In the interest of promoting responsible, efficient and cost effective governance, the Office of the State Comptroller (OSC), the Office of Policy and Management (OPM) and the Auditors of Public Accounts (APA) cooperatively developed the following accountability directive concerning proper internal controls and financial management integrity.

While this directive is geared to improving the financial integrity of State government, it is also designed to transfer more authority to State agencies. The idea is to make State government more effective by streamlining it and granting more authority to the agencies.

However, in order to successfully transfer this new level of authority to State agencies, it is critical to ensure that agencies be adequately prepared to assume this new level of responsibility. This directive attempts to achieve this by helping agencies evaluate and strengthen their internal controls.


The purpose of this directive is to help managers evaluate the internal control systems and identify possible deficiencies within their areas of responsibility by establishing an annual self-evaluation and risk assessment process. Such an effort will lead to the implementation of more effective controls before problems arise. OSC, OPM and APA are committed to providing assistance to agency personnel in the completion of this important task.

The final product of this process, an internal control self-assessment, will be completed annually by June 30 and kept on file at the agency. Please notify the Office of the Auditors of Public Accounts (18 Trinity St. Hartford, CT 06106) by memo when the internal control questionnaire has been completed. Notification must be received by June 30th of each fiscal year. Agencies which will not be visited by audit staff during an audit cycle will be asked to mail the completed questionnaire. You will be contacted under separate cover if this is required.

The internal control self-evaluation file should also contain the back up materials for the self assessment (including worksheets, questionnaires and/or flowcharts describing the agency's financial operations), reports from other auditors (including the Auditors of Public Accounts) and the agency's response to those reports.

In addition to establishing the annual agency self assessment of internal controls, this directive:


The State Constitution and CGS Sec. 3-112 provide that the Comptroller shall "... prescribe the mode of keeping and rendering all public accounts."

CGS Sec. 4-65a (a) provides "there shall be an office of policy and management which shall be responsible for all aspects of state staff planning in the areas program evaluation."

CGS Sec. 4-70e (b) provides "The executive financial officer of the office of finance shall, subject to the approval of the secretary:(1) Establish state agency financial policies..."

CGS Sec. 2-90 (c) provides " auditors shall audit the books and accounts of each department ... of the state government... Each such audit may include an examination of performance to determine effectiveness ..."

Consistent with the Constitutional and statutory authority granted to these three offices, this directive will be issued and administered jointly by OSC, APA and OPM.


This directive supersedes the OSC/OPM Accountability Directive Number 1 Exposure Draft issued in December 1994.


The management personnel of each State Agency are responsible for establishing and maintaining an effective internal control structure. To fulfill this responsibility, estimates and judgments by management are required to assess the expected benefits and related costs for internal control policies and procedures. The objectives of an internal control structure are to provide management with reasonable assurance that assets are safeguarded against loss from unauthorized use or disposition, and that financial transactions are executed in accordance with management's authorization and recorded properly to permit the preparation of financial statements in accordance with generally accepted accounting principles (GAAP).

In addition, the management of each State Agency and Authority is responsible for adhering to the prescribed accounting policies and procedures as promulgated by the Office of the State Comptroller in the State Accounting Manual (SAM).


The United States General Accounting Office describes the significance of internal controls as establishing and maintaining the internal control structure as an important management responsibility. Effective internal controls are essential to achieving the proper conduct of government business with full accountability for the resources made available. Internal controls also facilitate the achievement of management objectives by serving as checks and balances against undesired actions.

More specifically, internal control may also be defined as a process, effected by an entity's management, personnel, and oversight agencies, designed to provide reasonable assurance regarding the accomplishment of the following objectives:

A well-designed internal control structure will reduce improper activity. The responsibility of designing and implementing internal controls is a continuous process. As conditions change, control procedures may become outdated and inadequate. Management must anticipate that certain procedures will become obsolete and modify internal control systems in response to these changes. Appendices are included to provide detailed descriptions of internal controls, assessment tools such as checklists, and other sources of information. Using these tools, management can evaluate internal controls on a regular basis and be responsive to changes in the internal control environment.


Risk assessment is a process that helps to identify and analyze risks relevant to achieving specific organizational objectives. Risks can arise or change for a number of reasons, including the following:

  1. Changes in the operating environment.
  2. New personnel.
  3. New or revamped information systems.
  4. Rapid growth.
  5. New technology.
  6. New services or activities.

The purpose of an agency's risk assessment is to identify, assess, and manage risks that could affect an agency's ability to achieve its objectives.


An annual self-evaluation and risk assessment shall be performed by each agency.

Documentation of internal controls usually takes the form of internal control questionnaires, written narratives, or flow charts. The traditional method of describing an internal control structure is to complete a standardized internal control questionnaire. The appendices provide some examples. Most internal control questionnaires are designed so that a "no" answer to a question indicates a weakness in internal control. If completion of the questionnaire is regarded as an end in itself, there may be a tendency to fill in the "yes" and "no" answers in a mechanical manner, without any real understanding or study of the transaction cycle. The intent is to have the evaluation team obtain a working knowledge of the existing internal control structure.

During each fiscal year, each agency may be subject to audit by at least one of the central agencies (i.e., the Auditors of Public Accounts, the Office of the State Comptroller or the Office of Policy and Management). The audit report, compliance review, post audit report, or other evidence of an external review shall be filed in the internal control self-evaluation file. The agency responses to these audit reports along with any reports issued under CGS Sec. 4-33a (on the illegal, irregular or unsafe handling of State funds) shall also be included. These materials should be reviewed, along with agency remedial actions taken, in preparing the self-evaluation questionnaire.

Annually, prior to June 30, each agency shall complete the checklist of internal control evaluation questions attached in Appendix B. The review of these questions shall be documented by a report noting weaknesses and recommending solutions. Whenever remedial action is required, the agency will prepare and implement an action plan to correct the deficiency.

This self-evaluation shall be filed at the agency and made available to those auditors who visit the site and upon request by the Auditors of Public Accounts.

While the agency head is in a position to have a risk assessment performed, the authority to effect necessary changes may lie outside of the control of the agency head (e.g., budget, personnel, legislative changes, etc.). As part of an ongoing effort to promote efficient and cost effective State government, the issuers of this directive will assist State agencies in obtaining good internal controls.


Three separate State agencies conduct external risk assessments that serve somewhat different purposes. These agencies include the Office of the State Comptroller (OSC), the Auditors of Public Accounts (APA) and the Office of Policy and Management (OPM).

As the State's accountant, the State Comptroller prescribes accounting procedures for State agencies and sets standards for what constitutes an effective internal control structure. In terms of specific audit and risk assessment activity, OSC conducts compliance reviews for agencies and departments that have autonomous check writing authority under PA 91-256, the Higher Education Flexibility Act. In these cases, OSC has delegated its central authority to settle accounts to these agencies. Therefore, OSC evaluates the internal control environment of these sites on a regular basis as part of its audit program. More recently, OSC has initiated paperless processing of claims at selected sites and eventually will expand this system statewide. As this occurs, OSC's audit and risk assessment activity will expand as well to minimize the risk of a breakdown in the control environment.

The State Auditors conduct annual or biennial audits of all State agencies and authorities, except for the Office of the State Comptroller and the Office of the State Treasurer, which are always audited annually. During the audit process, APA evaluates the effectiveness of each agency's internal control structure and performs tests of the agency's compliance with certain provisions of laws, regulations, contracts and grants. In addition, as required by the Federal Single Audit Act, APA conducts an annual Statewide Single Audit of the State's general purpose financial statements, as well as, its Federal financial assistance programs. A formal report on an auditee's internal control structure is included in each audit report issued by the Auditors of Public Accounts.

As noted earlier, the Office of Policy and Management is responsible for all aspects of agency resource planning, including staffing needs. In addition, OPM is responsible for the areas of management and program evaluation. Through its budget and planning process, OPM conducts a review of agency fiscal staffing needs and agency requests for financial systems resources. In determining the disposition of these requests, OPM conducts its own assessment of agency internal control structures.

Although each of the above will independently assess the risk, to some extent they may all rely on the agency self-evaluations in collecting information to perform this assessment.


One of the only certainties in life is change. Therefore, an annual self-assessment allows each agency to discover what has changed and how that change has affected the agency's mission and internal control system. It is possible that the growth of agency functions has overwhelmed the staffing available to accomplish the agency's mission. It is also possible that the growth has expanded the responsibilities of staff to the point where reassignments or additional staff are necessary to improve internal controls.

The existence of current flowcharts of agency functions and narratives describing the transaction cycles give management an opportunity to better understand the operations of their area of responsibility, however simple or complex.

Whatever the findings from an annual self-evaluation, it is a beneficial process to be aware of potential internal control problem areas before such problems become overwhelming and unexpected or potentially embarrassing situations occur.


Overall, the five-step internal control self-evaluation process outlined here should take between three and five months to complete.

The best way to start the process is to gather existing information pertinent to the agency's financial operations. Examples of such documents include narrative descriptions, worksheets or flowcharts depicting the agency's financial systems, any reviews of agency financial operations by internal auditors, reports by the Auditors of Public Accounts or other independent auditors, and agency responses to these reports.

Once this material has been collected, the agency should be ready to begin its internal control self assessment.

Step One: Perform an Initial Review of the Accounting Systems in Place
The first step for evaluating internal control is to understand the accounting/transaction process and identify the systems currently in use at your agency. This initial review provides the basic foundation for identifying specific risks (see section VII for a definition of risk). Agency personnel should identify the major financial systems in place, the accounts these systems affect, and how these two elements interrelate.

Examples of typical systems might include the following:

Estimated Time Frame: For most State agencies, this step should require a minimal amount of time. The majority of agency heads and their business managers are familiar with the basics of their agency operations.

Step Two: Prepare Descriptions of These Systems
The second step would be to prepare descriptions of these accounting systems. A general description of a particular agency system should include the following:

The agency might use a narrative, a flowchart or questionnaire to describe the operation of the internal control system and to identify staff who perform relevant tasks.

Estimated Time Frame: For this step, a time frame of 4-6 weeks is suggested because most of this information should already be documented in some form. Reformatting this information should not be a difficult or time consuming task.

Step Three: Analyze the Control Environment
The third step would be to analyze the control environment. A useful tool for this evaluation is the collection of worksheets found in Appendix B. These worksheets cover six critical areas and can help agencies pinpoint internal control areas that merit closer attention.

Estimated Time Frame: The third step can be done concurrently with step two. Therefore, the same 4-6 week period is recommended.

Step Four: Identify the System's Control Procedures
The fourth step would be to identify the control procedures in each system. The basic control types include the following:

  1. Reconciliations and Comparisons of Assets With Records
    These controls, such as bank reconciliations, involve independent checks over the output of the agency accounting system.
  2. Reviews
    These include both analytic reviews and transactional reviews. The purpose of each type of analysis is to evaluate summary information.
    The most common form of analytical review in government is the comparison of actual figures to budgeted amounts, with an investigation of variances. This can be effective when:
In addition, when there are differences discovered that represent a misstatement, there should be an established procedure for correcting the error.
Transactional reviews are performed with the use of exception reports. These reports list transactions that vary from the norm. Using this method, staff can assess the validity and accuracy of accounting output by comparing detail with expected results.
  1. Physical Controls
    This includes physical controls over access to assets and incurring liabilities.
  2. Monitoring
    Monitoring can include proper approval of transactions, comparing outputs to supporting documents and observing control procedures, including audit tests.
    Time Frame: This step may represent a new procedure and a new set of concepts for many State agencies. Therefore, a two month period should be allotted for completing this task.
    If assistance is needed, agency heads and business managers can obtain consultation from either the Office of the State Comptroller or the Office of Policy and Management.
    Step Five: Document Key Internal Control Procedures
    The fifth step would be to determine and document the key internal controls that the agency relies upon to guard its assets. To do so, an agency first needs to determine the types of errors that might occur. When these potential errors are identified, agencies can match the internal controls that are in place to guard against these errors. This exercise is often done on a summary worksheet.
    Time Frame: Two to four weeks.


Each agency shall have a series of self-evaluation files that shall contain the results of the most recent financial audit, the most recent single audit, any reports under CGS 4-33a, OSC compliance reviews or post audits, OPM agency assessments, and State agency responses to the recommendations in each of those audit reports. In addition, the following documents should be kept on file: the annual self-evaluation of the internal controls including the completed checklists, questionnaires, or other evaluation tools, the risk assessment, and an action plan to reduce risks.


Effective internal controls are the foundation of efficient and cost effective State Government. Primary responsibility for the implementation and risk assessment is with each State agency head. The monitoring function is shared among the Auditors of Public Accounts, Office of the State Comptroller, and the Office of Policy and Management (as discussed earlier in section VII B). To assist all parties in the monitoring function and to fulfill their primary responsibility, each State agency shall perform an annual self-evaluation prior to June 30, which shall be kept on file for audit.

The Office of Policy and Management, the Office of the State Comptroller and the Auditors of Public Accounts are committed to assisting State agencies in their efforts to institute and maintain effective internal controls.


For assistance in evaluating your agency internal control structure, please contact:

The Office of the State Comptroller, Policy Evaluation & Review at 860-702-3440.
The Office of Policy and Management, Office of Finance at 860-418-6235.
The Auditors of Public Accounts at 860-566-3648 x314.

Back to Comptroller's Home Page
Back to Table of Contents