finan. & opr. cntrl

8/2/2019 Finan. & Opr. cntrl

1/23

Financial andOperationalControl

in theFederalGovernment


2/23


3/23

Introduction

The following definition, objectives, andfundamental concepts provide the foundationfor the internal control standards.

Definition andObjectives

Internal Control

An integral component of an organizations

management that provides reasonable assurance

that the following objectives are being achieved:

effectiveness and efficiency of operations,

reliability of financial reporting, and

compliance with applicable laws and regulations.


4/23

Internal control is a major part of managing anorganization. It comprises the plans, methods,and procedures used to meet missions, goals,and objectives and, in doing so, supportsperformance-based management. Internalcontrol also serves as the first line of defense

in safeguarding assets and preventing anddetecting errors and fraud. In short, internalcontrol, which is synonymous withmanagement control, helps governmentprogram managers achieve desired resultsthrough effective stewardship of publicresources.

Internal control should provide reasonableassurance that the objectives of the agencyare being achieved in the following categories:


5/23

Effectiveness and efficiency ofoperations including the use of theentity's resources.

Reliability of financial reporting,including reports on budget execution,financial statements, and other reportsfor internal and external use.

Compliance with applicable laws andregulations.

A subset of these objectives is the safeguardingof assets. Internal control should be designed toprovide reasonable assurance regardingprevention of or prompt detection ofunauthorized acquisition, use, or disposition ofan agency's assets.

Fundamental

Concepts

Internal Control

A continuous built-incomponent of operations.

Effected by people.

Provides

reasonable

assurance, not

absolute

assurance.

InternalControl Is aContinuous

Built-inComponentf

Internal control is not one event,but a series of actions andactivities that occur throughout anentity's operations and on anongoing basis. Internal controlshould be recognized as an


6/23

that is built into the entity as a


7/23

InternalControl IsEffectedby People

People are what makeinternal control work. Theresponsibility for goodinternal control rests withall managers.Management sets the

objectives, puts thecontrol mechanisms andactivities in place, andmonitors and evaluatesthe control. However, allpersonnel in theorganization playimportant roles in makingit happen.

InternalControlProvidesReasonableAssurance, NotAbsoluteAssurance

Management should designand implement internalcontrol based on the relatedcost and benefits. No matterhow well designed andoperated, internal controlcannot provide absoluteassurance that all agencyobjectives will be met.Factors outside the control

or influence of managementcan affect the entity's abilityto achieve all of its goals. Forexample, human mistakes,

judgment errors, and acts ofcollusion to circumventcontrol can affect meetingagency objectives.

Therefore, once in place,internal control providesreasonable, not absolute,

assurance of meetingagency objectives.


8/23


9/23

Internal Control Standards

Presentation ofthe Standards

The Five Standards for Internal Control

Control Environment

Risk Assessment

Control Activities

Information and Communications

Monitoring

These standards define the minimum level ofquality acceptable for internal control ingovernment and provide the basis againstwhich internal control is to be evaluated. Thesestandards apply to all aspects of an agency'soperations: programmatic, financial, andcompliance. However, they are not intended tolimit or interfere with duly granted authorityrelated to developing legislation, rule-making,or other discretionary policy-making in anagency. These standards provide a general

framework. In implementing these standards,management is responsible for developing thedetailed policies, procedures, and practices tofit their agency's operations and to ensure thatthey are built into and an integral part ofoperations.

In the following material, each of thesestandards is presented in a short, concisestatement. Additional information is provided to

help managers incorporate the standards intotheir daily operations.


10/23

ControlEnvironment

Management and employees should establish

and maintain an environment throughout the

organization that sets a positive and supportive

attitude toward internal control and

conscientious management.

A positive control environment is thefoundation for all other standards. It providesdiscipline and structure as well as theclimate which influences the quality of

internal control. Several key factors affectthe control environment.

One factor is the integrity and ethical valuesmaintained and demonstrated bymanagement and staff. Agency managementplays a key role in providing leadership in thisarea, especially in setting and maintainingthe organization's ethical tone, providingguidance for proper behavior, removingtemptations for unethical behavior, and

providing discipline when appropriate.

Another factor is management's commitmentto competence. All personnel need topossess and maintain a level of competencethat allows them to accomplish theirassigned duties, as well as understand theimportance of developing and implementinggood internal control. Management needs toidentify appropriate knowledge and skillsneeded for various jobs and provide needed

training, as well as candid and constructivecounseling, and performance appraisals.


11/23

Management's philosophy and operating stylealso affect the environment. This factordetermines the degree of risk the agency iswilling to take and management's philosophytowards performance-based management.Further, the attitude and philosophy ofmanagement toward information systems,accounting, personnel functions, monitoring,

and audits and evaluations can have aprofound effect on internal control.

Another factor affecting the environment is theagency's organizational structure. It providesmanagement's framework for planning, directing,and controlling operations to achieve agencyobjectives. A good internal control environmentrequires that the agency's organizational structureclearly define key areas of authority and

responsibility and establish appropriate lines ofreporting.

The environment is also affected by themanner in which the agency delegatesauthority and responsibility throughout theorganization. This delegation covers authorityand responsibility for operating activities,reporting relationships, and authorizationprotocols.

Good human capital policies and practices areanother critical environmental factor. This includesestablishing appropriate practices for hiring,orienting, training, evaluating, counseling,promoting, compensating, and discipliningpersonnel. It also includes providing a properamount of supervision.

A final factor affecting the environment is theagency's relationship with the Congress and

central oversight agencies such as OMB. Congressmandates the programs that agencies undertakeand monitors their progress and central agencies


12/23

RiskAssessment

Internal control should provide for an assessment

of the risks the agency faces from both external

and internal sources.

A precondition to risk assessment is theestablishment of clear, consistent agencyobjectives. Risk assessment is theidentification and analysis of relevant risksassociated with achieving the objectives,such as those defined in strategic and annualperformance plans developed under theGovernment Performance and Results Act,and forming a basis for determining howrisks should be managed.

Management needs to comprehensivelyidentify risks and should consider allsignificant interactions between the entityand other parties as well as internal factors atboth the entitywide and activity level. Riskidentification methods may includequalitative and quantitative ranking activities,management conferences, forecasting andstrategic planning, and consideration offindings from audits and other assessments.

Once risks have been identified, they should beanalyzed for their possible effect. Risk analysisgenerally includes estimating the risk'ssignificance, assessing the likelihood of itsoccurrence, and


13/23

deciding how to manage the risk and what actions

should be taken. The specific risk analysismethodology used can vary by agency because ofdifferences in agencies' missions and the difficultyin qualitatively and quantitatively assigning risklevels.

Because governmental, economic, industry,regulatory, and operating conditionscontinually change, mechanisms should beprovided to identify and deal with any

special risks prompted by such changes.

Control Activities

Internal control activities help ensure that

management's directives are carried out. The

control activities should be effective and efficient

in accomplishing the agency's control objectives.

Control activities are the policies, procedures,techniques, and mechanisms that enforcemanagement's directives, such as the process ofadhering to requirements for budgetdevelopment and execution. They help ensure

that actions are taken to address risks. Controlactivities are an integral part of an entity'splanning, implementing, reviewing, andaccountability for stewardship of governmentresources and achieving effective results.

Control activities occur at all levels andfunctions of the entity. They include a widerange of diverse activities such as approvals,authorizations, verifications, reconciliations,performance reviews,


14/23

maintenance of security, and the creation andmaintenance of related records which provideevidence of execution of these activities as

well as appropriate documentation. Controlactivities may be applied in a computerizedinformation system environment or throughmanual processes.

Activities may be classified by specificcontrol objectives, such as ensuringcompleteness and accuracy of information processing.

Examples of ControlActivities

Top level reviews of actual performance,

Reviews by management at the functional

or activity level,

Management of human capital,

Controls over information processing,

Physical control over vulnerable assets,

Establishment and review of performance measures and indicators,

Segregation of duties,

Proper execution of transactions and events,

Accurate and timely recording of

transactions and events,

Access restrictions to and accountability

for resources and records, and

Appropriate documentation of transactions

and internal control.

There are certain categories of controlactivities that are common to all agencies.Examples include the following:


15/23

Top Level Reviews of Management should track major agencyachievements

Actual Performance and compare these to the plans, goals, andobjectives

established under the Government Performance

andResults Act.

Reviews by Management Managers also need to compare actualperformanceat the Functional or to planned or expected results throughout theActivity Level organization and analyze significant differences.

Management of Human Effective management of an organization's

Capital workforceits human capitalis essential to

achieving results and an important part ofinternalcontrol. Management should view human capitalasan asset rather than a cost. Only when therightpersonnel for the job are on board and areprovidedthe right training, tools, structure, incentives,andresponsibilities is operational success possible.

Management should ensure that skill needsarecontinually assessed and that the organization isableto obtain a workforce that has the required skillsthatmatch those necessary to achieveorganizationalgoals. Training should be aimed at developingandretaining employee skill levels to meetchangingorganizational needs. Qualified and continuoussupervision should be provided to ensure thatinternal

control objectives are achieved. Performanceevaluation and feedback, supplemented by aneffective reward system, should be designed tohelpemployees understand the connection betweentheir

performance and the organization's success. As apartof its human capital planning management


16/23

Controls Over A variety of control activities are used in information

Information Processing processing. Examples include edit checks of data

entered, accounting for transactions innumerical

sequences, comparing file totals with control


17/23

accounts, and controlling access to data, files,andprograms. Further guidance on control activitiesfor

information processing is provided belowunderControl Activities Specific for InformationSystems.

Physical Control Over An agency must establish physical control to secure

Vulnerable Assets and safeguard vulnerable assets. Examples include

security for and limited access to assets such ascash,securities, inventories, and equipment which might

bevulnerable to risk of loss or unauthorized use.Suchassets should be periodically counted andcomparedto control records.

Establishment and Activities need to be established to monitorReview of Performance performance measures and indicators. Thesecontrols

Measures and Indicators could call for comparisons and assessmentsrelatingdifferent sets of data to one another so thatanalysesof the relationships can be made andappropriateactions taken. Controls should also be aimedatvalidating the propriety and integrity of bothorganizational and individual performancemeasures

and indicators.

Segregation of Duties Key duties and responsibilities need to be divided or

segregated among different people to reduce theriskof error or fraud. This should include separatingtheresponsibilities for authorizing transactions,processing and recording them, reviewing thetransactions, and handling any related assets. No

oneindividual should control all key aspects of atransaction or event


18/23

principal means of assuring that only validtransactions to exchange, transfer, use, orcommitresources and other events are initiated orentered


19/23

into. Authorizations should be clearlycommunicated

to managers and employees.

Accurate and Timely Transactions should be promptly recorded toRecording of maintain their relevance and value to managementin

Transactions and Events controlling operations and making decisions.This

applies to the entire process or life cycle of atransaction or event from the initiation andauthorization through its final classification insummary records. In addition, control activitieshelpto ensure that all transactions are completelyandaccurately recorded.

Access Restrictions to Access to resources and records should belimited toand Accountability for authorized individuals, and accountability for theirResources and Records custody and use should be assigned andmaintained.

Periodic comparison of resources with therecorded

accountability should be made to help reducethe riskof errors, fraud, misuse, or unauthorizedalteration.

Appropriate Internal control and all transactions and other

Documentation of significant events need to be clearly documented,and

Transactions and the documentation should be readily available forInternal Control examination. The documentation should appear in

management directives, administrativepolicies, oroperating manuals and may be in paper or


20/23

range

and variety of control activities that may beuseful toagency managers. They are not all-inclusive andmay

not include particular control activities that anagency

may need.

Furthermore, an agency's internal control shouldbeflexible to allow agencies to tailor controlactivities tofit their special needs. The specific controlactivitiesused by a given agency may be different fromthose


21/23

used by others due to a number of factors.These could include specific threats they faceand risks they incur; differences in objectives;managerial judgment; size and complexity ofthe organization; operational environment;sensitivity and value of data; andrequirements for system reliability,availability, and performance.

Control ActivitiesSpecific forInformation

Systems

GeneralControl

Application

Control

There are two broadgroupings ofinformation

systems control -general control andapplicationcontrol. Generalcontrol applies to allinformationsystemsmainframe,minicomputer,network, andend-userenvironments.

Application control isdesigned to cover theprocessing of data


22/23

planning,management, controlover data centeroperations, systemsoftware acquisition

andmaintenance, accesssecurity, andapplication systemdevelopment andmaintenance. Morespecifically:

Data center andclient-server operationscontrols

include backup andrecovery procedures,andcontingency anddisaster planning. Inaddition, datacenter operationscontrols also include

job set-up andscheduling

procedures andcontrols overoperatoractivities.


23/23

finan. & opr. cntrl

Documents