finan. & opr. cntrl
-
8/2/2019 Finan. & Opr. cntrl
1/23
Financial and Operational Control
in the Federal Government
Introduction
The following definition, objectives, and fundamental concepts provide the foundation for the internal control standards.
Definition and Objectives
Internal Control
An integral component of an organization's
management that provides reasonable assurance
that the following objectives are being achieved:
effectiveness and efficiency of operations,
reliability of financial reporting, and
compliance with applicable laws and regulations.
Internal control is a major part of managing an organization. It comprises the plans, methods, and procedures used to meet missions, goals, and objectives and, in doing so, supports performance-based management. Internal control also serves as the first line of defense in safeguarding assets and preventing and detecting errors and fraud. In short, internal control, which is synonymous with management control, helps government program managers achieve desired results through effective stewardship of public resources.
Internal control should provide reasonable assurance that the objectives of the agency are being achieved in the following categories:
Effectiveness and efficiency of operations including the use of the entity's resources.
Reliability of financial reporting, including reports on budget execution, financial statements, and other reports for internal and external use.
Compliance with applicable laws and regulations.
A subset of these objectives is the safeguarding of assets. Internal control should be designed to provide reasonable assurance regarding prevention of or prompt detection of unauthorized acquisition, use, or disposition of an agency's assets.
Fundamental Concepts
Internal Control
A continuous built-in component of operations.
Effected by people.
Provides reasonable assurance, not absolute assurance.
Internal Control Is a Continuous Built-in Component of Operations
Internal control is not one event, but a series of actions and activities that occur throughout an entity's operations and on an ongoing basis. Internal control should be recognized as an
that is built into the entity as a
Internal Control Is Effected by People
People are what make internal control work. The responsibility for good internal control rests with all managers. Management sets the objectives, puts the control mechanisms and activities in place, and monitors and evaluates the control. However, all personnel in the organization play important roles in making it happen.
Internal Control Provides Reasonable Assurance, Not Absolute Assurance
Management should design and implement internal control based on the related cost and benefits. No matter how well designed and operated, internal control cannot provide absolute assurance that all agency objectives will be met. Factors outside the control or influence of management can affect the entity's ability to achieve all of its goals. For example, human mistakes, judgment errors, and acts of collusion to circumvent control can affect meeting agency objectives.
Therefore, once in place, internal control provides reasonable, not absolute, assurance of meeting agency objectives.
Internal Control Standards
Presentation of the Standards
The Five Standards for Internal Control
Control Environment
Risk Assessment
Control Activities
Information and Communications
Monitoring
These standards define the minimum level of quality acceptable for internal control in government and provide the basis against which internal control is to be evaluated. These standards apply to all aspects of an agency's operations: programmatic, financial, and compliance. However, they are not intended to limit or interfere with duly granted authority related to developing legislation, rule-making, or other discretionary policy-making in an agency. These standards provide a general framework. In implementing these standards, management is responsible for developing the detailed policies, procedures, and practices to fit their agency's operations and to ensure that they are built into and an integral part of operations.
In the following material, each of these standards is presented in a short, concise statement. Additional information is provided to help managers incorporate the standards into their daily operations.
Control Environment
Management and employees should establish
and maintain an environment throughout the
organization that sets a positive and supportive
attitude toward internal control and
conscientious management.
A positive control environment is the foundation for all other standards. It provides discipline and structure as well as the climate which influences the quality of internal control. Several key factors affect the control environment.
One factor is the integrity and ethical values maintained and demonstrated by management and staff. Agency management plays a key role in providing leadership in this area, especially in setting and maintaining the organization's ethical tone, providing guidance for proper behavior, removing temptations for unethical behavior, and providing discipline when appropriate.
Another factor is management's commitment to competence. All personnel need to possess and maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal control. Management needs to identify appropriate knowledge and skills needed for various jobs and provide needed training, as well as candid and constructive counseling, and performance appraisals.
Management's philosophy and operating style also affect the environment. This factor determines the degree of risk the agency is willing to take and management's philosophy towards performance-based management. Further, the attitude and philosophy of management toward information systems, accounting, personnel functions, monitoring, and audits and evaluations can have a profound effect on internal control.
Another factor affecting the environment is the agency's organizational structure. It provides management's framework for planning, directing, and controlling operations to achieve agency objectives. A good internal control environment requires that the agency's organizational structure clearly define key areas of authority and responsibility and establish appropriate lines of reporting.
The environment is also affected by the manner in which the agency delegates authority and responsibility throughout the organization. This delegation covers authority and responsibility for operating activities, reporting relationships, and authorization protocols.
Good human capital policies and practices are another critical environmental factor. This includes establishing appropriate practices for hiring, orienting, training, evaluating, counseling, promoting, compensating, and disciplining personnel. It also includes providing a proper amount of supervision.
A final factor affecting the environment is the agency's relationship with the Congress and central oversight agencies such as OMB. Congress mandates the programs that agencies undertake and monitors their progress and central agencies
Risk Assessment
Internal control should provide for an assessment
of the risks the agency faces from both external
and internal sources.
A precondition to risk assessment is the establishment of clear, consistent agency objectives. Risk assessment is the identification and analysis of relevant risks associated with achieving the objectives, such as those defined in strategic and annual performance plans developed under the Government Performance and Results Act, and forming a basis for determining how risks should be managed.
Management needs to comprehensively identify risks and should consider all significant interactions between the entity and other parties as well as internal factors at both the entitywide and activity level. Risk identification methods may include qualitative and quantitative ranking activities, management conferences, forecasting and strategic planning, and consideration of findings from audits and other assessments.
Once risks have been identified, they should be analyzed for their possible effect. Risk analysis generally includes estimating the risk's significance, assessing the likelihood of its occurrence, and
deciding how to manage the risk and what actions should be taken. The specific risk analysis methodology used can vary by agency because of differences in agencies' missions and the difficulty in qualitatively and quantitatively assigning risk levels.
Because governmental, economic, industry, regulatory, and operating conditions continually change, mechanisms should be provided to identify and deal with any special risks prompted by such changes.
Control Activities
Internal control activities help ensure that
management's directives are carried out. The
control activities should be effective and efficient
in accomplishing the agency's control objectives.
Control activities are the policies, procedures, techniques, and mechanisms that enforce management's directives, such as the process of adhering to requirements for budget development and execution. They help ensure that actions are taken to address risks. Control activities are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results.
Control activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews,
maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation. Control activities may be applied in a computerized information system environment or through manual processes.
Activities may be classified by specific control objectives, such as ensuring completeness and accuracy of information processing.
Examples of Control Activities
Top level reviews of actual performance,
Reviews by management at the functional
or activity level,
Management of human capital,
Controls over information processing,
Physical control over vulnerable assets,
Establishment and review of performance measures and indicators,
Segregation of duties,
Proper execution of transactions and events,
Accurate and timely recording of
transactions and events,
Access restrictions to and accountability
for resources and records, and
Appropriate documentation of transactions
and internal control.
There are certain categories of control activities that are common to all agencies. Examples include the following:
Top Level Reviews of Actual Performance
Management should track major agency achievements and compare these to the plans, goals, and objectives established under the Government Performance and Results Act.
Reviews by Management at the Functional or Activity Level
Managers also need to compare actual performance to planned or expected results throughout the organization and analyze significant differences.
Management of Human Capital
Effective management of an organization's workforce, its human capital, is essential to achieving results and an important part of internal control. Management should view human capital as an asset rather than a cost. Only when the right personnel for the job are on board and are provided the right training, tools, structure, incentives, and responsibilities is operational success possible.
Management should ensure that skill needs are continually assessed and that the organization is able to obtain a workforce that has the required skills that match those necessary to achieve organizational goals. Training should be aimed at developing and retaining employee skill levels to meet changing organizational needs. Qualified and continuous supervision should be provided to ensure that internal control objectives are achieved. Performance evaluation and feedback, supplemented by an effective reward system, should be designed to help employees understand the connection between their performance and the organization's success. As a part of its human capital planning management
Controls Over Information Processing
A variety of control activities are used in information processing. Examples include edit checks of data entered, accounting for transactions in numerical sequences, comparing file totals with control
accounts, and controlling access to data, files, and programs. Further guidance on control activities for information processing is provided below under Control Activities Specific for Information Systems.
Physical Control Over Vulnerable Assets
An agency must establish physical control to secure and safeguard vulnerable assets. Examples include security for and limited access to assets such as cash, securities, inventories, and equipment which might be vulnerable to risk of loss or unauthorized use. Such assets should be periodically counted and compared to control records.
Establishment and Review of Performance Measures and Indicators
Activities need to be established to monitor performance measures and indicators. These controls could call for comparisons and assessments relating different sets of data to one another so that analyses of the relationships can be made and appropriate actions taken. Controls should also be aimed at validating the propriety and integrity of both organizational and individual performance measures and indicators.
Segregation of Duties
Key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. No one individual should control all key aspects of a transaction or event
principal means of assuring that only valid transactions to exchange, transfer, use, or commit resources and other events are initiated or entered
into. Authorizations should be clearly communicated to managers and employees.
Accurate and Timely Recording of Transactions and Events
Transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. This applies to the entire process or life cycle of a transaction or event from the initiation and authorization through its final classification in summary records. In addition, control activities help to ensure that all transactions are completely and accurately recorded.
Access Restrictions to and Accountability for Resources and Records
Access to resources and records should be limited to authorized individuals, and accountability for their custody and use should be assigned and maintained. Periodic comparison of resources with the recorded accountability should be made to help reduce the risk of errors, fraud, misuse, or unauthorized alteration.
Appropriate Documentation of Transactions and Internal Control
Internal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination. The documentation should appear in management directives, administrative policies, or operating manuals and may be in paper or
range and variety of control activities that may be useful to agency managers. They are not all-inclusive and may not include particular control activities that an agency may need.
Furthermore, an agency's internal control should be flexible to allow agencies to tailor control activities to fit their special needs. The specific control activities used by a given agency may be different from those
used by others due to a number of factors. These could include specific threats they face and risks they incur; differences in objectives; managerial judgment; size and complexity of the organization; operational environment; sensitivity and value of data; and requirements for system reliability, availability, and performance.
Control Activities Specific for Information Systems
General Control
Application Control
There are two broad groupings of information systems control - general control and application control. General control applies to all information systems: mainframe, minicomputer, network, and end-user environments.
Application control is designed to cover the processing of data
planning, management, control over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance. More specifically:
Data center and client-server operations controls include backup and recovery procedures, and contingency and disaster planning. In addition, data center operations controls also include job set-up and scheduling procedures and controls over operator activities.