INTERNAL CONTROL GUIDE

I. INTRODUCTION

In the interest of promoting responsible, efficient and cost effective governance, the Office of the State Comptroller (OSC) has developed an internal control guide concerning proper internal controls and financial management integrity.

II. OBJECTIVES OF THE INTERNAL CONTROL GUIDE

The purpose of this guide is to assist agencies in evaluating and strengthening their internal controls in accordance with procedures set forth with the implementation of Core-CT. The annual self-evaluation and risk assessment process allows managers to evaluate the internal control systems and identify possible deficiencies within their areas of responsibility.

The internal control self-assessment is to be completed annually by June 30 and kept on file at the agency. The Auditors of Public Accounts will review these self-assessment questionnaires for compliance with the provisions of the Internal Control Guide as part of their regularly scheduled audits of State agencies.

The internal control self-evaluation file should also contain the documentation by a report noting any weaknesses with recommendations for solutions. Whenever remedial action is required, the agency should prepare and implement an action plan to correct the deficiency.

In addition to establishing the annual agency self assessment of internal controls, this guide

III. STATUTORY AUTHORITY:

The State Constitution and CGS Sec 3-112-(4) provide that the Comptroller shall "…prescribe the mode of keeping and rendering all public accounts of departments or agencies of the state…."

CGS Sec. 4-65a (a) provides "there shall be an Office of Policy and Management which shall be responsible for all aspects of state staff planning and analysis in the areas of…management…and program evaluation."

CGS Sec. 4-70e (b) provides "The executive financial officer of the Office of Finance shall, subject to the approval of the secretary: (1) Establish state agency financial policies…"

CGS Sec. 2-90 (c) provides "auditors shall audit the books and accounts of each department…of the state government… Each such audit may include an examination of performance in order to determine effectiveness…"

IV. SUPERSEDENCE:

This directive supersedes the OSC Accountability Directive Number 1 (issued in December 1996).

V. MANAGEMENT RESPONSIBILITIES:

The management personnel of each State Agency are responsible for establishing and maintaining an effective internal control structure. To fulfill this responsibility, estimates and judgments by management are required to assess the expected benefits and related costs for internal control policies and procedures. The objective of an internal control structure is to provide management with reasonable assurance that assets are safeguarded against loss from unauthorized use or disposition, and the financial transactions are executed in accordance with management's authorization and recorded properly to permit the preparation of financial statements in accordance with generally accepted accounting principles (GAAP).

In addition, the management of each State Agency and Authority is responsible for adhering to the prescribed accounting policies and procedures as promulgated by the Office of the State Comptroller in the State Accounting Manual (SAM).

VI. EFFECTIVE INTERNAL CONTROLS:

The United State General Accounting Office describes the significance of internal controls as establishing and maintaining the internal control structure as an important management responsibility. Effective internal controls are essential to achieving the proper conduct of government business with full accountability for the resources made available. Internal controls also facilitate the achievement of management objectives by serving as checks and balances against undesired actions.

More specifically, internal control may also be defined as a process, effected by an entity's management, personnel, and oversight agencies, designed to provide reasonable assurance regarding the accomplishment of the following objectives:

A well-designed internal control structure will reduce improper activity. The responsibility of designing and implementing internal controls is a continuous process. As conditions change, control procedures may become outdated and inadequate. Management must anticipate that certain procedures will become obsolete and modify internal control systems in response to these changes. Appendices are included to provide detailed descriptions of internal controls, assessment tools such as checklists, and other sources of information. Using these tools, management can evaluate internal controls on a regular basis and be responsive to changes in the internal control environment.

VII. RISK ASSESSMENT:

Risk assessment is a process that helps to identify and analyze risks relevant to achieving specific organizational objectives. Risks can arise or change for a number of reasons, including the following:

1. Changes in the operating environment.
2. New personnel.
3. New or revamped information systems.
4. Rapid growth.
5. New technology.
6. New services or activities.

The purpose of an agency's risk assessment is to identify, assess and manage risks that could affect an agency's ability to achieve its objectives.

A. ACTIVITIES AT THE AGENCY LEVEL:

An annual self-evaluation and risk assessment shall be performed by each agency.

During each fiscal year, each agency may be subject to audit by at least one of the central agencies (i.e., the Auditors of Public Accounts, the Office of the State Comptroller or the Office of Policy and Management). The audit report, compliance review, post audit report, or other evidence of an external review shall be filed in the internal control self-evaluation file. The agency responses to these audit reports along with any report issued under CGS Sec. 4-33a (on the illegal, irregular or unsafe handling of State funds) shall also be included. These materials should be reviewed, along with agency remedial actions taken, in preparing the self-evaluation questionnaire.
Documentation of internal controls usually takes the form of internal control questionnaires, written narrative, or flow charts. The traditional method of describing an internal control structure is to complete a standardized internal control questionnaire. The appendices provide some examples. Most internal control questionnaires are designed so that a "no" answer to a question indicates a weakness in internal control. If completing of the questionnaire is regarded as an end in itself, there may be a tendency to fill in the "yes" and "no" answers in a mechanical manner, without any real understanding or study of the transaction cycle. The intent is to have the evaluation team obtain a working knowledge of the existing internal control structure.

Annually, prior to June 30, each agency shall complete the checklist of internal control evaluation questions attached in Appendix B. The review of these questions shall be documented by a report noting weaknesses and recommending solutions. Whenever remedial action is required, the agency will prepare and implement an action plan to correct the deficiency.

This self-evaluation shall be filed at the agency and made available to those auditors who visit the site and upon request by the Auditors of Public Accounts.

While the agency head is in a position to have a risk assessment performed, the authority to effect necessary changes may lie outside of the control of the agency head (e.g., budget, personnel, legislative changes, Core-CT, etc.) As part of an ongoing effort to promote efficient and cost effective State government, the issuers of this guide will assist State agencies in obtaining good internal controls.

B. ACTIVITIES BY CENTRAL AGENCIES:

In accordance with the statutory authorities, as stated in section III, these central agencies, the Office of the State Comptroller (OSC), the Auditors of Public Accounts (APA) and the Office of Policy and Management (OPM) conduct external risk assessments that serve somewhat different purposes.

As the State's accountant, the State Comptroller prescribes accounting procedures for State agencies and sets standards for what constitutes an effective internal control structure.
Core-CT was designed and implemented to subsume the functions of various costly and technologically disparate financial systems and subsystems that the state had been using. Core-CT in design incorporated agency based financial and human resources needs. As with any financial system that is incorporating both the needs of central reporting with the needs of user department or divisions, a large degree of decentralization is required. Without that decentralization the system would not meet the needs of agency users. Inherent in decentralization is a certain loss of data entry control and the need to increase internal controls and monitoring of system entries. To better monitor system entries, a monthly closing process was implemented for accounts receivable, billing, accounts payable and the general ledger. This process allows both agency users and OSC to more readily identify transaction errors. In addition, reporting functionality has been improved incrementally to provide added reconciliation tools.

The State Auditors conduct annual or biennial audits of all State agencies and authorities. During the audit process, APA evaluates the effectiveness of each agency's internal control structure and performs tests of the agency's compliance with certain provisions of laws, regulations, contracts and grants. In addition, as required by the Federal Single Audit Act, APA conducts an annual Statewide Single Audit of the State's general purpose financial statements, as well as its Federal financial assistance programs. A formal report on an auditee's internal control structure is included in each audit report issued by the APA.

As noted earlier, the Office of Policy and Management is responsible for all aspects of agency resource planning, including staffing needs. In addition, OPM is responsible for the areas of management and program evaluation. Through its budget and planning process, OPM conducts a review of agency fiscal staffing needs and agency requests for financial systems resources. In determining the disposition of these requests, OPM conducts its own assessment of agency internal control structures.

Although each of the above will independently assess the risk, to some extent they may all rely on the agency self-evaluations in collecting information to perform this assessment.

C. BENEFITS OF THE ANNUAL SELF-EVALUATION:

An annual self-assessment allows each agency to discover what has changed and how that change has affected the agency's mission and internal control system. It is possible that the growth of agency functions has overwhelmed the staffing available to accomplish the agency's mission. It is also possible that the growth has expanded the responsibilities of staff to the point where reassignments or additional staff are necessary to improve internal controls.

The existence of current flowcharts of agency functions and narratives describing the transaction cycles give management an opportunity to better understand the operations of their area of responsibility, however simple or complex.

Whatever the findings from an annual self-evaluation, it is a beneficial process to be aware of potential internal control problem areas before such problems become overwhelming and unexpected or potentially embarrassing situations occur.

VII. ACTION STEPS FOR EVALUATING INTERNAL CONTROL

The best way to start the process is to gather existing information pertinent to the agency's financial operations. Examples of such documents include narrative descriptions, worksheets or flowcharts depicting the agency's financial systems, any reviews of agency financial operations by internal auditors, reports by the Auditors of Public Accounts or other independent auditors, and agency responses to these reports.

Once this material has been collected, the agency should be ready to begin its internal control self assessment.

Step One: Perform an Initial Review of the Accounting Systems in Place
The first step for evaluating internal control is to understand the accounting/transaction process and identify the systems currently in use at your agency. This initial review provides the basic foundation of identifying specific risks (see section VII for a definition of risk). Agency personnel should identify the major financial systems in place, the accounts these systems affect, and how these two elements interrelate.

Examples of typical systems might include the following:

Step Two: Prepare Descriptions of These Systems
The second step would be to prepare descriptions of these accounting systems. A general description of a particular agency system should include the following:

The agency might use a narrative, a flowchart or questionnaire to describe the operation of the internal control system and to identify staff that performs relevant tasks.

Step Three: Analyze the Control Environment
The third step would be to analyze the control environment. A useful tool for this evaluation is the collection of worksheets found in Appendix B. These worksheets cover six critical areas and can help agencies pinpoint internal control areas that merit closer attention.

Step Four: Identify the System's Control Procedures
The fourth step would be to identify the control procedures in each system. The basic control types include the following:

A. Reconciliations and Comparisons of Assets With Records
These controls, such as bank reconciliations, involve independent checks over the output of the agency accounting system.

B. Reviews
These include both analytic reviews and transactional reviews. The purpose of each type of analysis is to evaluate summary information.

The most common form of analytic review in government is the comparison of actual figures to budget amounts, with an investigation of variances. This can be effective when:

In addition, when there are differences discovered that represent a misstatement, there should be an established procedure for correcting the error.

Transactional reviews are performed with the use of exception reports. These reports list transactions that vary from the norm. Using this method, staff can assess the validity and accuracy of accounting output by comparing detail with expected results.

C. Physical Controls
This includes physical controls over access to assets and incurring liabilities.

D. Monitoring
Monitoring can include proper approval of transactions, comparing outputs to supporting documents and observing control procedures, including audit tests.

If assistance is needed, agency heads and business managers can obtain consultation from either the Office of the State Comptroller or the Office of Policy and Management.

Step Five: Document Key Internal Control Procedures
The fifth step would be to determine and document the key internal controls that the agency relies upon to guard its assets. To do so, an agency first needs to determine the types of errors that might occur. When these potential errors are identified, agencies can match the internal controls that are in place to guard against these errors. This exercise is often done on a summary worksheet.

IX. RECORDKEEPING REQUIREMENTS:

Each agency shall have a series of self-evaluation files that shall contain the results of the most recent financial audit, the most recent single audit, any reports under CGS 4-33a, OSC compliance reviews or post audits, OPM agency assessments and State agency responses to the recommendations in each of those audit reports. In addition, the following documents should be kept on file: the annual self-evaluation of the internal controls including the completed checklists, questionnaires, or other evaluation tools, the risk assessment, and an action plan to reduce risks.

X. SUMMARY:

Effective internal controls are the foundation of efficient and cost effective State government. Primary responsibility for the implementation and risk assessment is with each State agency head. The monitoring function is shared among the Auditors of Public Accounts, Office of the State Comptroller, and the Office of Policy and Management (as discussed earlier in section VII B). To assist all parties in the monitoring function and to fulfill their primary responsibility, each State agency shall perform an annual self-evaluation prior to June 30, which shall be kept on file for audit.

XI. QUESTIONS:

For assistance in evaluating your agency's internal control structure, please contact:

The Office of the State Comptroller, at (860) 702-3440
The Office of Policy and Management, Office of Finance at (860) 418-6235
The Auditors of Public Accounts at (800) 797-1702

Back to Table of Contents
Back to Index of Comptroller's Manuals
Back to Comptroller's Home Page