Internal Controls Resource
Introduction
The Office of the State Controller has adopted the Standards for Internal Control in the Federal Government (Green Book) as the State standard for internal controls. State Agencies must follow the Green Book for internal controls. See OSC Internal Control System Policy. In addition, principal departments of the Executive Branch shall comply with CRS 24-17-102, The Colorado State Department Financial Responsibility and Accountability Act (Act).
All local governments that have received federal funds will be responsible for ensuring that they establish and maintain effective internal controls that provide reasonable assurance that they are managing the federal funds in compliance with all applicable federal statutes, regulations, and the terms and conditions of the federal award. This Reference Guide is meant to be a guide for understanding and developing internal controls, and is not an exhaustive list of potential internal controls.
Internal Control
An internal control is a process carried out by an entity’s oversight body, management, and other personnel that provides reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations (see 2 CFR 200.1 definitions). In other words, “internal controls are the measures to ensure that the things we want to happen will happen, and the things we don’t want to happen won’t happen”. Waste or misuse of federal, state, or local government assets, inaccurate or incomplete information, embezzlement, and fraud can result if proper internal controls are not in place.
Characteristics of a good internal control system include:
- Continuous processes built into operations
- Processes that are accomplished by people, not only policies, procedures, and forms
- Processes that are adaptable to the entire agency or department
- Processes that provide reasonable assurance (not absolute assurance) that assets and resources are safeguarded
- Documented processes that can be provided to auditors
- Processes tailored to the unique operations and degree of complexity of each entity
Federal Requirements
Internal controls are not only good practice, but are required when using federal funds. Per Uniform Grant Guidance (UGG), 2 CFR 200.303 (Internal controls), the non-Federal entity must:
- Establish and maintain effective internal controls: Provide reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
- Evaluate and monitor compliance: Remain compliant with statutes, regulations, and the terms and conditions of the Federal award.
- Take prompt action on audit findings: Take prompt action when instances of non-compliance are identified, including non-compliance identified in audit findings.
- Safeguard protected personally identifiable information (PII): Take reasonable measures to safeguard protected personally identifiable information (PII) and other information the Federal awarding agency or pass-through entity designates as sensitive, consistent with applicable Federal, state, and local laws regarding privacy and obligations of confidentiality (this includes Social Security numbers, credit card numbers, etc.).
Developing Internal Controls for Grants/Internal Control Components
An internal control system needs to include a documented plan of how to achieve the entity’s objectives and ensure compliance (policies, processes—including approvals required). The Committee of Sponsoring Organizations’ (COSO) Framework includes five components and seventeen principles of internal control (see Appendix for a summary). An internal control system needs to be effectively designed, documented, implemented, and monitored for that internal control system to be effective. Within these five components, consider the questions below as you are designing and documenting your internal controls.
Control Environment (tone at the top; governance structure; training and communication):
- What policies and procedures are in place to ensure the following is true?
  - Key management responsibilities are clearly defined
  - Management is committed to adequate training for staff, adequate systems, and ethical operations
  - Management is committed to program compliance and is responsive in addressing questioned costs and/or compliance concerns
  - Staff understand how to perform their duties within the compliance parameters and feel empowered to communicate non-compliance to management
  - The governance structure is transparent and free from conflicts of interest
  - The workflow for approvals and decisions is clear and provides separation of duties where appropriate (performance, review, and recordkeeping tasks segregated)
Risk Assessment (identify, analyze, and mitigate internal and external risks):
- What policies and procedures are in place to ensure the following is true?
  - Organizational structure provides appropriate supervision over employees
  - Responsibilities are clearly assigned to monitor and communicate changes in laws, regulations, requirements, and policies
  - Responsibilities are clearly assigned to monitor and maintain system access and data integrity
  - Resources and staffing are appropriately aligned with the complexity and risk for each program or project
Control Activities (controls are designed, documented, updated, and monitored):
- Are internal controls in place in a diverse range of activities such as the following?
  - Segregation of Duties
  - Approvals and Authorizations
  - Verifications and Reconciliations
  - Performance Metrics and Reviews
  - Security of Assets
  - Data Entry and System Access
  - Reviews of Inputs and Outputs
  - Adequate Documentation
    - Signatures to support authorizations
    - Timecards to support labor
    - Detailed receipts to support spending
    - Reports with support of review and approval by management
  - Monitoring of Regulations and Guidance
  - Policy or Control Exception Reporting
  - Review and Investigation for Claims of Fraud, Waste, or Abuse
  - Remediation Plans to Address Identified Control Risk
Information and Communication (identifies, captures, and exchanges information enabling people to carry out their responsibilities):
- What are the mechanisms and frequency for communicating internally (Meetings, Manuals, Bulletin Boards, Memos, Training Materials, Surveys, Suggestion Boxes, etc.)?
- What are the mechanisms and frequency for communicating externally (Website posts, Newsletters, List Servs, Surveys, Webinars, Dashboards, etc.)?
- How are suspected improprieties reported from inside or outside of the organization?
Monitoring (ongoing evaluation of control activities with timely remediation of deficiencies):
- What processes are in place that would identify control deficiencies?
  - Reconciliations
  - Staff Feedback
  - Rotating Staff
  - Management Review of Reports
  - Sampling from Subrecipient Reports
- Who is accountable for assessing control systems with auditors and ensuring corrective actions are adequate when findings are identified?
Conclusion
As a result of increasing pressure on state and local governments, well-planned and documented internal control systems, including policies and procedures, are important in controlling government financial operations. In addition to preventing audit findings, benefits from strong internal controls include:
- Reducing and preventing errors in a cost-effective manner
- Ensuring priority issues are identified and addressed
- Protecting employees & resources
- Providing appropriate checks and balances
- Having more efficient audits with less testing and fewer demands on staff
For further information, consult the Uniform Grant Guidance or the additional resources listed below.
Resources:
Government Finance Officers Association, Internal Control for Grants (gfoa.org)
Government Accountability Office, Standards for Internal Control in the Federal Government, GAO-14-704G (This document includes the COSO Framework.)
U.S. Health Resources and Services Administration, Internal Controls at a Glance – Tips for Developing Effective Internal Controls (hrsa.gov)
Office of Management and Budget, Uniform Guidance, 2 CFR Part 200.1 - Definitions; Uniform Guidance, 2 CFR Part 200.303 - Internal Controls.
Appendix – Excerpt from the Green Book
The Five Components and 17 Principles of Internal Control
Control Environment
- The oversight body and management should demonstrate a commitment to integrity and ethical values.
- The oversight body should oversee the entity’s internal control system.
- Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives.
- Management should demonstrate a commitment to recruit, develop, and retain competent individuals.
- Management should evaluate performance and hold individuals accountable for their internal control responsibilities.
Risk Assessment
- Management should define objectives clearly to enable the identification of risks and define risk tolerances.
- Management should identify, analyze, and respond to risks related to achieving the defined objectives.
- Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
- Management should identify, analyze, and respond to significant changes that could impact the internal control system.
Control Activities
- Management should design control activities to achieve objectives and respond to risks.
- Management should design the entity’s information system and related control activities to achieve objectives and respond to risks.
- Management should implement control activities through policies.
Information and Communication
- Management should use quality information to achieve the entity’s objectives.
- Management should internally communicate the necessary quality information to achieve the entity’s objectives.
- Management should externally communicate the necessary quality information to achieve the entity’s objectives.
Monitoring
- Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
- Management should remediate identified internal control deficiencies on a timely basis.