is especially important in small departments, where limited personnel may inhibit a thorough segregation of duties. We describe two main types of control activities. Controls can be either preventive, for example, requiring supervisory sign-off before an item is purchased, or detective, for example reconciling bank statements to ensure that all payments are appropriate. However, the existence of detective controls can also serve to prevent irregularities. An individual tempted to use department cash funds inappropriately may be deterred by the knowledge that the bank account is regularly reconciled.
A. Separate Duties
Separation of duties is a primary principle in any internal control plan. The principle of segregation of duties is especially important when using computers and other information technology, because it ensures the separation of different functions such as data compilation, input, and review. It also defines authority and responsibility over transactions and use of the State's resources.
The fundamental premise of Separated duties is that an individual or small group of individuals should not be in a position to initiate, approve, undertake, and review the same action. These are called incompatible duties when performed by the same individual. The list below offers some examples of incompatible duties:
- Managing operations of an activity and record keeping for the same activity;
- Custody of assets and recording receipt of those assets;
- Authorization of transactions and custody or disposal of the related assets or records.
Different personnel should perform the different functions of data entry, authorization, custody, and report review. If this control activity is properly planned, implemented, and adhered to, departments can safeguard state funds against a single individual's "irregularity".
Maintaining segregation of duties is especially challenging for units with small numbers of employees. Managers of such departments must consider this principle when designing and defining job duties and they must implement control procedures to assure segregation of duties exists. In an environment with limited numbers of clerical and administrative personnel, management needs to be involved in documenting, reviewing, and approving transactions, reports, and reconciliations.
Many managers exercise programmatic responsibilities and have limited administrative authority; a centralized unit may handle those responsibilities. Program managers should prepare internal controls relating to their own responsibilities. A department internal control plan, however, should ensure that all of the following activities, at a minimum, are properly separated.
Separation of Duties
A department in the Commonwealth appointed an accounting clerk to be responsible for receiving payments, posting them to the proper account, depositing the receipts, and notifying customers of the completed transactions. This individual performed all of the duties. Investigators later found that due to a lack of segregation of duties and proper oversight, this clerk had embezzled thousands of dollars over a five year period.
Personnel & Payroll Activities
- Individuals responsible for hiring, terminating and approving promotions should not prepare payroll or personnel transactions or input data.
- Payroll managers should review and approve payroll deductions. Supervisors should review time sheets before approving either by written or electronic signature, but should not be involved in preparing payroll transactions.
Other Expenditure Activities
- Individuals responsible for data entry of encumbrances and payment vouchers should not be responsible for preparing or approving these documents.
- A department should not delegate expenditure transaction approval to the immediate supervisor of data entry staff or to data entry personnel. Individuals responsible for acknowledging the receipt of goods or services should not also be responsible for purchasing or payment activities.
- Individuals responsible for monitoring inventories should not have the authority to authorize withdrawals of items maintained in inventory.
- Individuals performing physical inventory counts should not be involved in maintaining inventory records
Check Writing Activities
- Persons preparing checks should not be signing the checks.
- Persons signing the checks should not be reconciling the checking account.
- Individuals receiving cash into the office should not be involved in authorizing bank deposits.
- Individuals receiving revenue or making deposits should not be involved in reconciling the bank accounts.
B. Authorize Transactions
To maintain control over expenditures and revenue collection, persons acting within the scope of their authority must approve any financial transactions before the transactions are processed. Departments should document via Payment Authorization Forms exactly which persons have the authority to approve each type of transaction. Chief Financial Officers must monitor these authorizations.
As part of its oversight authority, periodically the Office of the Controller will require departments to submit a form, which includes the original signatures of all personnel authorized to approve transactions. Until this document is received, no departmental business activity can occur.
C. Control Access to Assets and Resources
Internal control systems should involve procedures to restrict access to and enhance control over resources. Resources include money, equipment, supplies, inventory, and the records that account for these assets. Maintaining accountability for the use and custody of resources involves assigning specific responsibilities to specific individuals. Managers should monitor expenditures, revenue collection, and physical assets to ensure that these resources are used only to achieve specific and identified purposes. For example, passwords and identification codes limit access to computer data. Require that passwords and identification codes be kept confidential. Hardware should also be protected. Monitor and control access to cash, equipment, and supplies.
D. Document Internal Controls
Documenting policies and procedures is especially important because one truth of our time is that change happens constantly. A written document will, for example, tell staff what to do in case of unexpected turnover. Preparing written internal controls will clearly communicate specific responsibilities to individual staff, facilitate training new staff, and enable you to review and monitor your internal control system.
As explained in Chapter Two, Title 5 requires that each department document its internal control systems. This internal control plan should be developed by professional and managerial staff and must be formally approved by either the department head, or, through express delegation, by the Internal Control Officer. The department plan must be readily available upon request to auditors and representatives of the Office of the State Controller and the Commissioner of Administrative and Financial Services. Title 5 also requires that the department's written internal control plan be reviewed and updated, at least annually.
As part of the statewide single audit, auditors review the internal control plans of a significant percentage of Maine departments. A department's internal control plan will also likely be examined during a review by oversight agencies and federal grantors.
Evaluating InternalControls & Preparing an Internal Control Plan
Evaluating current internal controls is the first step toward preparing an internal control plan. An internal control evaluation is a detailed examination of a unit's functions undertaken to determine whether adequate internal controls exist and function as intended and to make necessary improvements. Evaluating internal controls is a core management responsibility, part of a manager's regular job not an extraneous obligation.
A. Five-Step Approach to Evaluating Internal Controls
We have developed a five-step approach to evaluating internal controls to correspond with the five components of internal control. Managers should do this for each unit that reports to them. Before beginning the five steps, review the units (and department's) goals and objectives. Next, identify specific risks to meeting these objectives. Determine which objectives are most important and most vulnerable. Prioritize your efforts by first evaluating activities with an unfavorable control environment and a high degree of inherent risk. Then start to apply the five steps listed below for each of the most important objectives.
Step 1: Analyze the Control Environment
Attitude: Review the unit's control environment including your and any subordinate managers' attitudes and actions. If a specific procedure requires constant exceptions, you are better off changing or eliminating the procedure than establishing an attitude of "rules are made to be broken".
Whether they realize it or not, managers set an example by their behavior. If managers make exceptions to their own procedures whenever they find themselves inconvenienced, staff and contractors will feel they too can also make exceptions whenever they want.
Supervision: Departments with the best control environment attempt to hire qualified individuals while making an effort to retain skilled employees. Their managers train new and current staff to excel at their jobs and to use appropriate internal controls in all areas. They assist their staff by furnishing tools such as job descriptions and policy and procedure manuals that clearly communicate responsibilities and duties. They provide sufficient but not excessive supervision, reviewing to the extent necessary. While they allow as much autonomy as possible to competent, experienced staff, they continue to approve work at critical points to ensure that work flows as intended.
Structure: Managers should develop an organizational structure that clearly defines supervisory responsibilities and chains of command. The structure should also take into account the need to separate certain duties. Document this structure through organizational charts made available to all staff.
Step 2: Assess Risk
Because evaluating internal controls can be a lengthy process, and because every risk to an organization's objectives is not equally significant, managers must prioritize their efforts before analyzing specific actions. The risk assessment process contains two major steps: (1) identify and prioritize activities that are most likely to have problems, (2) analyze those specific activities to determine their components.
a. Identify Potential Problems
Begin by reviewing both the unit's goals and objectives and the organization's control environment. Next, determine potential problems. Examples of circumstances with potential for problems includes programs that have undergone recent changes in staff or structure, functions that receive complaints or have had problems in the past, and complex activities.
A moderate loss that is likely to occur presents as much danger as a more serious loss that is less likely to occur.
Rank the identified risks by asking the following questions: "Where do we face the greatest possible harm?" and, "Which types of losses are most likely to occur?" Use this evaluation to prioritize your efforts.
For example, the director of a hypothetical human services program (see flow chart on following page), has determined that the greatest risk to the program's goal of providing services to all eligible individuals is from recently passed legislation. This legislation may result in the program losing its funding if it provides services to ineligible individuals.
b. Identify and Analyze Control Cycles
It is easy to become overwhelmed by the volume and complexity of controls within even a single program or administrative function. To simplify this task, we suggest grouping activities of the program or function into control cycles. A control cycle is a group of actions used to initiate and perform related activities. A single program or administrative function usually contains several control cycles. Control cycles provide the focal point for evaluating internal controls.
To begin evaluating controls, list the control cycles in the program or administrative function being reviewed. The control cycles for an administrative function could be payroll, employee benefits, space planning, telephone systems, and procurement of supplies and materials.
This flow chart visually describes the eligibility determination control cycle of a hypothetical human services program. The manager of the program can use this chart to identify potential weaknesses in the unit's internal controls.
The human services program shown above might include the following five cycles: outreach, eligibility determination, service delivery, monitoring, and reporting. Within the program, the eligibility determination cycle might include the following six steps: interview, completing application form, verification, approval or denial, supervisory review, and initiate services or send denial explanation to outreach unit.
After listing the control cycles, use the following process to document them:
- First, interview the personnel involved in the cycle and observe the activity.
- Second, prepare a narrative explanation and/or a flow chart. The documentation should contain sufficient detail to permit an analysis of the internal controls.
- Third, review the completed documentation with the persons providing the information.
- Fourth, use the documentation to track one or two transactions through the process.
Performing all four of the above actions will assure that the documentation and your understanding of the cycle are accurate and complete. After documenting the control cycle, use the following steps to analyze it:
- Prepare a written narrative and/or flow chart explaining how the cycle is supposed to be handled by describing each activity or transaction within the cycle. In the narrative, describe;
- Who is performing each step?
- What is involved in the step?
- Any resulting documentation, for example, reports.
- Review the information available in policy and procedure manuals. Use written materials such as organizational charts, job descriptions, reviews, checklists, department records, and reports.
- Supplement written sources through conversations and observations.
- Finally "walk through" the process to be sure you understand every item.
After performing the above steps, the manager of the human service program, in the example cited above, might determine that the most significant internal control weakness within the eligibility determination cycle is at the point of information verification.
Step 3: Implement Management Control Activities
Evaluate the control cycle to decide whether the system, as defined, sufficiently safeguards the department's resources, assures the accuracy of its information, and promotes effectiveness and efficiency. We do this as follows:
- Define risk and control objectives for each control cycle. Objectives express the reasons we use policies and procedures to control specific identified risks. We establish objectives because control activities (policies and procedures) minimize the likelihood that an identified risk will occur.
In the example of the human services program described above, we could identify the following as an appropriate control objective: Services are approved only for eligible applicants. We would then define the related risk to be as follows: Ineligible persons receive services, jeopardizing the entire program.
- Examine the documentation of the cycle (prepared in Step 2B) to determine whether sufficient policies and procedures already exist for the control objectives to be met and remember to identify any outside policies and procedures that can off-set potential risks.
Through documenting the cycle, the manager discovered that only one individual was responsible for verifying information. When this individual was on vacation, other staff members who were not familiar with the requirements performed the verification step. This deficiency could have resulted in the program being terminated due to providing services to ineligible applicants.
- If appropriate policies and procedures do not exist, develop them and communicate to all staff in the eligibility determination unit. If the procedures do exist, determine whether they are being followed.
To continue with our example, assume that eligibility for the human services program is limited to low-income residents. Program policy might require that staff examine pay slips and tax returns to document income eligibility and driver's licenses or rent receipts to document residence. If the manager determines that these policies are not always followed correctly, new procedures might require that photocopies of these items be attached to the application for supervisory review.
- Identify any controls that are excessive or unnecessary and modify or eliminate them. Appropriate controls include external as well as internal controls. Excessive control is inefficient. Identify outside policies or procedures that can offset potential risks.
In our example, the program might accept a current MAINE CARE (Medicaid) membership card as sufficient eligibility verification and not require other items to confirm Maine residence or income level, thereby speeding up the eligibility determination cycle.
Step 4: Communicate Information
Prepare and distribute the results of the evaluation and any related changes.
The director of the human services program would communicate the above changes in policies and procedures to all staff in that unit through discussions at meetings, training sessions, and/or written communications. This communication would convey the importance of these changes to facilitate cooperation (positive control environment). The director would also make sure that this information was communicated to staff in the outreach unit, other referral sources, and potential applicants.
When making changes to internal controls, discuss the changes with the affected managers, staff, and with the department's internal control officer to determine if the changes accomplish the control objective. In evaluating possible alternatives, consider the costs and expected benefits of implementing control objectives in a cost-effective manner.
Step 5: Monitoring
At a minimum, evaluate your internal controls on an annual basis. When reviewing, consider internal and external changes, personnel turnover, new programs, administrative activities, and priorities. Schedule monitoring on a regular basis or it is likely to be by-passed by the emergencies of day to day work. Testing controls at least annually allows you to determine whether the controls continue to be adequate and are still functioning as intended.
The final step in an internal control evaluation is testing the controls to determine whether they function as intended. Program monitors, auditors, and other reviewers can be a resource in monitoring internal controls.
After completing the process, the director would test the new controls to be sure they are working as designed. Back up staff might be temporarily assigned to verify eligibility under close supervisory review, for example, while the monitoring unit might review a sample number of cases to determine whether approved recipients appear eligible for services.
Always follow up to insure that any identified problems are corrected.
B. Prepare an Internal Control Plan
An internal control plan is a description of how an agency expects to meet its various goals and objectives by using policies and procedures to minimize risk. In preparing the plan, refer to the five components. Use the information acquired throughout the evaluation to prepare an internal control plan. Internal control plans can take many different forms, depending on the organizational structure and business practices of the organization. In general, however, the internal control plan would:
- discuss the goals and objectives of the unit (for example, department),
- briefly state the integrity and ethical values expected of all staff, and especially, the ethical values top management expects of itself (control environment),
- describe the risks to meeting goals and objectives, and
- Explain how the structure, policies, and procedures of the organization act to control the risk (control activities).
In a small agency, the plan might include all the department's policies and procedures. In a large department, the plan might incorporate the various policy and procedure documents by reference. As a constituent part of the department's plan, however, these policies and procedures would also need to be reviewed and updated at least annually. Finally, the internal control plan would also include a section describing to whom the plan is distributed and another section describing how the plan is to be monitored.
The internal control plan of the hypothetical human services program might, after the evaluation was complete, include all the actions discussed in the above steps. This would include affirming the goal of providing services to all who were eligible, discussing possible risks to that goal, referring to or describing policies and procedures established to manage the risks, explaining how this information is communicated, and indicating how it is monitored.
State managers have an obligation to administer and safeguard the resources that are entrusted to their care. State managers are accountable not only to their immediate supervisor, but also to the legislature who appropriated the funds, program constituents, fellow state employees, and lastly to the taxpayers who provide the resources that the state uses. An internal control plan helps managers meet this vital responsibility.
Agency staff who takes an active role in their agency's internal controls may want to read some of the resources listed below. These useful guidelines offer practical assistance in the design, implementation, and maintenance of internal control plans.
This manual has been adapted to Maine from work completed by the Massachusetts Controller's Office.
Committee of Sponsoring Organizations of the Treadway Commission. Internal Control - Integrated Framework. New Jersey: Committee of Sponsoring Organizations of the Treadway Commission, July, 1994.
Gauthier, Stephen J. Evaluating Internal Controls: A Local Government Manager's Guide. Chicago, Illinois: Government Finance Officers Association, 1996.
Component: One of five elements of internal control. The internal control components are the control environment, risk assessment, control activities, information and communication, and monitoring.
Control activities: the third component of internal controls; the structure, policies, and procedures, which an organization establishes so that identified risks do not prevent the organization from reaching its objectives
Control cycle: a group of actions used to initiate and perform related activities
Control environment: the first component of internal controls; it sets the tone of the organization influencing the effectiveness of internal controls and is the foundation for all other components of internal control, providing discipline and structure and encompassing both technical competence and ethical commitment
COSO: The Committee of Sponsoring Organizations of the Treadway Commission. It consists of the following organizations: the American Institute of Certified Public Accountants, the American Accounting Association, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.
The COSO Report: A report prepared by COSO entitled Internal Control - Integrated Framework; it defines internal control as a process designed to provide reasonable assurance that organizational objectives are achieved
Effectiveness: programs and functions achieve their intended result
Efficiency: resource use is consistent with an organization's goals and objectives
Information and communication: the fourth component of internal control, information and communication affect all aspects of the internal control framework
Internal control: a process, affected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
A less technical definition might define internal controls as tools that help managers be effective and efficient while avoiding serious problems such as overspending, operational failures, and violations of law
Internal Control Law: Title 5, Subsection 1541, Sub 10-A requires all departments to establish internal control systems using guidelines established by the Office of the Comptroller
Management Control: Controls performed by one or more managers at any level in an organization.
Monitoring: the fifth component of internal control, it ensures that controls are adequate and function properly
Risk: anything that endangers the achievement of an objective
Risk Assessment: the second internal control component; the process used to identify, analyze, and manage the potential risks that could hinder or prevent an agency from achieving its objectives
Separation of duties: An internal control activity, it requires that different personnel perform the functions of initiation, authorization, record keeping, and custody.
Senior official: an assistant or deputy to the department head
Unit: In this text, it refers to the staff and activities supervised by a manager. It includes a department, division, bureau, program, and other administrative units. The term unit can also include hospitals, schools, and subdivisions of these institutions.