INTERNAL CONTROL - 20060
INTERNAL CONTROL DEFINED
Internal control is defined as a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved. These objectives and related risks of not achieving those objectives can be broadly classified into one or more of the following three categories:
- Effectiveness and efficiency of operations
- Reliability of reporting for internal and external use
- Compliance with applicable laws and regulations
This definition is from the Standards for Internal Control in the Federal Government (Green Book) by the Comptroller General of the United States. The Green Book provides the overall framework for establishing and maintaining an effective internal control system. The State of California has adopted the Green Book as a framework for an internal control system. The Green Book adapted internal control principals from the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) published Internal Control - Integrated Framework which establishes five principals related to basic components of internal control. The five components of internal control are listed below in the SLAA section.
SLAA defines internal control in a manner similar to the Green Book. SLAA defines internal control as a process, including a continuous built-in component of operations, effected by a state agency’s oversight body, management, and other personnel that provide reasonable assurance that the state agency’s objectives will be achieved.
Further state internal audit organizations may be familiar with another definition of internal control as defined in the International Standards for the Professional Practice of Internal Auditing (Standards), issued by the Institute of Internal Auditors (IIA). IIA defines internal control as any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
STATE LEADERSHIP ACCOUNTABILITY ACT
State agency heads, by reason of their appointments, are accountable for activities carried out in their agency. This responsibility includes the establishment and maintenance of a system of internal control, and effective and objective ongoing monitoring of the internal controls within the agency. Such responsibility also includes documenting the system, communicating system requirements to employees, and ensuring that the system is functioning as intended and is modified, as appropriate, for changes in conditions.
Because governments are susceptible to fraud, waste, and abuse, increased attention has been directed toward strengthening internal control to help restore confidence in government and improve its operations. As a result, SLAA1 was enacted in 1983 to inhibit waste of resources, create savings, and enhance public accountability. SLAA is codified in GC 13400 through 13407, which describes the legislative findings, agency responsibility, internal controls, and reporting on the adequacy of internal control and ongoing monitoring. All levels of management must be involved in assessing and strengthening the systems of internal control to minimize fraud, errors, abuse, and waste of government funds.
GC 13403 defines internal control and sets forth the elements of a satisfactory system of internal control. It also emphasizes the importance of ongoing monitoring and agency head responsibilities. As stated in GC 13403, internal controls provide reasonable assurance that the agency objectives will be achieved. To constitute an effective internal control system, the state agency needs to effectively design, implement, and operate the five components of internal control in an integrated manner. The five components of internal control include the following:
- Control Environment. The foundation for an internal control system that provides the discipline and structure to help an agency achieve its objectives.
- Risk Assessment. An assessment of the risks facing the agency as it seeks to achieve its objectives and provides the basis for developing appropriate risk responses.
- Control Activities. The actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.
- Information and Communication. The quality of vital information used and communicated to achieve the agency’s objectives.
- Monitoring. Activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews.
GC 13403 states the elements of a satisfactory system of internal control shall include, but are not limited to:
- A plan of organization that provides segregation of duties appropriate for proper safeguarding of state agency assets.
- A plan that limits access to state agency assets to authorized personnel who require these assets in the performance of their assigned duties.
- A system of policies and procedures adequate to provide compliance with applicable laws, criteria, standards, and other requirements.
- An established system of practices to be followed in performance of duties and functions in each of the state agencies.
- Personnel of a quality commensurate with their responsibilities.
- An effective system of internal review.
- A technology infrastructure to support the completeness, accuracy, and validity of information processed.
These elements, as important as each is in its own right, are expected to be mutually reinforcing and, thus, to provide the system with “internal checks and balances.” All the elements are so basic to adequate internal control that serious deficiencies in any one could preclude effective operation of the system and signal a problem.
Another vital aspect of an internal control system is the ongoing monitoring of the system. Ongoing monitoring ensures management possesses the information to assess whether the: system is functioning as intended, controls remain effective, control weaknesses are corrected timely, and information is accurate and reliable.
SYMPTOMS OF CONTROL DEFICIENCIES
Experience has indicated that the existence of one or more of the following situations are usually indicative of a poorly maintained or vulnerable control system. These situations may apply to the organization as a whole or to individual units or activities. Agency heads and managers must identify and make the necessary corrections if any of the situations listed below exist within their organization and/or a similar situation of equal gravity.
- Policy and procedural or operational manuals are not current or are nonexistent.
- Lines of organizational authority and responsibility are not clearly articulated or are nonexistent.
- Financial and operational reporting is not timely and is not used as an effective management tool.
- Management and line supervisors ignore or do not adequately monitor control compliance.
- Operation controls are not regularly evaluated for effectiveness.
- Identified internal control weaknesses are not corrected timely.
- Controls and/or control evaluations bear little relationship to organizational exposure to loss.
1 Formerly the Financial Integrity and State Manager’s Accountability Act of 1983 (FISMA).
Revisions
No Revisions for this item.