NASACT



TOPIC: Internal ControlsOFFICE: Office of the State AuditorSTATE: INDATE: 10/09/2018QUESTION / ISSUE:Here are some topics/questions that I’d like to circulate to the Internal Controls Group:Internal ControlsHow does your organization manage its system of internal controls? Who is responsible for the oversight of internal controls?Policies and ProceduresHow are policies and procedures managed in your organization? Who is responsible for policies and procedures? How often are policies and procedures reviewed and updated?Is there information related to the policies and procedures program you can share such as the policies and procedures themselves and/or a list of all policies and procedures?Risk ManagementWhat other tools besides policies and procedures does your organization use to manage risk?? Does your organization use any risk control matrices (RCMs also known as internal control cycles)?? How has this impacted your organization?Does your organization have plans to implement or has already implemented enterprise risk management?? How has this impacted your organization?ArizonaInternal ControlsOur organization is the state as a whole.? The GAO publishes policies and procedures related to internal controls and several computer-based training units dealing with internal controls at several levels (management, accounting, program, etc.).? We also have an internal audit unit that, in addition to conducting certain types of audits and internal control reviews, distributes periodic internal control self-assessments to the state's agencies.? The state's Auditor General also does internal control reviews and other audits.? Many of the larger agencies maintain their own internal audit departments that specialize in the controls relevant to their operations.The State Comptroller is, in many respects, responsible for the oversight of internal controls, particularly over the executive branch of state government.?Policies and ProceduresThe GAO publishes fairly extensive policies and procedures (The State of Arizona Accounting Manual (SAAM)) dealing with, among other matters, internal controls, accounting, grants, etc.? ?See:?? a statewide basis, within the realm of accounting and internal controls, the State Comptroller has principal responsibility for policies and procedures.? Agencies may and are frequently required to develop policies and procedures related to agency operations; these policies and procedures must not contradict statewide policies and procedures.SAAM is continually updated and expanded.? At least three updates to SAAM are published each quarter.See SAAM Topic 05 for internal control related policies (there are currently twelve sections spanning forty-two pages that deal specifically with internal controls).? Moreover, several of the accounting policies deals with aspects of internal control relating to the operation under consideration (e.g., taking inventory, reconciling bank accounts, etc.)?Risk ManagementRisk is a frequent topic of discussion at monthly agency CFO meetings.? Audit operations as well as CBTs have been discussed above.? The GAO also publishes a number of Quick Reference Guides (QRGs), some of which tangentially touch upon internal controls while giving instructions as to how to perform certain accounting functions within the state's automated systems.At the moment, these exist only with relation to our PCI compliance activities (both operational and technological).? At some point, these may be expanded into other areas.This is something that has been discussed, but not yet truly planned nor implemented.ColoradoInternal ControlsColorado has adopted the Green Book for internal controls.? The Office of the State Controller (OSC) issues guidance for internal controls.? Policies and ProceduresEach agency's executive director is responsible to internal controls at that agency.OSC is responsible for and manages internal controls policies and procedures.? Generally updated annually.We are in the process of updating the OSC website.Risk ManagementWe conduct a risk assessment for monitoring subrecipients to comply with OMB Super Circular.We have not implemented enterprise risk management.Here is the link to Colorado's Office of the State Controller Internal Audit website where we have policies and guidance on internal control: Controls Delaware adopted the Committee of Sponsoring Organizations (COSO) of the Treadway Commission Internal Control Integrated Framework (COSO Framework) for Organizations to use in the assessment of internal control as adapted by the Government Accountability Office (GAO) Standards for Internal Control in the Federal Government issued September 2014.? The state of Delaware’s Budget and Accounting Policy Manual (the Manual) establishes general policies and procedures for all state organizations relative to budgeting, managing and reporting of financial transactions.? Each state organization is responsible for developing specific policies and procedures based on the structure and personnel within the organization.The Division of Accounting (DOA) is responsible for the establishment of the state’s internal control structure.? Together with the Office of Management and Budget (OMB), DOA administers the policies and procedures of the Manual ensuring adherence by state organizations.? DOA conducts annual reviews of state organizations to ensure compliance with the Manual and organizations’ specific policies and procedures.? Policies and Procedures The Manual sets forth the general budgeting and accounting policies, rules, regulations and guidelines for all state organizations.? Specific policies and procedures are adopted by each state organization based on their structure and personnel.? In addition to the Manual developed centrally, the management of each state organization is responsible for maintaining and communicating written policies and procedures to ensure that an effective system of internal control exists within each organization.? The Manual is continually reviewed and updated by OMB and DOA in monthly meetings.? State organizations are required to update policies when changes occur within their organization. State organizations are subject to review of their policies and procedures as well as periodic audits to ensure they comply with state law, regulatory requirements, and the organization’s own internal control plan.Not at this time.Risk Management Internally developed checklists and questionnaires are used to assess the policies and procedures developed by state organizations.No.Not at this time.MassachusettsInternal ControlsMassachusetts has operated under the Internal Control Law since 1989. See Internal Control Legislation from Chapter 647 of the Acts of 1989: Commonwealth Department Head is responsible for implementing and maintaining effective internal controls based on prescribed statutes, regulations and policies. Each year all Department Heads must certify that they have effective and up to date internal controls in place via our Internal Control Questionnaire. The Office of the Comptroller is responsible for issuing guidance on internal controls and monitoring state agency compliance with that guidance. State agencies must, at least annually, evaluate the effectiveness of its internal control system. Agencies report any unaccounted for variances, losses, shortages or thefts of funds or property to the Auditor’s Office when they become aware of such.The State Auditor is responsible for reviewing each matter received to: Determine the amount involved, which shall be reported to appropriate management and law enforcement officials. Determine the internal control weakness that contributed to or caused the condition. Make recommendations to the agency official overseeing the internal control system and other appropriate management officials (including the Comptroller) that address the correction of the conditions found and the necessary internal control policies and procedures that must be modified.Policies and ProceduresThe Office of the Comptroller has nine business teams with each team responsible developing, editing, and/or enhancing policies and procedures in its area of oversight. Policies are reviewed by senior management and our General Counsel prior to being issued by the Comptroller. The nine Comptroller’s business teams are responsible for issuing policies and procedures. State agencies are responsible for complying with Comptroller policies by developing and implementing procedures specific to their needs that also comply with the policies.Approximately every six months each Comptroller business team reviews its website pages, inclusive of policies, with the Web Content Management Team for deletes/adds/updates.Here is a link to the CTR Policies page: can field questions on specific policies if follow up is required.Risk ManagementData analytics, agency Desk Reviews and site visits, tracking of audit findings, enterprise systems access reviews. Per the Internal Control Law and the Comptroller’s Internal Control Guide, each department or agency must have an Internal Control Plan updated annually and based on a risk assessment per the Enterprise Risk Management (ERM) framework. Yes, the Comptroller uses a matrix to record and assess objectives, risks and strength of controls for each business team. Visualized through heat maps, this has led to greater awareness among staff of the risks, inherent and residual, in their operating areas. Already implemented. Has led to the identification and assessment of cross-functional risks, and greater focus on how to achieve the mission of the Office.Our Office has been part of the AGA Intergovernmental Partnership work groups that have developed the following tools:AGA Internal Controls Tool Fraud Prevention Tool ERM Hub also: Office of the Comptroller’s Internal Control Guide – based on ERM Internal Control Guide?New HampshireNew Hampshire’s challenge with internal controls has really been in getting agency administrators to not only understand the concept and framework of COSO/Greenbook but to understand how to actually apply that knowledge to their management of agency business.? In New Hampshire each agency manages its own system of internal control. Within our own office, we follow the guidelines of the attached internal control toolkit in maintaining and implementing new policies. From a statewide perspective to improve internal controls over financial reporting at the agencies, our current strategy at the Division of Accounting Services (Comptroller’s Office) is to conduct training sessions that take agency personnel through the framework using specific and measurable agency objectives. The course is broken into multiple sessions and produces an implementation ready policy and procedure document for the agency to use.? The course follows the attached toolkit and can be customized to fit the specific objectives agencies are using for the course. (I included a slide-deck we use for the first session as well.)Our first “victim” was our P-card administration group and was very productive.? They produced some well thought out policy and procedure improvements with clear direction on how and when to revisit/measure operational effectiveness.? Our current and 2nd victim is the grants administration group at our Department of Justice who are re-evaluating their federal grant reporting against the uniform guidance.? We’re about halfway through and it seems to be going just as well as the first time.? \s\sNorth CarolinaShared information via phone.Rhode IslandInternal ControlsManagement of the Internal Controls System is a joint effort by the Rhode Island Office of Internal Audit and the RI State Controller’s Office.? While management of each state agency is responsible for the assessment, documentation and implementation of a set of internal controls specific to that agency, Internal Audit and the State Controller’s Office provide training and other tools to assist in that process, an effort which is under development and continues to evolve.Policies and ProceduresA yearly review is done of the policies and procedures which are the responsibility of the State Controller’s Office. If a change is known (for example, a change in state law) which will impact a procedure, it is updated as soon as possible to enable the procedures to be appropriately tested and implemented.? Annually, approximately 20-25% of the policies in place are selected for review, beginning with the oldest or any with known changes. The process is managed by the supervisor of Fiscal Services and the Assistant Controller-Operations.? After the selection is made, the review/update of the policy or procedure will be assigned to the appropriate responsible party to complete.? The State Controller will approve when complete and it will be posted to the Enterprise Policies website of the RI Department of Administration, which links to the State Controller’s website.Additional information related to policies and procedures can be found at the Rhode Island State Controllers site: .? General overview information can be found on the RI State Internal Audit site: .? A comprehensive list of the policies in place in the Department of Administration, including those issued by the State Controller, is here:? . This site is continually updated to replace outdated policies and post new ones.? Risk ManagementCurrently, a risk assessment questionnaire is under development as a tool to assist divisions in identifying weaknesses in internal controls and areas of opportunity to strengthen them.? This tool will be used in conjunction with the internal control audits performed by the Office of Internal Audit.? Testing is performed by the Office of Internal Audit in order to develop and strengthen the audit plan and identify priorities in internal audit. ?Vizio templates are being developed to detail various internal control processes, and are one tool out of several used to test the controls. The Internal Control cycles, currently under development, follow the Office of Internal Audit cycle of testing and audit. ?UtahInternal ControlsThe state of Utah has an Internal Control Group (ICG) in the Division of Finance, Department of Administrative Services.? The group reviews with each state agency Internal Control Questionnaires (ICQs), which are based on the NASC documents adapted for the state of Utah.? The ICG assists state agency management with their ICQs by performing field visits and providing training and guidance as needed.? The Division of Finance also has a policy (FIACCT 20-00.00) that outlines the requirements of the state agencies to submit the ICQs.Management of the state agencies are ultimately responsible for their own internal controls, but the ICG, under the Division of Finance management's direction, assists agency management to help assure compliance with best practice regarding internal controls.? Agencies with Internal Audit divisions have responsibility of oversight of internal controls in accordance with the Utah Internal Audit Act (63I-5-101).?Policies and ProceduresThe Division of Finance establishes high level accounting and control policies and procedures. The State Comptroller (referred to as the Director of Finance in statute) is ultimately responsible for statewide policies and procedure. As such, he reviews and approves policies. Agencies must work within the established statewide policies and usually create more prescriptive policies and procedures specific to agency needs. Typically, all accounting controls established within an agency are determined by the agency finance directors.The state of Utah reviews statewide accounting policies at least annually and updates them as needed.We are happy to share and collaborate on work. ?Risk ManagementCertain state agencies are required to have an internal audit function. The State Division of Finance has a statewide internal control group which manages a series of ICQs and trains agencies on internal controls. Finance also has a post-audit group that audits samples of disbursements for compliance with policy. The Division of Finance is currently working with the Division of Risk Management on creating a risk map to determine audit/review frequency and depth for the internal control and post-audit group. Enterprise Risk Management is already implemented in the state but not specific to accounting controls.?VirginiaMy office implemented COSO-based Agency Risk Management and Internal Control Standards (ARMICS) in 2006.? The standards are mandatory but allow agencies maximum flexibility to adapt to their circumstances as long as the overall objectives are met.??ARMICS?is now largely institutionalized and we require annual certifications of risk assessments covering the agency control environment and significant fiscal processes.? Our webpage URL (below) provides the standards and tools we make available to Virginia agencies.? It has been a very good program to provide a uniform means of communicating risk and control expectations across all agencies.? ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download