State Administrative Manual
Skip to: | Content | Footer

Quick Links

 

SAM - Chapter 20000

20050     INTERNAL CONTROL 
(Revised 03/08)

State entity heads, by reason of their appointments, are accountable for activities carried out in their agencies.  This responsibility includes the establishment and maintenance of internal accounting and administrative controls. Each system an entity maintains to regulate and guide operations should be documented through flowcharts, narratives, desk procedures, and organizational charts.  The ultimate responsibility for good internal control rests with management.

Financial Integrity and State Manager's Accountability Act

Because governments are susceptible to fraud, waste, and abuse, increased attention has been directed toward strengthening internal control to help restore confidence in government and improve its operations. In particular, the Financial Integrity and State Manager's Accountability Act was enacted to inhibit waste of resources and create savings. GC 13400 through 13407 describes the Legislative findings, entity responsibilities, and entity reports on the adequacy of internal control.

GC 13403 defines internal accounting and administrative controls and sets forth the elements of a satisfactory system of internal control.  As stated in GC 13403, internal accounting and administrative controls are the methods through which state entity heads can give reasonable assurance that measures to safeguard assets, check the accuracy and reliability of accounting data, promote operational efficiency, and encourage adherence to prescribe managerial policies are being followed.

Internal accounting controls comprise the methods and procedures directly associated with safeguarding assets and assuring the reliability of accounting data.  Internal administrative controls comprise the methods and procedures that address operational efficiency and adherence to management policies.

Furthermore, GC 13403 states the elements of a satisfactory system of internal accounting and administrative controls, shall include, but are not limited to:

  1. A plan of organization that provides segregation of duties appropriate for proper safeguarding of state assets.
     
  2. A plan that limits access to state assets to authorized personnel who require these assets in the performance of their assigned duties.
     
  3. A system of authorization and record keeping procedures adequate to provide effective accounting control over assets, liabilities, revenues and expenditures.
     
  4. An established system of practices to be followed in performance of duties and functions in each of the state agencies.
     
  5. Personnel of a quality commensurate with their responsibilities.
     
  6. An effective system of internal review. 
These elements, as important as each is in its own right, are expected to be mutually reinforcing and, thus, to provide the system with "internal checks and balances."  All the elements are so basic to adequate internal control, that serious deficiencies in any one could preclude effective operation of the system and should trigger a sign of a problem.
 
Symptoms of Control Deficiencies
 
Experience has indicated that the existence of one or more of the following danger signals will usually be indicative of a poorly maintained or vulnerable control system.  These symptoms may apply to the organization as a whole or to individual units or activities.  Entity heads and managers should identify and make the necessary corrections when warned by any of the danger signals listed below.
 
  1. Policy and procedural or operational manuals are either not currently maintained or are nonexistent.
     
  2. Lines of organizational authority and responsibility are not clearly articulated or are nonexistent.
     
  3. Financial and operational reporting is not timely and is not used as an effective management tool.
     
  4. Line supervisors ignore or do not adequately monitor control compliance.
     
  5. No procedures are established to assure that controls in all areas of operation are evaluated on a reasonable and timely basis.
     
  6. Internal control weaknesses detected are not acted upon in a timely fashion.
     
  7. Controls and/or control evaluations bear little relationship to organizational exposure to risk of loss or resources.

Institute of Internal Auditors

The International Standards for the Professional Practice of Internal Auditing (ISPPIA), issued by the Institute of Internal Auditors, defines internal control as a process designed to provide an organization reasonable assurance regarding the achievement of the following primary objectives:

  1. The reliability and integrity of information.
  2. Compliance with policies, plans, procedures, laws and regulations.
  3. The safeguarding of assets.
  4. The economical and efficient use of resources
  5. The accomplishment of established objectives and goals for operations or programs


 
COSO Framework
 
The auditing profession has widely accepted the Committee of Sponsoring Organizations of the Treadway Commission's report titled The Internal Control - Integrated Framework (COSO Report) as a general definition of internal control.  The COSO Report defines internal control as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following three categories:

  1. Effectiveness and efficiency of operations
  2. Reliability of financial reporting
  3. Compliance with applicable laws and regulations

Internal control consists of five interrelated components:

  1. Control Environment.  The organization's tone; the foundation for all other components of internal control.
     
  2. Risk Assessment.  Management establishes activity-level objectives and mechanisms for identifying and analyzing risks related to their achievement.
     
  3. Control Activities.  Policies and procedures that ensure management's directives are carried out and help ensure that necessary actions are taken to minimize risks to achievement of the entity's objectives.
     
  4. Information and Communication.  Information must be identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities.
     
  5. Monitoring.  Assessing the quality of the system's performance over time.  This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two.

 
Updated : 3/14/2008