Internal Control Guidelines

There are five internal control standards issued by the Committee of Sponsoring Organizations (COSO).  Your agency will address these standards when documenting internal controls for your agency.  The purpose of this document is to guide agency management in carrying out their agency’s goals and objectives. This guidance is not intended to take the place of management’s judgment or to dictate how management chooses to carry out its responsibilities.

What are Internal Controls?

Internal control or an internal control system is the integration of the activities, plans, attitudes, policies, and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its mission and objectives.

This definition establishes that:

  • internal control impacts every aspect of an agency: all of its people, processes and physical structures;
  • internal control is a basic element that permeates an agency - not a feature that is added on;
  • internal control incorporates the qualities of good management;
  • internal control is dependent upon people and will succeed or fail depending on the attention people give to it;
  • internal control is effective when all of the people and the surrounding environment work together;
  • internal control provides a level of comfort to an agency; controls do not guarantee success; and
  • internal control helps an agency achieve its goals and objectives.

As stated in the above definition, internal control is a means for achieving the agency's goals and objectives. More specifically, there are four purposes of internal control:

  • to promote orderly, economical, efficient and effective operations and to produce quality products and services consistent with the organization's mission;
  • to safeguard resources against loss due to waste, abuse, mismanagement, errors and fraud;
  • to ensure adherence to laws, regulations, contracts and management directives; and
  • to develop and maintain reliable financial and management data, and to accurately present that data in timely reports.

If an agency addresses each of these four purposes in developing its internal control system, the agency will most likely achieve its goals and objectives. Failure to adequately address any one of these purposes may put the organization at risk.

Five Internal Control Standards

The first internal control standard is Control Environment.

Your agency should establish and maintain a positive and supportive attitude towards the achievement of your agency's objectives. While managers set the tone for the work environment, all employees have input into the control environment.  Over the years, studies have found that there are two effective ways to reduce fraud.  One way is to lock up everything in your workplace and the other way is to surround yourself with ethical people.  Employees make internal controls work.  The values in place at your agency determine your organization's ethical tone.

Control environment is the attitude toward internal control and control consciousness established and maintained by the management and the employees of an organization. It is a product of management's philosophy, style and supportive attitude, as well as the competence, ethical values, integrity, and morale of the organization's people. The organization structure and accountability relationships are key factors in the control environment.

The second internal control standard is Risk Assessment.

All State agencies should perform a risk assessment on an annual basis.  This involves a review and analysis of program operations to determine where risk exists, and what those risks are.  These risks are then measured in terms of their impact on your operations.  A risk assessment also allows you to target high-risk areas or programs and focus on where the greatest exposure exists.  Always reassess risk as a result of changing conditions, both internal and external, in your workplace.

Risk identification occurs as a result of findings from audits, evaluations and other testing or assessments.  Risk analysis includes estimating the likelihood and frequency of occurrence of each risk and determining whether it falls into the low, medium, or high-risk category.  Once risk is identified, the potential impact on programs should be measured and additional controls should be developed.  What are your risks from downsizing your operations and personnel?  What are your risks relating to new legislation and/or regulations?  Risk is not another thing to manage, but a way of managing.

Risks are events that threaten the accomplishment of objectives. They ultimately impact an organization's ability to accomplish its mission. Risk assessment is the process of identifying, evaluating and determining how to manage these events. At every level within an organization there are both internal and external risks that could prevent the accomplishment of established objectives. Ideally, management should seek to prevent these risks. However, sometimes management cannot prevent the risk from occurring. In such cases, management should decide whether to accept the risk, reduce the risk to acceptable levels, or avoid the risk. To have reasonable assurance that the organization will achieve its objectives, management should ensure each risk is assessed and handled properly.

The third internal control standard is Control Activities.

This standard involves using methods to reduce the risks identified during the risk assessment process, to ensure that agency decisions and objectives are carried out.  Methods used to control activities include policies, procedures, networking, auditing and investigations.  Control activities can include prepayment and/or post-payment mechanisms to manage any improper payments.

Your agency should have in place detection techniques to quickly identify and correct improper payments.  Detection techniques play a large role in identifying improper payments and also provide information on why these payments were made so that corrections in your process can be made.  Good internal controls should ensure that there is a proper segregation of duties, divided among different people to reduce error, waste, or fraud.  No one individual should be allowed to control all key aspects of a transaction or event.

An agency's internal control activities should be flexible, weighing costs and benefits, to allow agencies to tailor these activities to fit their special needs.  Once in place, control activities will provide you useful information to meet the objectives of your agency. 

Control activities are tools - both manual and automated - that help prevent or reduce the risks that can impede accomplishment of the organization's objectives and mission. Management should establish control activities to effectively and efficiently accomplish the organization's objectives and mission.

The fourth internal control standard is Information and Communications.

For an agency to run and control its operations, it needs fast, reliable and accurate information.  Also, the agency needs to make sure that the types of communications are broad-based and that information technology management assures useful, reliable and continuous communications. 

How we communicate is as important as what we communicate.  Effective communication should occur in a broad sense with information flowing down, across, and up your agency’s organization.  By asking questions, we should treat feedback from employees as another way to consider if our internal controls are effective.  

Communication is the exchange of useful information between and among people and organizations to support decisions and coordinate activities. Within an organization, information should be communicated to management and other employees who need it in a form and within a time frame that helps them to carry out their responsibilities. Communication also takes place with outside parties such as customers, suppliers and regulators.

The fifth internal control standard is Monitoring.

Monitoring performance is a critical tool for the success of your agency.  When your risk is identified, internal control monitoring should be in place to measure the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved.  Your organization should consider continuous monitoring activities as well as specific events, such as audits, special reviews or evaluations. Monitoring should include policies and procedures for tracking audit findings and other reviews brought to the attention of management to see that they are promptly resolved. A specific evaluation is a great method to look at your internal controls by focusing on a specific event and time.  At this point, you have your problem areas and risk identified and procedures in place to treat problems.  Proper monitoring and review allow you to track the progress of your improvements and determine if deficiencies are corrected.

Monitoring your activities should be ongoing to aid in reducing improper payments.  Your monitoring process should include procedures for ensuring that results are communicated to the necessary people within your agency so that they can be promptly resolved.  Using data from monitoring will not only improve your operations; it will give management ways to identify areas needing further attention or a shift in focus.  Simply said, improper payments should not be considered an acceptable cost of operating your agency.

Monitoring is the review of an organization's activities and transactions to assess the quality of performance over time and to determine whether controls are effective. Management should focus monitoring efforts on internal control and achievement of organization objectives. For monitoring to be most effective, all employees need to understand the organization's mission, objectives, responsibilities and risk tolerance levels.