Internal Control Systems

SUBJECT: INTERNAL CONTROL SYSTEMS
NUMBER: S.2.
DEPARTMENTS & DISTRICTS AFFECTED: ALL AGENCIES, DEPARTMENTS, AND DISTRICTS GOVERNED BY THE BOARD OF SUPERVISORS
EFFECTIVE: 01/86
REVISED: 09/2000
Signed: David E. Sundstrom, Auditor-Controller
TABLE OF CONTENTS
1. POLICY
  1.1 Purpose
  1.2 Authority
  1.3 Definitions
2. COMPONENTS OF INTERNAL CONTROL
  2.1 Control Environment
  2.2 Risk Assessment
  2.3 Control Activities
  2.4 Information and Communication
  2.5 Monitoring
3. STANDARDS OF INTERNAL CONTROLS
  3.1 Segregation of Duties
  3.2 Access to Assets
  3.3 Authorization, Execution, and Recording of Transactions
  3.4 Documentation of System
  3.5 Integrity and Competent Personnel
  3.6 Supervision
  3.7 Monitoring Controls
  3.8 Reasonable Assurance
  3.9 Supportive Attitude
  3.10 Control Objectives
4. RESPONSIBILITIES OF DEPARTMENTS/AGENCIES AND DISTRICTS GOVERNED BY THE BOARD OF SUPERVISORS
  4.1 Establish and Maintain a System of Internal Control
  4.2 Determine that the System is Functioning as Prescribed and is Modified, as Appropriate, for Changes in Conditions
  4.3 Document and Communicate the System of Internal Control to All Employees
5. RESPONSIBILITIES OF THE INTERNAL AUDIT DEPARTMENT
  5.1 Periodic Reviews
  5.2 Written Reports
  5.3 Follow-up Audits
6. RESPONSIBILITIES OF THE AUDITOR-CONTROLLER DEPARTMENT
  6.1 Policies
  6.2 Procedures
  6.3 Systems
1. POLICY
All County departments/agencies shall maintain effective internal control systems as an integral part of their management practices. This is because management has primary responsibility for establishing and maintaining the internal control system. All levels of management must be involved in assessing and strengthening internal controls. Effective internal control systems should provide management with reasonable, but not absolute, assurance that assets are safeguarded from unauthorized access, use or disposition; transactions are executed in accordance with management's authorizations; financial and statistical records and reports are reliable; applicable laws, regulations and policies are adhered to; and resources are efficiently and effectively managed. Control systems shall be continuously evaluated and weaknesses, when detected, must be promptly corrected. New programs shall be designed to incorporate effective systems of internal control.
1.1 Purpose
To prescribe policies and standards to be followed by departments/agencies in establishing and maintaining internal control systems in their operations and administrative activities.
1.2 Authority
1.2.1 Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Internal control-integrated framework dated February 1992, which set criteria for evaluating an entity's internal control structure.
1.2.2 Board of Supervisors' Resolution No. 82-162, dated February 2, 1982
Authorizes the Auditor-Controller to prescribe the accounting policies for all offices, departments, and institutions under the control of the Board of Supervisors.
1.2.3 Board of Supervisors' Resolution No. 85-337, dated March 12, 1985
Establishes that all County departments/agencies maintain effective internal control systems, as an integral part of their management practices. Also, establishes that all levels of management shall be involved in evaluating control systems on an on-going basis and, when detected, ensuring weaknesses are promptly corrected. (Responsibility for periodic reviews of control systems now belongs to the Internal Audit Department, rather than the Auditor-Controller Department, per Board Resolution No. 95-271.)
1.2.4 Board of Supervisors' Resolution No. 95-271, dated April 25, 1995
Establishes the Internal Audit Department as independent from the Auditor-Controller Department, and authorizes the Internal Audit Department to perform the Auditor-Controller's legally required audits, if requested by the Auditor-Controller.
1.3 Definitions
1.3.1 Internal Control
A process - effected by an entity's board of supervisors, management, and other personnel - designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  1. Effectiveness and efficiency of operations
  2. Reliability of financial reporting
  3. Compliance with applicable laws and regulations
1.3.2 Standards of Internal Controls
Elements of a satisfactory system of internal controls. (See Section 3 for specific standards.)
1.3.3 Documentation of Internal Controls
Any material used to describe the internal control system, which communicates responsibilities and authorities and serves as a reference for persons reviewing the internal controls and their function. Such material can include written policies, organization charts, procedural write-ups, manuals, memoranda, flow-charts, software, and related written materials.
2. COMPONENTS OF INTERNAL CONTROL
Internal control consists of five interrelated components, which are control environment, risk assessment, control activities, information and communication, and monitoring.
2.1 Control Environment
Sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment encompasses the following factors: integrity and ethical values, commitment to competence, board of supervisors or audit committee participation, management's philosophy and operating style, organizational structure, assignment of authority and responsibility, and human resource policies and practices.
2.2 Risk Assessment
The entity's identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed. Risks can arise or change due to circumstances such as the following: changes in operating environment, new personnel, new or revamped information systems, rapid growth, new technology, new activities, restructuring, or changing accounting pronouncements.
2.3 Control Activities
The policies and procedures that help assure management that necessary actions are taken to address risks to achieving the entity's objectives, which include:
  • Performance Reviews - Comparisons and analysis of actual performance versus budgets, or program objectives to actual outcomes.
  • Information Processing - Controls to check accuracy, completeness, and authorization of transactions, which include computer system general controls and application controls.
  • Physical Controls - Activities encompassing the physical security of assets, including adequate safeguards such as secured facilities; security over access to assets and records; security management over information systems (e.g. protection against computer viruses and "hacking"); and periodic counting and comparison with amounts shown on control records.
  • Segregation of Duties - Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets with the intent to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or irregularities.
2.4 Information and Communication
The identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
  • Information - Includes the accounting system, which consists of the methods and records established to record, process, summarize and report transactions and to maintain accountability for the related assets, liabilities, and equity (funds). Information systems produce reports containing operational, financial, and compliance-related information that makes it possible to run and control an organization. An information system encompasses methods and records that
    • Identify and record all valid transactions.
    • Describe timely and sufficiently detailed transactions to permit proper classification for financial reporting.
    • Measure the value of transactions to permit recording their proper financial value in the financial statements.
    • Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
    • Present properly the transactions and related disclosures in the financial statements.
  • Communication - Involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. Communication takes such forms as policy manuals, accounting and financial reporting manuals, memoranda, oral communication, and management actions.
2.5 Monitoring
A process that assesses the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. This process is accomplished through ongoing monitoring activities of internal controls and separate evaluations of internal controls, or a combination of the two. Ongoing monitoring activities should be built into the normal recurring activities of an entity and should include regular management and supervisory duties. Internal auditors or personnel performing similar functions contribute to the monitoring of an entity's activities through separate evaluations. However, the entity's management is ultimately responsible for effectively monitoring controls.
3. STANDARDS OF INTERNAL CONTROLS
A satisfactory system of internal control shall include, but not be limited to, the following standards:
3.1 Segregation of Duties
A plan of organization that provides segregation of duties appropriate for proper safeguarding of County assets. Key duties such as authorizing, approving or recording transactions, issuing or receiving assets, making payments, and reviewing or auditing shall be assigned to separate individuals to minimize the risk of loss. A satisfactory internal control system depends largely on the elimination of opportunities to perpetrate and then conceal errors or irregularities. This in turn depends on the assignment of work in such a fashion that no one individual controls all phases of an activity or transaction.
3.2 Access to Assets
Access to County assets should be limited to authorized personnel who require these assets in the performance of their assigned duties. Access includes both direct physical access and indirect access through the preparation or processing of documents that authorize the use or disposition of resources.
3.3 Authorization, Execution, and Recording of Transactions
A system of authorization and record-keeping procedures is needed to provide effective accounting control over assets, liabilities, revenues, and expenditures. Independent evidence shall be maintained to document that authorizations are issued by persons acting within the scope of their authority and that transactions conform with the terms of the authorizations. Documentation shall provide an adequate audit trail. Transactions shall be accurate, timely, properly recorded, and properly classified. Computer system controls should be utilized to safeguard records and preserve data integrity.
3.4 Documentation of System
All departments/agencies should have an established system of policies and procedures to be followed in the performance of duties and functions. Such a system shall include, but not be limited to, documentation of internal controls, accountability for resources and recording of financial transactions, and such documentation shall be communicated and made available to all employees and auditors.
3.5 Integrity and Competent Personnel
Key personnel should have high standards of integrity, and be competent through education, training, or experience to accomplish their assigned duties.
3.6 Supervision
Qualified and continuous supervision shall be provided to assure that approved procedures are followed and are operating as intended. Lines of personal responsibility and accountability shall be clear. Supervision should be competent and continuing so as to ensure the achievement of internal control objectives.
3.7 Monitoring Controls
An effective system of internal review by both the department/agency and the Internal Audit Department should be established. Managers should take action when control deviations requiring action are noted.
3.8 Reasonable Assurance
Internal control systems shall provide reasonable, but not absolute, assurance that the internal control objectives will be achieved. This standard recognizes that the cost of internal controls should not exceed the benefits derived therefrom, and that the benefits consist of reductions in the risks of failing to achieve the stated objectives.
3.9 Supportive Attitude
Executives, managers and employees should maintain a supportive attitude towards internal controls.
3.10 Control Objectives
Control objectives are to be identified or developed for each organizational activity.
4. RESPONSIBILITIES OF DEPARTMENTS/AGENCIES AND DISTRICTS GOVERNED BY THE BOARD OF SUPERVISORS
4.1 Establish and Maintain a System or Systems of Internal Control.
4.1.1 Responsibility
Designate specific responsibility for determining that department/agency internal control systems are developed, maintained, reviewed and improved as necessary.
4.1.2 Coordination
Provide for coordination between organizational units within the department/agency and with other departments/agencies in matters concerning internal control.
4.1.3 Standards
Require each internal control system to meet the standards of internal control described in Section 3 (Standards of Internal Controls).
4.1.4 Guidelines
4.2 Determine that the System is Functioning as Prescribed and is Modified, as Appropriate, for Changes in Conditions.
4.2.1 Review
Review internal control systems on an ongoing basis to determine whether controls are operating as intended and are effective.
4.2.2 Resolution of Deficiencies Identified by Department/Agency Personnel
Provide prompt and proper resolution of deficiencies identified by department/agency personnel.
4.2.3 Resolution of Deficiencies Identified by Other Parties
Provide prompt and proper resolution of deficiencies noted during audits by the Internal Audit Department, external auditors, and/or consultants.
4.2.4 Risk Identification
On an on-going basis, identify potential risks that could hinder the department/agency from realizing management's objectives (i.e., effectiveness, efficiency, compliance with laws and regulations, and proper financial reporting) and determine how to manage those risks.
4.3 Document and Communicate the System of Internal Control to all Employees.
4.3.1 Written Policies and Procedures
Establish written policies and procedures that supplement the policies and procedures in the Auditor-Controller's County Accounting Procedures Manual, to assure intended functioning of internal control systems. These policies and procedures should set forth in writing the specific procedures to be followed, and should be communicated and made available to all employees.
4.3.2 Performance Appraisals
Reflect effectiveness in developing internal controls and in resolving and implementing appropriate audit recommendations in the performance appraisals of personnel.
5. RESPONSIBILITIES OF THE INTERNAL AUDIT DEPARTMENT
The Internal Audit Department shall assist management in the monitoring of internal controls through:
5.1 Periodic Reviews
Make periodic reviews of internal control systems including documentation and compliance to determine whether policies and standards established by a department/agency are adequate, properly implemented, and being followed.
5.2 Written Reports
Prepare written reports summarizing deficiencies in existing internal control systems accompanied by recommendations for improving those deficiencies. Distribute the reports in accordance with Audit Oversight Committee procedures.
5.3 Follow-up Audits
Conduct follow-up reviews of department/agency efforts to respond to audit findings and recommendations.
6. RESPONSIBILITIES OF THE AUDITOR-CONTROLLER DEPARTMENT
The Internal Audit Department shall assist management in the monitoring of internal controls through:
6.1 Policies
Develop and maintain County Accounting Procedures, and make them available to all departments/agencies.
6.2 Procedures
Prepare written reports summarizing deficiencies in existing internal control systems accompanied by recommendations for improving those deficiencies. Distribute the reports in accordance with Audit Oversight Committee procedures.
6.3 Systems
Develop financial accounting systems with built-in controls that safeguard and maintain the integrity of the accounting information that is submitted.