
Internal Control System

State Controller Policy

Effective Date: 10/25/24

Approved by: Robert Jaros, CPA, MBA, JD, Colorado State Controller

Background

  • The objective of this policy is to create an internal control system that helps ensure the state’s ability to meet its mission, goals, and objectives, and ensures compliance with CRS 24-17-102 (applicable to principal departments of the Executive Branch) as well as 2 CFR Part 200 (OMB Uniform Guidance).

Policy

  • Effective with the date of this policy, the Office of the State Controller has adopted the “Standards for Internal Control in the Federal Government” (Green Book) as the State standard for internal controls. State Agencies must follow the Green Book for internal controls. In addition, principal departments of the Executive Branch shall comply with CRS 24-17-102, The Colorado State Department Financial Responsibility and Accountability Act (Act).

State Employees' Responsibilities

Every State of Colorado employee is responsible for internal controls, including:

  • Performing assigned internal control activities; 
  • Complying with all policies and procedures, laws, rules, and regulations relating to their jobs; and, 
  • Reporting significant internal control deficiencies to their supervisors and/or through designated agency communication channels. 

State Agencies’ Responsibilities 

CRS 24-17-102 provides that each principal department of the executive department of the state government listed in CRS 24-1-110 shall institute and maintain systems of internal accounting and administrative control within said department, which shall be applicable to all agencies within said department and which shall provide for:

  • a plan of organization that specifies such segregation of duties as may be necessary to assure the proper safeguarding of state assets;
  • restrictions permitting access to state assets only by authorized persons in the performance of their assigned duties;
  • adequate authorization and record-keeping procedures to provide effective accounting control over state assets, liabilities, revenues, and expenditures;
  • personnel of quality and integrity commensurate with their assigned responsibilities; and
  • an effective process of internal review and adjustment for changes in conditions.

CRS 24-17-103 requires that state agencies file a written statement that attests to their compliance with the statutory requirements listed above.

State Agencies not subject to CRS 24-17-102 should adopt an appropriate system of internal control.

Office of the State Controller’s Responsibilities 

The Office of the State Controller (OSC) has statutory responsibilities for managing the state’s financial affairs. Specifically, CRS 24-30-201(e) and (f) require the OSC to “coordinate all the procedures for financial administration and financial control so as to integrate them into an adequate and unified system, including the devising, prescribing, and installing of accounting forms, records, and procedures for all state agencies.” To meet its statutory obligations, the OSC provides fiscal oversight of agencies through State Fiscal Rules, Fiscal Procedures Manual, policies and procedures, guidance, best practices, training, and one-on-one assistance.

Definitions

  • Internal Control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives in the following categories: 
    • Effectiveness and efficiency of operations, 
    • Reliability of financial reporting, and 
    • Compliance with applicable laws and regulations.

    Internal control includes the plans, methods, policies, and procedures used to further the State agency’s mission, strategic plans, goals, and objectives.  An effective system of internal controls provides reasonable assurance that agencies will achieve their objectives, increases the state’s operational effectiveness and efficiency, safeguards public funds, ensures compliance, and minimizes fraud, waste, and abuse. 
     
  • Internal Control Framework is a standard way to organize, document, and discuss internal controls. State agencies shall use the Green Book, published by the U.S. Government Accountability Office (GAO), as their framework.
    • The Green Book includes five interrelated components – control environment, risk assessment, control activities, information and communication, and monitoring – as well as 17 principles that work together to form an effective internal control system.  Internal control principles help management achieve a strong internal control system by supporting the effective design, implementation, and operation of the five interrelated components.  The Green Book control activities and principles were adapted from the Committee of Sponsoring Organizations (COSO) of the Treadway Commission 2013 revision of Internal Control:  Integrated Framework (www.coso.org) for the government environment.

Components of Internal Control 

  • Control Environment is the first component of the internal control framework and is the foundation of an effective internal control system.  Control environment includes five related principles: 

    • The oversight body and management should demonstrate a commitment to integrity and ethical values. 
    • The oversight body should oversee the entity’s internal control system. 
    • Management should establish an organizational structure, assign responsibility, and delegate individuals. 
    • Management should demonstrate a commitment to recruit, develop, and retain competent individuals. 
    • Management should evaluate performance and hold individuals accountable for their internal control responsibilities. 

    An effective control environment exists when employees view internal control as a central part of performing their day-to-day jobs.  The internal control framework is management’s responsibility.  An effective control environment begins with the “tone at the top” – the words and actions of the agency’s leadership.  An oversight body oversees the internal control system.  An oversight body might be one or a few members of senior management, or may include multiple parties within or external to the entity.  Internal management must exclude themselves from their management roles when acting as part of an oversight body. 

  • Risk Assessment is the second component of the internal control framework and refers to the identification and analysis of risks to the organization achieving its goals and objectives.  Risk assessment includes four related principles (sequentially numbered to show all 17 principles): 

    • Management should define objectives clearly to enable the identification of risks and define risk tolerances.
    • Management should identify, analyze, and respond to risks related to achieving the defined objectives.
    • Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
    • Management should identify, analyze, and respond to significant changes that could impact the internal control system. 

    State agencies should develop a risk assessment plan that identifies those business processes subject to risk.  Assessing risks usually includes documenting a particular business process, identifying the risks found in the process, prioritizing those risks, and developing appropriate responses to mitigate those risks based on their priority.

  • Control Activities is the third component of the internal control framework and refers to the policies and procedures management implements to ensure their directives are carried out to reduce risk and minimize the obstacles to accomplishing goals.  The control activities component includes three related principles:

    • Management should design control activities to achieve objectives and respond to risks.
    • Management should design the entity’s information system and related control activities to achieve objectives and respond to risks.
    • Management should implement control activities through policies.

    Once managers assess the risks facing their agency, they have a basis for developing appropriate risk responses, including implementing control activities to mitigate the risk.  Examples of control activities include adequate separation of duties, periodic reconciliations of one accounting system to another, and management reviews and approvals.

  • Information and Communication is the fourth component of the internal control framework and refers to the flow of information and data down, across, and up the organization.  The information and communication component includes three related principles:

    • Management should use quality information to achieve the entity’s objectives.
    • Management should internally communicate the necessary quality information to achieve the entity’s objectives.
    • Management should externally communicate the necessary quality information to achieve the entity’s objectives.

    Information includes facts (i.e., data) and opinions.  Communication refers to the flow of information from one person or organization to another.  Information and communication are critical to the effective operation of an internal control system, flowing to, from, and through each of the other four components. Because information and communication is imbedded in the other four internal control components, there is not a separate statewide operating procedure on information and communication.

  • Monitoring is the fifth component in the internal control framework and refers to the actions taken to ensure that control activities are operating effectively and efficiently, and as intended.  Monitoring includes two related principles:

    • Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
    • Management should remediate identified internal control deficiencies on a timely basis.

    An example of monitoring activities is a periodic review of reconciliation files by senior management to ensure that reconciliations are in fact being prepared. In a grant program, monitoring activities include site visits and desk reviews to ensure that grant funds are properly spent.  Periodic internal audits are considered monitoring activities.

Related Policies and Procedures

  • State Controller Guidance Regarding Federal Grant Management and Compliance with the OMB Uniform Guidance (2 CFR Part 200)
  • Office of the State Controller Internal Control Guide for State Agencies and Institutions of Higher Education
  • Office of the State Controller Risk Assessment Questionnaire
  • Office of the State Controller Internal Control Training Presentation