Internal Control

3 Accounting

3.1 Accounting Principles and Internal Control

3.1.3 Internal Control

Purpose and definition of internal controls

3.1.3.10 Internal control refers to the means by which management runs its organization and achieves organizational objectives.

The Government Accountability Office (GAO) publishes Standards for Internal Control in the Federal Government, also known as the “Green Book,” which provides a comprehensive conceptual framework for designing, implementing and evaluating a government's system of internal control. The Green Book is not authoritative for Washington governments, but is the basis for this section of the BARS manual and represents a resource for local governments. The Green Book is compatible with similar guidance on internal control published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and is referenced in professional auditing standards and Uniform Guidance for federal grants.

3.1.3.20 Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations performance
     
  • Compliance with applicable laws and regulations and safeguarding of public resources
     
  • Reliability of financial reporting

3.1.3.30 A government's management and governing body are responsible for its performance, compliance and financial reporting. Therefore, the adequacy of internal controls is to provide reasonable assurance in achieving these objectives is also the responsibility of management, with oversight from the governing body. The governing body has ultimate responsibility for ensuring adequate controls to achieve objectives, even though primary responsibility has been delegated to management. Since management and the governing body are assumed to work in harmony, both parties are collectively referred to as “management” throughout the rest of this section.

The State Auditor's Office is not part of a local government's internal control system and cannot be a replacement or supplement to an adequate system of internal control. In accordance with Washington law, the State Auditor's Office also provides certain guidance, resources and educational materials. Such materials do not relieve management of their responsibility to evaluate the relevance of such information and decide whether and how to apply it in the context of their government. The role of the auditor is to provide independent accountability and assurance to the public and the government's stakeholders. However, this independence assurance, along with any recommendations provided by the auditor, also represents valuable feedback to management.

3.1.3.40 An effective system of internal control is composed of five interrelated components, as follows:

  1. Control environment – The tone set by management that influences the control consciousness of staff. Control environment includes communication of integrity and ethical values, commitment to ensure that staff are competent, management's philosophy and operating style, extent of participation by the governing board in scrutinizing activities and holding management accountable, and human resource practices (hiring, organization, development, evaluation, promotion and remedial action).
     
  2. Risk assessment – Management's identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be addressed or controlled. Risk assessment includes identification of internal and external risks to the achievement of objectives, such as new contracts or grants, changing regulations and accounting standards, new technology, new personnel, new or discontinued activities and programs, new or discontinued organizational policies and procedures, obsolescence of facilities, and so on. Risk assessment also includes evaluation of risks and determining how to best address them.
     
  3. Information and communication – Systems to support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities. This encompasses the organization's methods of capturing and sharing information as well as its software, including its accounting information systems.
     
  4. Control activities – Specific policies or procedures that directly address risks related to the achievement of objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities such as approvals, reviews, reconciliations, segregation of duties, performance measurement, tracking events or assets, etc.
     
  5. Monitoring – Management's review of the operation of internal controls over time. Monitoring allows the system of internal controls to be self-sustaining and self-correcting over time. Monitoring is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs during the course of operations when management observes controls and can discern whether they were effective. Separate evaluations occur when management reviews and assesses a particular control to determine if it has been effective.

3.1.3.50 Internal control should be viewed as an integral or inherent part of the policies, systems and procedures management uses to operate and oversee the organization. This is not to say effective control will never require additional or incremental effort. Rather, controls exist to provide reasonable assurance about the achievement of objectives and so should be integrated into all the organization's fundamental business processes. Controls are normally most effective when built into the government's infrastructure rather than being treated as supplemental or separate processes. In the same way, implementation and monitoring of internal controls should not be viewed as a singular event, but rather a continuous or iterative process.

3.1.3.60 Since internal control is as fundamental as the objectives the controls relate to, the need for effective control is applicable to all organizations, regardless of size. While small entities may implement internal controls differently than larger ones, effective internal control is still both necessary and possible.

Determining what specific controls to implement

3.1.3.70 It is a management decision as to what specific controls to implement and how such controls are designed and operated.

3.1.3.80 There are many ways to attain effective internal control. Governments and their control needs vary considerably by statutory purpose, regulations, activities and programs, size, organizational structure, contractual and program structures, technology and information systems, expertise of staff and the policies of the governing body. In addition, there are often many different methods or combinations of methods that would result in effective internal control for any given situation. Thus, while all entities should have effective internal control, the specific controls in place may look very different from one government to another.

3.1.3.90 When choosing among different methods of achieving effective control, management often considers the costs and benefits of different control options.

  • Costs - Certain controls may be less costly or require less staff resources , or may allow the process to operate faster.
     
  • Effect on other control or policy objectives – Certain controls may be able to achieve multiple objectives or may also serve to support the organization's values or operating principles.
     
  • Organizational limitations - Control options may be limited by organizational or program policy or structure, expertise of staff, software limitations and other decisions made by management. However, if such factors limit options for effective control to only those that management believes are infeasible or not cost effective, management should consider how it might change the limiting factors rather than ignore the need for effective control.

3.1.3.100 The Washington State Auditor's Office does not require specific controls to be implemented by governments. Management is only required to ensure that whatever controls they choose to implement be adequate to provide reasonable assurance regarding compliance and financial reporting risks. The burden of demonstrating the adequacy of internal controls rests on management, since management is responsible both for the achievement of objectives and the determination of the design and operation of controls.

Controls over compliance

3.1.3.110 This objective refers to compliance with laws, regulations, contracts, grant agreements and government policies, including the requirement to safeguard public resources against misappropriation, misuse and loss.

3.1.3.120 In meeting this objective, the government should have controls that accomplish the following key functions:

  • Identification of requirements – Controls should ensure that requirements are identified and that employees whose actions may affect compliance are aware of applicable requirements. When statutory, regulatory or contractual provisions are unclear, the government should seek clarification through legal counsel, research or communication with regulatory agencies or contracting parties.
     
  • Compliance – Controls should prevent non-compliance or detect non-compliance in a timely enough manner for the government to remedy the situation. Such controls vary greatly, depending on the nature of the compliance requirement.
     
  • Safeguarding of public resources – Controls should prevent misappropriation or misuse of public resources or detect misappropriation or misuse in a timely manner and assign responsibility to individuals charged with custody of assets. Such controls should cover all receipts and receivables, expenditures and commitments, provisions of goods or services and the safekeeping of all public assets at risk of misappropriation, misuse or loss.

Controls over financial reporting

3.1.3.140 This objective refers to fair presentation of financial statements and required schedules in all material respects in accordance with the stated basis of accounting.

3.1.3.150 In meeting this objective, the government should have controls that accomplish the following key functions:

1. Identification of financial events – Controls should ensure financial events and transactions are properly identified and recorded.

2. Properly applying accounting standards – Controls should ensure correct criteria and methodology is applied when accounting for financial events. When the correct method of accounting for or reporting a transaction is unclear, the government should seek clarification by performing research, contracting for accounting assistance, or communicating with the State Auditor's Office or standard setting bodies.

3. Correctly accounting for all financial events – Controls should ensure that:

  • Only valid transactions are recorded and reported.
  • All transactions occurred during the period are recorded and reported.
  • Transactions are recorded and reported at properly valued and calculated amounts.
  • Recorded and reported transactions accurately reflect legal rights and obligations.
  • Transactions are recorded and reported in the account and fund to which they apply.

4. Preparation of the annual report – Controls should ensure that financial statements and required schedules are properly compiled and prepared from source accounting records. Controls should also ensure correct presentation of statements and schedules.

Limitations of internal control

3.1.3.170 No matter how well designed and operated, internal controls cannot provide absolute assurance that the government will achieve its objectives due to inherent limitations. These limitations include the following:

  • Judgment – If controls depend on human judgment, the effectiveness of controls may be limited by the experience and qualifications, time available, information available, motivations, and pressures on the person applying the control. Moreover, differences in these factors over time and in different people applying the control may result in inconsistencies in the operation of the control. This limitation, when applicable, can be mitigated through a good control environment, clear policies or instructions, redundant controls, supporting controls such as check figures or exception reports and adequate monitoring of controls.
     
  • Breakdowns – Breakdowns could occur due to changes, failure or obsolesce of data, technology, assumptions, procedures, programming or other dependencies that controls may rely upon for effective functioning. This limitation, when applicable, can be mitigated by thorough risk assessment, redundant controls and adequate monitoring of controls.
     
  • Collusion – Many controls assume that employees (or certain employees) will not collude. When individuals act together, they may be able to overcome controls. This is typically only a risk when employees have a motivation to overcome controls, such as misappropriation or misuse of public resources. This limitation, when applicable, can be mitigated by a good control environment, redundant controls and adequate monitoring of controls. Control override – Personnel with responsibility to resolve issues identified by controls may decide to ignore or override prescribed policies or procedures. This limitation, when applicable, can be mitigated by a good control environment and adequate monitoring of controls.
     
  • Control override – Personnel with responsibility to resolve issues identified by controls may decide to ignore or override prescribed policies or procedures. This limitation, when applicable, can be mitigated by a good control environment and adequate monitoring of controls.
     
  • Mistakes – Although internal controls may be designed in such a way as to reduce the likelihood of mistakes, is it always possible that a mistake may be made. This limitation can be mitigated by a good control environment, redundant controls, automated controls, supporting controls such as check-figures or exception reports, and adequate monitoring of controls.
     
  • Unforeseen circumstances – Controls may operate incorrectly when faced with unforeseen situations or permutations. This limitation can be mitigated by thorough risk assessment and adequate monitoring of controls.
     
  • External factors – Achievement of operational performance objectives (efficiency and effectiveness) may depend on factors outside of the government's control, such as regulation, resource limitations, environmental changes, decisions made by service recipients or stakeholders, actions of key suppliers, customers or program partners, etc. This limitation can be mitigated by thorough risk assessment.

3.1.3.180 Although controls are not an absolute guarantee of success, effective internal controls are expected to consistently and reliably achieve objectives, year after year. However, even well-designed controls have a remote possibility of failure. This possibility increases with the number and primacy of external factors, as is often the case for performance objectives.

3.1.3.190 Ultimately, providing reasonable assurance of achieving compliance and financial reporting objectives is within the government's control and depends primarily on how well controls are designed and operated. Achievement of operational performance objectives also depends in large part on effective internal controls. By implementing effective controls a government can have reasonable assurance that it is doing all it can to meet its objectives.