INTERNAL CONTROL STANDARDS - ACGOV.org

1 COUNTY OF ALAMEDAISSUED BY STEVE MANNINGAUDITOR-CONTROLLERJANUARY 1999 INTERNAL CONTROLSTANDARDSCOUNTY OF ALAMEDAINTERNAL CONTROL STANDARDSTABLE OF CONTROL INTERNAL INTERNAL INTERNAL INTERNAL A* CONTROL Assessment Work ProgramAPPENDIX B* INTERNAL CONTROL QuestionnaireAPPENDIX C* CONTROL Evaluation Method * Available as MS-WORD CONTROL StandardsStandards - Page 3 of main purpose of this publication is to prescribe INTERNAL CONTROL STANDARDS for alldepartments and agencies of Alameda STANDARDS will be revised from time to time to address changes in the Countycontrol secondary purpose is to provide the tools for departments and agencies toestablish and maintain these CONTROL StandardsStandards - Page 4 of ACCOUNTABILITYThe Board of Supervisors and the County elected officials are accountable to theirconstituents, State officials and the public at large in conducting the affairs of theCounty.

2 Department and agency heads are similarly accountable to the CountyAdministrator and other appointing various levels of accountability contain the same core elements, which formthe essence of public accountability:1. Effectiveness and efficiency of Compliance with applicable laws and Reliability of financial officials and County management can obtain reasonable assurance thatpublic accountability is achieved by maintaining strong INTERNAL controls within theCounty publication prescribes STANDARDS of INTERNAL CONTROL that would help to achieveadequate public publication also recommends methods to develop and maintain the optimumlevel of INTERNAL FINANCIAL REPORTSPUBLIC ACCOUNTABILITYCOMPLIANCE WITH LAWS & REGULATIONSEFFECTIVE & EFFICIENT OPERATIONSI nternal CONTROL StandardsStandards - Page 5 of CONTROL STANDARDSAn INTERNAL CONTROL helps to achieve the goal of a process without being annecessary part of the process - in much the same way as the white and

3 Yellowbands delineating freeway lanes help to keep traffic orderly without being necessaryfor CONTROL is labeled INTERNAL CONTROL to signify that it is an INTERNAL mechanism of anentity, as different from one that is imposed by another entity or external element. As a general rule, when INTERNAL CONTROL is adequate, external regulatory forces areless likely to impose external the context of the County government, INTERNAL CONTROL is any activity undertakenby County personnel that increases the degree of public accountability. In otherwords, it is any activity that increases assurance that: Operations are effective and efficient. Applicable laws and regulations are complied with. Financial reports are CONTROL can be viewed by a County department head as insurance againstthe effect of adverse operating a department, an adequate INTERNAL CONTROL structure must contain the followingfive interrelated elements:GOALI nternal CONTROL StandardsStandards - Page 6 of 12 CONTROL ENVIRONMENTRISK ASSESSMENTMONITORINGCOMMUNICATIONCONTROL PROCEDURESINTERNAL CONTROL environment: This refers to the general environment in whichemployees carry out their responsibilities.

4 It includes the ethical values setby management, management operating philosophy and style, theorganizational culture and structure. The tone set at the top pervades allother activities in the : Management should support and promote a controlenvironment that is conducive to public assessment: This is the identification and analysis of all possible risksrelevant to the achievement of management objectives: given managementobjectives, the effect of "what can go wrong" scenarios is :Management should periodically assess the riskexposures that threaten public CONTROL StandardsStandards - Page 7 of procedures: These are the policies and procedures that areestablished by management to mitigate the effect of the risks identified. These procedures include performance measurements, benchmarks,authorizations, approvals, reviews, reconciliations, verifications, restrictedaccess and segregation of :Management should establish the CONTROL procedures thatreduce the risk exposures to a level that is reasonable to aprudent and informed manager in public a minimum, the CONTROL procedures described in theInternal CONTROL Questionnaire issued by the Auditor-Controller (Appendix B) should be : Relevant information about the organization and itsoperation should be identified, captured and communicated to appropriatepersonnel to ensure that they carry out their responsibilities effectively.

5 Thisis done through meetings, memoranda, policies and procedures manuals andmanagement :Management should establish adequate informationsystems and communicate relevant information to theappropriate : The functioning of INTERNAL CONTROL should be monitored to ensureits effectiveness over time. This is accomplished through: (1) on-goingmonitoring activities such as regular review of performance results orcontinual quality assurance programs, or (2) periodic evaluations such ascontrol self-assessments, management audits and performance :Management should regularly evaluate INTERNAL CONTROL andensure its proper next four sections recommend methods for applying these CONTROL StandardsStandards - Page 8 of RISKIn order to ensure that an adequate accountability system exists in the department,management should be aware of the risk factors that threaten accountability.

6 Thoserisk factors are of three types: Factors that affect the effectiveness and efficiency of operations: poorlydefined goals, procedures based on antiquated technology, inadequate stafftraining, etc. Factors that affect compliance with laws and regulations: lack of monitoring ofnew laws, lack of enforcement policy, etc. Factors that affect the reliability of financial reports: weak audit trail, lack ofreconciliation procedure, lack of authorization procedure, method to assess the potential effect of such risk factors involves five steps:1. Identify the key operational Determine what can go wrong (risk exposures) at each step of Estimate the likelihood of the threats Estimate the potential effect of each Determine the materiality of the risk exposures based on their likelihoodand potential County department can perform risk assessment at three levels: General: Perform a quick assessment using generic tools to get ageneral feel for the risk exposures.

7 The CONTROL questionnaire in AppendixB may be used for this purpose. Specific: Perform an in-depth assessment with help from County InternalAudit staff. Expert consulting: Engage an outside expert to perform a managementaudit or review on specific areas. County Audit staff can help thedepartment to determine the specifications for such management audit the CONTROL Self-assessment Program, Auditor-Controller staff assessaccountability risk annually for the entire County based on objective data, thenrequest CONTROL self-assessments by high risk departments. The CONTROL AssessmentWork Program in Appendix A outlines such a next step after assessing risk is to design controls to mitigate CONTROL StandardsStandards - Page 9 of INTERNAL CONTROLThe purpose of an INTERNAL CONTROL is to reduce the risk exposures that threatenpublic accountability to a reasonable are four steps for designing an effective and efficient INTERNAL CONTROL :1.

8 Understand the risk to be mitigated: this is accomplished through a riskassessment as described in Section Identify the activity ( , the CONTROL ) which would reduce the risk to anacceptable Estimate the cost of implementing and maintaining the CONTROL to ensurethat it does not outweigh the expected Establish that activity as an INTERNAL CONTROL design can be approached at two levels: General: The appropriate CONTROL procedures can be selected from ageneric list such as the INTERNAL CONTROL questionnaire in Appendix B andmodified as required. Specific: CONTROL procedures are custom-designed to address the specificrisks identified in the risk assessment. Appendix C describes such CONTROL StandardsStandards - Page 10 of INTERNAL CONTROLOnce an INTERNAL CONTROL has been designed it should be implemented through : The CONTROL should be documented and communicated to allemployees and managers concerned.

9 Typically, a high level managerinforms employees of the new CONTROL through memorandum and the controlis incorporated into a policy and procedure information related to the operation of the CONTROL (such as performancemeasures, results of audits, etc.) and any subsequent modification to thecontrol should be similarly communicated to CONTROL fails most often when the proper information is notcommunicated to the appropriate : INTERNAL CONTROL deteriorates over time if not properly maintained. Therefore, management should periodically check the functioning of internalcontrol through various mechanisms such as: Continual monitoring through a quality assurance unit. Periodic "check-up" of the INTERNAL CONTROL structure through a self-assessment process facilitated by County INTERNAL Audit staff.

10 Focused reviews of specific operational areas through management auditor performance involvement of top level management in INTERNAL CONTROL matters is crucial to theeffectiveness of the INTERNAL CONTROL . Management involvement sets the tone at thetop and determines whether the CONTROL environment is conducive to the effectivefunctioning of the INTERNAL CONTROL StandardsStandards - Page 11 of 12 VII. EVALUATING INTERNAL CONTROLThe best time to evaluate INTERNAL CONTROL is when everything seems to run smoothly. The worst time is during or after a crisis. A crisis tends to distort normal perspectiveand the ensuing reaction will normally result in the installation of inefficient aspects of INTERNAL CONTROL should be evaluated:1. Is it valid, that is, would it reduce the risk identified?