The Internal Control Guidebook


Page 1: The Internal Control Guidebook

Montana Operations Manual (MOM) Volume II Chapter 9900 The Internal Control Guidebook Effective 12/1/2007

2-9900 THE INTERNAL CONTROL GUIDEBOOK

1 INTRODUCTION............................................................................................6

1.1 Preface....................................................................................................................6

1.2 Acknowledgements................................................................................................6

2 INTERNAL CONTROLS – WHO NEEDS THEM?.........................................7

2.1 Role of the DofA State Accounting Division.......................................................7

2.2 Management’s responsibilities.............................................................................7

2.3 What is internal control over financial reporting?.............................................8

2.4 Why do we need internal controls?......................................9

2.4.1 Accountability......................................9

2.4.2 Encourage sound financial management practices......................................9

2.4.3 Facilitate preparation for audits......................................10

2.4.4 Fraud prevention......................................10

2.5 Effect of information technology on internal control.......................................10

2.6 Limitations of internal control...........................................................................10

3 THE FIVE HORSEMEN OF INTERNAL CONTROL....................................12

3.1 Control environment...........................................................................................12

3.2 Risk assessment......................................13

3.2.1 Periods of change......................................13

3.2.2 Inherent risks......................................14

3.2.3 Evaluate identified risks......................................14

3.3 Control activities..................................................................................................15

3.4 Information and communication.......................................................................15

3.5 Monitoring............................................................................................................16

4 ACTIVITIES FOR THE CONTROLLING MIND...........................................17

4.1 Transaction processing errors and frauds........................................................17

4.2 Control methods and techniques........................................................................18

9900-1


4.2.1 Segregation of duties......................................18

4.2.2 Access controls......................................19

4.2.3 Periodic reconciliations......................................20

4.2.4 Periodic performance comparisons......................................20

4.2.5 Authority......................................20

4.2.6 Documentation control......................................21

4.2.7 Supervision......................................21

5 ALL SYSTEMS GO......................................................................................23

5.1 Potential benefits of using IT in the financial reporting process....................23

5.2 Potential risks of using IT in the financial reporting process..........................23

5.3 General controls versus application controls......................................24

5.3.1 General controls......................................24

5.3.2 Application controls......................................24

5.4 The role of the IT specialist.................................................................................25

6 “THE PLAN”................................................................................................26

6.1 An internal control evaluation and monitoring plan......................................26

6.1.1 Identify who does what......................................26

6.1.2 Determine what to evaluate......................................27

6.1.3 Document the transaction processing cycles......................................27

6.1.4 Test the controls......................................28

6.1.5 Evaluate findings and report the results......................................28

6.1.6 Continuous monitoring......................................28

7 TESTING, TESTING, 1-2-3..........................................................................30

7.1 Entity-level tests......................................30

7.1.1 Document review......................................30

7.1.1.1 Governance documents......................................30

7.1.1.2 Code of conduct......................................30

7.1.1.3 Other documentation......................................30

7.2 Surveys and inquiries......................................31

7.2.1 Employee surveys......................................31

7.2.2 Management inquiries......................................32

7.3 General computer controls......................................32

7.3.1 Activity-level tests......................................32

7.4 Using focus groups......................................33

7.4.1 Observation......................................34


7.4.2 Re-performing control procedures......................................34

7.4.3 Reconciliations......................................34

7.4.4 Application controls......................................35

7.4.5 Summary......................................35

8 THE BOTTOM LINE....................................................................................36

8.1 Judging the severity of internal control deficiencies......................................36

8.1.1 Likelihood of misstatement......................................36

8.1.2 Magnitude of misstatement......................................37

8.1.3 Strong indicators of a significant weakness......................................37

8.1.4 Strong indicators of a material weakness......................................37

8.2 Reporting guidelines............................................................................................38

9 REFERENCES.............................................................................................39

10 APPENDIX A – LEVELS OF SYSTEM ACCESS AND POTENTIAL RISKS.....................................................................................................................40

11 APPENDIX B – IT GENERAL CONTROL OBJECTIVES FOR FINANCIAL REPORTING................................................................................................41

12 APPENDIX C – IT APPLICATION CONTROL OBJECTIVES FOR FINANCIAL REPORTING............................................................................49

13 APPENDIX D – A MODEL INTERNAL CONTROL PLAN..........................56

13.1 Introduction and background information......................................56

13.1.1 Introduction......................................56

13.1.2 General information......................................56

13.1.2.1 Agency mission......................................56

13.1.2.2 Statutory references (Montana revised statutes):......................................56

13.1.2.3 Executive staff......................................57

13.1.2.4 Designated internal control officer......................................57

13.1.2.5 Other internal control contacts/team members [name of individual], chief fiscal officer, financial services......................................57

13.1.3 Organization chart......................................57

13.2 Management’s key internal control concepts......................................57

13.2.1 Concept 1: Risk assessments should be conducted......................................57

13.2.2 Concept 2: Internal control plan should be documented and communicated......................................58

13.2.3 Concept 3: Duties should be segregated......................................58

13.2.4 Concept 4: Internal control systems should be supervised......................................59

13.2.5 Concept 5: Transactions should be documented......................................59


13.2.6 Concept 6: Transactions should be authorized......................................60

13.2.7 Concept 7: Access to resources should be controlled......................................60

13.2.7.1 Access to physical resources......................................61

13.2.7.2 Access to monetary resources......................................61

13.2.7.3 Access to personnel......................................62

13.2.7.4 Access to information......................................62

13.2.8 Concept 8: Employees must adhere to the agency’s code of conduct......................................62

13.2.8.1 Office of Internal Affairs or similar organization......................................62

13.2.8.2 Code of conduct......................................63

13.2.8.3 Office of Internal Audit Services......................................63

13.3 Transaction cycles......................................63

13.3.1 Expenditure cycle......................................63

13.3.1.1 Overriding control objectives......................................63

13.3.1.2 Applicable statutes, rules, policies, and procedure manuals......................................64

13.3.1.3 Automated information systems in use......................................64

13.3.1.4 Key reports......................................64

13.3.1.5 Questions for determining risk......................................65

13.3.1.6 Questions the approving officer should answer......................................65

13.3.1.7 Documentation......................................65

13.3.2 Revenue cycle......................................69

13.3.2.1 Overriding control objectives......................................69

13.3.2.2 Applicable statutes, rules, policies, and procedure manuals......................................70

13.3.2.3 Automated information systems in use......................................70

13.3.2.4 Key reports......................................70

13.3.2.5 Questions for determining risk......................................71

13.3.2.6 Documentation......................................72

13.3.3 Payroll cycle......................................81

13.3.3.1 Overriding control objectives......................................81

13.3.3.2 Applicable statutes, rules, policies, and procedures......................................81

13.3.3.3 Automated information systems in use......................................81

13.3.3.4 Key reports......................................81

13.3.3.5 Questions for determining risk......................................82

13.3.3.6 Documentation......................................84

14 APPENDIX E – EXAMPLE EMPLOYEES SURVEY ON AGENCY CULTURE AND PERSONNEL POLICIES..................................................90

15 APPENDIX F – EXAMPLE OF MANAGEMENT INQUIRIES REGARDING ENTITY LEVEL CONTROLS.......................................................................92

16 APPENDIX G – EXAMPLE QUESTIONS FOR INDIVIDUALS OR FOCUS GROUPS......................................................................................................95


17 INTERNAL CONTROLS OVER FINANCIAL REPORTING – SELF-ASSESSMENT TOOLS...............................................................................97

18 SAMPLE INTERNAL CONTROL CHECKLISTS.......................................122

18.1 Sample self-assessment questions......................................122

18.1.1 Purpose......................................122

18.1.2 Commitment......................................122

18.1.3 Capability......................................122

18.1.4 Monitoring and learning......................................123


1 Introduction

1.1 Preface

The Internal Control Guidebook was developed based on the principle that the effectiveness of internal control depends on how well employees perform their control-related responsibilities. Because every individual in an organization has some role affecting internal control, one objective of the Guidebook is to help managers and employees better understand the elements of their jobs that contribute to the internal control structure and to improve their performance.

The second tenet of this Guidebook is the belief that, given the proper tools, agency personnel can conduct their own internal control review. Contained in the appendices to the Guidebook are a variety of hands-on tools that can be used right now, starting today, to conduct an internal control assessment.

The material contained in the Guidebook is comprehensive. However, it is not a textbook and it does not address every potential control weakness or deficiency that may exist in an agency’s internal control system. Instead, the Guidebook should be considered a living document that will be added to and modified in the months and years ahead. In fact, agencies are encouraged to adapt the query tools, flowcharts, and Model Plan to fit their specific circumstances.

The Department of Administration (DofA) State Accounting Division is always interested in hearing feedback from its customers. Please send any comments or suggestions to mailto:[email protected] or mailto:[email protected] or fax to (406) 444-2812.

1.2 Acknowledgements

We would like to acknowledge the Oregon State Controller’s Division for allowing us to adapt their manual for the State of Montana’s use. We would also like to acknowledge the Commonwealth of Massachusetts, whose internet resources, and Mr. Michael Ramos, whose book entitled How to Comply with Sarbanes-Oxley Section 404 – Assessing the Effectiveness of Internal Control, were used extensively in developing this Guidebook and the related appendices. We would also like to thank Linda Atkins of the Montana Environmental Quality Department for her assistance in editing, proofing and adding information to this manual.


2 Internal controls – who needs them?

2.1 Role of the DofA State Accounting Division

MCA 17-1-102 states that the Department of Administration (DofA) shall establish a system of financial control so that the functioning of the various agencies of the state may be improved, duplications of work by different state agencies and employees may be eliminated, public service may be improved, and the cost of government may be improved. This law further states that the department shall prescribe and install a uniform accounting and reporting system for all state agencies and institutions, reporting the receipt, use and disposition of all public money and property in accordance with generally accepted accounting principles.

Within DofA, the State Accounting Division (SAD) has primary responsibility for carrying out these directives. In particular, SAD is responsible for providing reliable and efficient statewide accounting systems, protecting the accuracy and integrity of statewide financial information, and promoting fiscal accountability, compliance and sound financial management. SAD communicates its support of these objectives through publication of the Montana Operations Manual Volume II (MOM II) and various Management Memorandums. The policies and procedures contained in the MOM II are intended to enhance internal controls and promote financial discipline. Appropriately, the focus of this document is the applicability of MOM II 2-0250.00, Internal Controls.

2.2 Management’s responsibilities

Management is responsible for establishing and maintaining agency internal controls. Essentially, internal control is defined as a coordinated set of policies and procedures used by managers and line workers to ensure that their agencies, programs, or functions operate efficiently and effectively in conformance with applicable laws and regulations, and that the related transactions are accurate, properly recorded and executed in accordance with management’s directives.

Throughout the year, management is expected to conduct reviews, tests and analyses of internal controls to ensure their proper operation. Agency management is responsible for the extent of the efficiency and effectiveness of internal controls, as well as any deficiencies. When weaknesses are identified, including any internal or external audit findings, a plan and schedule for corrective action should be prepared.

The purpose of this Guidebook is to provide a tool that agencies can use in performing internal control evaluations. The Guidebook is consistent with the internal control model developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

The COSO framework is well accepted by accounting authorities and professionals and identifies three categories of internal control objectives:

- Efficiency and effectiveness of operations
- Financial reporting
- Compliance with laws and regulations

Although an agency’s internal control plan may address objectives in each of these categories, not all of the objectives and related controls are relevant to financial reporting. Generally, the focus is on internal control objectives and activities that pertain to financial reporting. However, since some controls may achieve objectives in more than one category, all controls that could materially affect financial reporting shall be considered for purposes of this Guidebook as part of internal control over financial reporting.

Because agencies in state government vary in size, complexity, and degree of centralization, no single method of internal controls is universally applicable. This Guidebook provides a general framework. It is management’s responsibility to develop the detailed internal control policies, procedures, and practices that best fit each agency’s business needs.

2.3 What is internal control over financial reporting?

For purposes of this document, internal control over financial reporting is defined as follows [1]:

Internal Control Over Financial Reporting

Internal control over financial reporting is defined as a process designed by, or under the supervision of, the entity’s principal executive and principal financial officers, or persons performing similar functions, and effected by the entity’s governing board, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles, and includes those policies and procedures that:

1. Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the entity;

2. Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the entity are being made only in accordance with authorizations of management and directors of the entity; and

3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the entity’s assets that could have a material effect on the financial statements.

This definition reflects certain fundamental concepts:

- Internal control is a process. It is a means to an end, not an end in itself.
- People are what make internal control work. Internal control is not just the policies and procedures contained in an accounting manual. Personnel play an important role in making internal control happen.
- No matter how well designed and operated, internal control can provide only reasonable (not absolute) assurance that all agency objectives will be met.

When designing and implementing internal control activities, managers should consider the following four basic principles:

[1] This definition was adapted from the definition of internal control set forth in Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements, March 9, 2004.


- Internal control should benefit, rather than hinder, the organization. Internal control policies and procedures are not intended to limit or interfere with an agency’s duly granted authority related to legislation, rule-making or other discretionary policy-making.
- Internal control should make sense within each agency’s unique operating environment.
- Internal control is not a set of stand-alone practices. Internal control is woven into the day-to-day responsibilities of managers and their staff.
- Internal control should be cost effective.

Internal control is not a separate, static system. Instead, it should be viewed as a continuous series of actions and activities that are interwoven throughout an entity’s operations. In a sense, internal control is management control built into the entity as part of its infrastructure to help managers run the entity and achieve their goals on an ongoing basis.

2.4 Why do we need internal controls?

2.4.1 Accountability

Agency managers are responsible for managing the resources entrusted to them to carry out government programs. A major factor in fulfilling this responsibility is ensuring that adequate controls exist. Adequate internal controls allow managers to delegate responsibilities to subordinate staff and contractors with reasonable assurance that what they expect will happen, actually does.

The concept of accountability is intrinsic to the governing process. Public officials, legislators, and taxpayers are entitled to know whether government funds are handled properly and in compliance with applicable laws and regulations. They need to know whether government organizations, programs, and services are achieving the objectives for which they were authorized and funded. A key factor in achieving these objectives and minimizing operational problems is the implementation of appropriate internal control.

2.4.2 Encourage sound financial management practices

Management’s role is to provide the leadership that an agency needs to achieve its goals and objectives. Part of that responsibility encompasses establishing internal control policies and procedures designed to safeguard agency assets, check the accuracy and reliability of financial data, promote operational efficiency, and encourage adherence to prescribed managerial policies and compliance with applicable laws and regulations. The exact plan of internal control will depend, in part, on management’s estimation and judgment of the benefits and related costs of control procedures, as well as on available resources.

Effective internal control helps managers cope with shifting environments and evolving demands and priorities. As programs change and as agencies strive to improve operational processes and implement new technologies, management must continually evaluate its internal control to ensure that the control activities being used are effective and updated when necessary.

2.4.3 Facilitate preparation for audits

Each agency is periodically subject to audit by the Legislative Audit Division, federal auditors and, in some cases, internal auditors. These audits are conducted to ensure the following:


- Public funds are administered and expended in compliance with applicable laws and regulations;
- Agency programs are achieving the objectives for which they were authorized and funded;
- Programs are managed economically and efficiently;
- Financial statements accurately represent the financial position of the State of Montana; and
- Information system controls exist and provide a reasonable basis for relying on system results.

Only in rare instances, where audit procedures are developed to accomplish very limited objectives, will an audit not include an assessment of an agency’s system of internal control.

2.4.4 Fraud prevention

Managers are accountable for the adequacy of the internal control systems in their agencies. Weak or insufficient internal controls may result in audit findings and, more importantly, can lead to theft, shortages, operational inefficiency, or a breakdown in the control structure.

2.5 Effect of information technology on internal control [2]

The use of information technology (IT) affects the fundamental manner in which transactions are initiated, recorded, processed, and reported. In a manual system, an entity uses manual procedures to record transactions in a paper format. Internal controls are also manual and may include such procedures as approvals and reviews of activities, reconciliations and follow-up of reconciling items.

Alternatively, computerized information systems use automated procedures to initiate, record, process and report transactions. As a result, records are stored in electronic formats that may replace paper documents. Controls for computerized systems generally consist of a combination of automated controls (e.g., controls embedded in the computer programs) and manual controls. The manual controls may be independent of IT; they may use information produced by IT; or they may be limited to monitoring the information systems and automated controls and handling exceptions. The mix of manual and automated controls will vary with the nature and complexity of an entity’s use of IT.

2.6 Limitations of internal control

Internal controls, no matter how well designed and operated, can provide only reasonable assurance to management regarding the achievement of an entity's objectives, the reliability of reports, and compliance with laws and regulations. Certain limitations are inherent in all internal control systems.

Cost will prevent management from installing an ideal system and, for this reason, management will choose to take certain risks because the cost of preventing such risks cannot be justified. In addition, more is not necessarily better in the case of internal controls. Not only does the cost of excessive or redundant controls exceed the benefits, but a negative perception may also result. If employees consider internal controls to be “red tape,” this viewpoint can adversely affect their regard for internal controls in general.

[2] This subsection on the effect of IT on internal control was adapted from AICPA Professional Standards, AU Section 319.17, Consideration of Internal Control in a Financial Statement Audit.


A second limitation to internal control is the reality that the process is subject to human judgment which can be faulty. Breakdowns can also occur because of simple errors or mistakes. Management may fail to anticipate certain risks and, thus, does not design and implement appropriate controls. Controls can also be circumvented by the collusion of two or more people and/or by management’s improper override of the system.

These limitations apply to information technology (IT) as well. For example, errors may occur in designing, maintaining, or monitoring automated controls. If an organization’s IT personnel do not completely understand how an order entry system processes sales transactions, they may erroneously design changes to the system that impact the wrong product line. Conversely, these changes may be correctly designed but misunderstood by the people responsible for translating the design into program code. Errors also occur in the use of information produced by IT. Automated controls may be designed to report transactions over a specified dollar limit for management review. However, if individuals responsible for the review do not understand the purpose of the reports, they may fail to review them and, as a result, will fail to investigate unusual items. [3]

"Ninety-nine percent of all surprises in business are negative."

-- Harold Geneen

[3] The discussion on the limitations of IT controls was adapted from AICPA Professional Standards, AU Section 319.21, Consideration of Internal Control in a Financial Statement Audit.


3 The five horsemen of internal control

Each agency's and each business unit’s internal controls and internal control plan will be unique; however, the internal control components set forth in this chapter should be incorporated into all systems of internal control. Using the COSO model, referred to in Chapter One, the internal control process can be broken down into five interrelated components that are derived from and integrated with the management process. These five components, which are the necessary foundation for an effective internal control system, include: [4]

- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring

3.1 Control environment

The control environment of a state agency sets the tone of the organization and influences the effectiveness of internal controls within the agency. The control environment is an intangible factor. Yet, it is the foundation for all other components of internal control, providing discipline and structure and encompassing both technical competence and ethical commitment. Managers must evaluate the internal control environment in their own business unit and agency as the first step in the process of analyzing internal controls. Many factors determine the control environment, including the following:

Management’s attitude, actions, and values set the tone of an organization, influencing the control consciousness of its people. Internal controls are likely to function well if management believes that those controls are important and communicates that view to employees at all levels through policy statements, codes of conduct and by behavioral example.

Management demonstrates a positive attitude toward internal control by providing appropriate training and including internal control in performance evaluations, discussing internal controls at management and staff meetings, and by rewarding employees for good internal control practices. Management supports good internal controls by emphasizing the value of internal auditing and being responsive to information developed through internal and external audits.

Commitment to competence includes a commitment to hire, train, and retain qualified staff. Managers should be required to comply with established personnel policies and practices. Hiring and staffing decisions should include pertinent verification of education and experience and, once on the job, the employee should be given the necessary formal and on-the-job training. Management should identify the knowledge and skills required for various jobs and provide needed training, as well as candid and constructive counseling and performance appraisals.

Assignment of authority and responsibility. This factor includes management’s responsibility for defining key areas of authority and responsibility and establishing appropriate lines of reporting. Management should provide policies and direct communications so that all personnel understand the agency’s objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable.

[4] The information presented in this chapter is based on the principles set forth in Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission (COSO), American Institute of Certified Public Accountants, USA, 1992.

In addition to organizational hierarchies, a proper segregation of duties is a necessary condition to make control procedures effective. Management should ensure adequate separation of the following responsibilities: authorization of transactions, recording of transactions, custody of assets, and periodic reconciliation of existing assets to recorded amounts.

Advisory board participation. The involvement of an agency’s governing board in a review of internal controls and audit activities can be a positive influence on the agency’s control environment.

3.2 Risk assessment

Organizations exist to achieve some purpose or goal. Goals, because they tend to be broad, are usually divided into specific targets known as objectives. A risk is anything that endangers the achievement of an objective.

Risk assessment, the second internal control component, is the process used to identify, analyze, and manage potential risks. Risk identification methods may include qualitative and quantitative ranking activities, management conferences, forecasting and strategic planning, and consideration of previous audit findings. In attempting to identify risk, managers need to ask the following two questions:

- What could go wrong?
- What assets do we need to protect?

Over the course of time, situations can occur which prevent a business unit or an agency from fulfilling its responsibilities and meeting its goals. Because of this possibility, successful managers continually identify and analyze potential risks to their organizations. When beginning a risk assessment, managers should start by analyzing the two circumstances most likely to create problems: change and inherent risk.

3.2.1 Periods of change

The risk that objectives will not be achieved increases dramatically during a time of change. Some examples of circumstances that expose an agency to increased risk are listed below:

- Changes in management responsibilities
- Disruption of information systems processing due to new or revamped systems
- Rapid growth and/or new technology
- New programs or services
- Re-engineering agency operating processes
- Downsizing agency operations
- Early retirements that reduce workforce and knowledge base


3.2.2 Inherent risks

The second risk category involves activities which, due to their nature, have a greater potential for loss from fraud, waste, unauthorized use, or misappropriation. Cash handling, for example, has a much higher inherent risk for theft than data entry activities do.

Other examples of activities where inherent risk is high include the following:

Situations and systems that involve great complexity increase the risk that a program or activity will not operate properly or comply fully with applicable regulations.

Third party beneficiaries are more likely to fraudulently attempt to obtain benefits when those benefits are similar to cash.

Decentralization increases the likelihood that problems will occur. However, a problem in a centralized system may be more serious than a problem in a decentralized system because, if a problem does exist, it could affect the entire agency.

A prior record of control weaknesses often indicates a higher level of risk because bad situations tend to repeat themselves.

A lack of corrective actions in response to control weaknesses identified in prior audits often indicates that future problems are likely to occur.

3.2.3 Evaluate identified risks

One way to approach the risk assessment process is to first identify the agency’s event cycles. In the context of internal control, a cycle can be defined as a group of interrelated processes used to initiate and perform an activity. Event cycles can be programmatic or financial. Programs usually contain several event cycles. For example, a human services program might include the following five cycles: outreach, eligibility determination, record keeping, service delivery and monitoring.

The focus of this Guidebook is on financial cycles. Most financial activities fall into two broad categories: activities related to the expenditure cycle and activities related to the revenue cycle. Each of these major cycles contains various sub-cycles. For example, the expenditure cycle may be further broken down into purchasing and receiving, accounts payable and disbursements, travel expense reimbursements, grants and cash advances. Other financial cycles include inventory, fixed assets and payroll. Because of the significant role that information technology systems play in the initiation, recording, processing and reporting of financial transactions, agencies may choose to evaluate controls over automated processing separately.

Once potential risks are identified, they should be analyzed for their possible effect. Start with the following questions:

- How important is this risk?
- How likely is it that this risk will occur?
- How large is the dollar amount involved?
- To what extent does the risk potential of one activity affect other activities?
- Are existing controls (policies and procedures) sufficient to manage this risk?
- To what degree are secondary controls in place?

This evaluation can then be used to rank problem areas and to prioritize internal control efforts. Remember that a moderate loss that is likely to occur may pose as much danger as a more serious loss that is less likely to occur. In addition, agencies should recognize that absolute assurance is generally not achievable; it would be prohibitively expensive and impede productivity. For example, it would not be considered prudent to spend $50 to safeguard a $10 carton of pens. On the other hand, spending $50 to safeguard computer equipment costing $5,000 might be reasonable.

3.3 Control activities

Once managers identify and assess risks, the next step is to develop methods to minimize the risks. These methods are referred to collectively as control activities, the third component of internal control. By control activities, we mean the policies, procedures, techniques, and mechanisms that enforce management’s directives. Control activities occur at all levels and functions. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, security measures, and the creation and maintenance of appropriate documentation. In short, these activities represent basic management practices.

Managers should be careful to avoid excessive control which can be just as harmful as excessive risk. Unnecessary controls can result in increased bureaucracy and reduced productivity. When a problem arises, before implementing a new policy or procedure, managers should make sure that a relevant policy does not already exist that just needs to be enforced.

Section 4 presents a detailed discussion of the control methods and techniques managers commonly use in developing their own specific policies and procedures.

3.4 Information and communication

An agency’s control structure must provide for the identification, capture and exchange of information both within the agency and with external parties. For example, management relies on the information system, including the accounting system, for reporting on agency or program activities to the Legislature, oversight agencies, and federal grantors. Accurate information communicated in a timely manner is, therefore, the focus of the fourth component of internal control.

Within the organization, communication must be up, as well as down. Supervisors must communicate duties and responsibilities to their staff. Staff and middle management must be able to alert upper management to potential problems. Administrative and program staff must communicate requirements and expectations to each other. Well-designed internal controls outline the specific authority and responsibility of individual employees in carrying out their day-to-day activities. They also serve as a point of reference for employees seeking guidance when unusual situations arise.

Sending information electronically allows management to immediately distribute new procedures and other information to a large staff. Agencies should consider conducting in-house training sessions upon releasing new or revised internal control policies and procedures. Internal control concepts should be emphasized as a part of the orientation for new employees. Managers should reinforce policies and procedures through their own actions and words.

Effective communication also encourages employee involvement. Agencies should consider establishing a process that supports recommendations from employees for quality improvement and acknowledges good suggestions with meaningful recognition. Employees should also feel they can report suspected improprieties without fear of reprisal and that their anonymity and confidentiality will be respected.


3.5 Monitoring

After risks have been identified, policies and procedures put into place and information on control activities communicated, managers must implement the fifth component of internal control, monitoring. Monitoring assesses the quality of internal controls over time, making adjustments as necessary. Like the other four components, monitoring is a basic management practice that involves activities such as performance evaluations; ongoing supervisory activities, reviews and analyses; and independent evaluations of internal controls performed by management or other parties outside of the process. Proper monitoring ensures that controls continue to be adequate and to function properly.

Monitoring allows a manager to identify whether controls are being followed before problems occur. For example, a business unit’s internal control plan may identify situations where cross-training is required. If the manager does not monitor the plan to ensure that cross-training occurs on a regular basis, he or she may discover too late that the back-up staff will not be able to handle the operations when circumstances change.

The monitoring process should also include policies and procedures designed to ensure that the findings of audits and other reviews are promptly resolved. Managers should determine the proper remedies in response to audit findings and complete, within established time frames, all actions needed to correct identified deficiencies.

"To solve big problems you have to be willing to do unpopular things."

-- Lee Iacocca


4 Activities for the controlling mind

Control activities help ensure that management directives are carried out. They include (1) performance reviews, such as an analysis and follow-up of budget variances; (2) transaction processing controls, including approvals, verifications and reconciliations; (3) physical controls designed to ensure safeguarding and security of assets and records; and (4) segregation of duties designed to reduce opportunities for a person to be in a position to perpetrate and conceal errors and frauds when performing normal duties.

4.1 Transaction processing errors and frauds

Control activities (both computerized and manual) are imposed on the accounting system for the purpose of preventing and detecting errors and frauds that might enter and flow through to the financial statements.

Seven Categories of Errors and Frauds

1. Invalid transactions are recorded: Fictitious revenue transactions are recorded and charged to nonexistent customers. Fictitious expenditure transactions are recorded and paid to existing or nonexistent vendors.

2. Valid transactions are omitted from the accounts: Shipments of merchandise to customers are not recorded.

3. Unauthorized transactions are executed and recorded: A customer’s order is not approved for credit, yet the goods are shipped and/or the service is provided.

4. Transaction amounts are inaccurate: A customer is billed and the sale is recorded in the wrong amount because the quantity shipped and quantity billed are not the same and the unit price is for a different product.

5. Transactions are classified in the wrong accounts: Expenditures for capital acquisitions are coded and charged to an operating supplies object.

6. Transaction accounting and posting is incorrect: Sales are posted in total to the accounts receivable GL control account, but not all of them are posted to the individual customer account records in the subsidiary ledger.

7. Transactions are recorded in the wrong period: Purchases made in one fiscal year (June) are recorded as expenditures in the next fiscal year when the invoice is received (July). Revenues attributable to July are recorded as transactions occurring in June.

Management’s task is to design control activities that prevent, detect and correct these potential errors and frauds. Front-end, or preventive, controls are performed before an action takes place. For example, a supervisor or manager must approve an invoice before it is processed for payment. Back-end, or detective, controls examine transactions after they have been processed to ensure they are appropriate. An example would be the month-end reconciliation of cash account balances to the bank statement to ensure that all payments have been recorded. Sometimes, the existence of detective controls can also serve to prevent irregularities. An individual tempted to use agency funds inappropriately may be deterred by the knowledge that the bank account is regularly reconciled.
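A back-end (detective) pass over a posting batch, written as an added example that is not from the Guidebook: each check corresponds to one of the error and fraud categories listed above. The record layout, master files, $5,000 capitalization threshold, June 30 fiscal year end and all names are assumptions made for the example.

```python
"""Detective checks for the transaction error and fraud categories that
section 4.1 lists, run over a constructed posting batch. Added example, not
part of the Guidebook; the record layout, master files, capitalization
threshold and sample data are all constructed for illustration."""
from datetime import date

# Constructed master files and policy values.
CUSTOMERS = {"C1", "C2"}
VENDORS = {"V100", "V200"}
PRICE_LIST = {"P1": 12.50, "P2": 1800.00}  # product -> approved unit price
CAPITAL_THRESHOLD = 5000.00                 # at or above, code to the capital object

def fiscal_year(d):
    """Fiscal year containing d; the year ends June 30, as in the Guidebook's June/July example."""
    return d.year + 1 if d.month >= 7 else d.year

def same(a, b):
    """Currency comparison tolerant of float rounding."""
    return abs(a - b) < 0.005

def check_batch(transactions, shipments, subsidiary_postings):
    """Return sorted (category, record_id, detail) findings for one batch.
    transactions: dicts with id, kind ("sale"/"expenditure"), party, product, quantity,
    unit_price, amount, object_code, txn_date, posted_fy, approved_by.
    shipments: dicts with id, sale_id (None if no sale was recorded), quantity.
    subsidiary_postings: dicts with sale_id, customer, amount (the AR subsidiary ledger)."""
    findings = []
    by_id = {t["id"]: t for t in transactions}
    shipped = {s["sale_id"]: s["quantity"] for s in shipments if s["sale_id"]}
    for t in transactions:
        # Invalid: the counterparty is not in the master file.
        if t["party"] not in (CUSTOMERS if t["kind"] == "sale" else VENDORS):
            findings.append(("invalid", t["id"], f"party {t['party']} not in master file"))
        # Unauthorized: no approval on record.
        if not t["approved_by"]:
            findings.append(("unauthorized", t["id"], "no approval recorded"))
        # Inaccurate: price off the list, billed quantity differs from shipped, or
        # the extension does not foot.
        reasons = []
        list_price = PRICE_LIST.get(t["product"])
        if list_price is None or not same(t["unit_price"], list_price):
            reasons.append(f"unit price {t['unit_price']} vs list {list_price}")
        if t["id"] in shipped and shipped[t["id"]] != t["quantity"]:
            reasons.append(f"billed {t['quantity']} vs shipped {shipped[t['id']]}")
        if not same(t["amount"], t["quantity"] * t["unit_price"]):
            reasons.append(f"amount {t['amount']} does not foot")
        if reasons:
            findings.append(("inaccurate", t["id"], "; ".join(reasons)))
        # Misclassified: a capital-sized acquisition coded to an operating object.
        if t["kind"] == "expenditure" and t["amount"] >= CAPITAL_THRESHOLD and t["object_code"] != "capital":
            findings.append(("misclassified", t["id"], f"{t['amount']:.2f} coded to {t['object_code']}"))
        # Wrong period: transaction date and posting period fall in different fiscal years.
        if fiscal_year(t["txn_date"]) != t["posted_fy"]:
            findings.append(("period", t["id"], f"dated FY{fiscal_year(t['txn_date'])}, posted FY{t['posted_fy']}"))
    # Omitted: goods shipped but no sale recorded.
    for s in shipments:
        if s["sale_id"] not in by_id:
            findings.append(("omitted", s["id"], "shipment with no recorded sale"))
    # Posting: each sale must reach the customer's subsidiary record, and the
    # subsidiary ledger must foot to the AR control account.
    posted = {p["sale_id"]: p for p in subsidiary_postings}
    control_total = 0.0
    for t in transactions:
        if t["kind"] != "sale":
            continue
        control_total += t["amount"]
        p = posted.get(t["id"])
        if p is None or p["customer"] != t["party"] or not same(p["amount"], t["amount"]):
            findings.append(("posting", t["id"], "not matched in AR subsidiary ledger"))
    subsidiary_total = sum(p["amount"] for p in subsidiary_postings)
    if not same(control_total, subsidiary_total):
        findings.append(("posting", "AR-CONTROL", f"control {control_total:.2f} vs subsidiary {subsidiary_total:.2f}"))
    return sorted(findings)

def txn(id_, kind, party, product, qty, price, amount, obj, when, fy, approver):
    return dict(id=id_, kind=kind, party=party, product=product, quantity=qty, unit_price=price,
                amount=amount, object_code=obj, txn_date=when, posted_fy=fy, approved_by=approver)

# Constructed batch: one clean sale plus records carrying the defects described above.
BATCH = [
    txn("S1", "sale", "C1", "P1", 4, 12.50, 50.00, None, date(2007, 5, 3), 2007, "jlee"),
    # P2's unit price applied to a P1 sale; 6 billed, 4 shipped
    txn("S2", "sale", "C2", "P1", 6, 1800.00, 10800.00, None, date(2007, 6, 28), 2007, "jlee"),
    # fictitious vendor, no approval, capital-sized purchase coded to supplies
    txn("E1", "expenditure", "V999", "P2", 4, 1800.00, 7200.00, "supplies", date(2007, 6, 15), 2007, ""),
    # June purchase posted to FY2008 when the invoice arrived in July
    txn("E2", "expenditure", "V100", "P1", 10, 12.50, 125.00, "supplies", date(2007, 6, 29), 2008, "mdoe"),
]
SHIPMENTS = [
    {"id": "SH1", "sale_id": "S1", "quantity": 4},
    {"id": "SH2", "sale_id": "S2", "quantity": 4},
    {"id": "SH3", "sale_id": None, "quantity": 2},   # shipped but never billed
]
# S2 reached the AR control account but never C2's subsidiary record.
SUBSIDIARY = [{"sale_id": "S1", "customer": "C1", "amount": 50.00}]

if __name__ == "__main__":
    for category, record_id, detail in check_batch(BATCH, SHIPMENTS, SUBSIDIARY):
        print(f"{category:<13} {record_id:<10} {detail}")
```

Each finding names the record and the evidence, which is what a reviewer needs to investigate the unusual item rather than just to see that one exists.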


4.2 Control methods and techniques

Control activities can be automated or manual, have various objectives and are performed at various organizational and functional levels. Generally, control activities that pertain to financial reporting can be grouped into the following categories.

4.2.1 Segregation of duties

Segregation of duties is one of the most important features of an internal control plan. The fundamental premise of segregated duties is that an individual or small group of individuals should not be in a position to initiate, approve, undertake and review the same action. These are called incompatible duties when performed by the same individual. Examples of incompatible duties include situations where the same individual (or small group of people) is responsible for:

- Managing both the operation of and recordkeeping for the same activity.
- Managing custodial activities and recordkeeping for the same assets.
- Authorizing transactions and managing the custody or disposal of the related assets or records.

Stated differently, there are four kinds of functional responsibilities that should be performed by different work units, or at a minimum, by different persons within the same unit:

Authorization to execute transactions: This duty belongs to persons with authority and responsibility to initiate and execute transactions.

Recording transactions: This duty refers to the accounting or recordkeeping function, which in most organizations, is accomplished by entering data into a computer system.

Custody of assets involved in the transactions: This duty refers to the actual physical possession or effective physical control/safekeeping of property.

Periodic reviews and reconciliation of existing assets to recorded amounts: This duty refers to making comparisons at regular intervals and taking appropriate action to resolve differences.

The advantage derived from an appropriate segregation of duties is twofold:

Fraud is more difficult to perpetrate because it would require collusion of two or more persons, and most people hesitate to seek the help of others to conduct wrongful acts.

By handling different aspects of the transaction, innocent errors are more likely to be found and flagged for correction.

At a minimum, an agency’s plan of internal control should ensure that the following activities are properly segregated:

1. Personnel and payroll activities

- Individuals responsible for hiring, terminating and approving promotions should not be directly involved in preparing payroll or personnel transactions or inputting data.
- Managers should review and approve payroll deductions and time sheets before data entry, but should not be involved in entering payroll transactions.
- Individuals involved in payroll data entry should not have payroll approval authority.
- Individuals who are part of the payroll staff should not enter changes to their own data files.
- An individual who is not involved in the payroll process should periodically verify all personnel salaries and wage rates.
- Unless otherwise approved, dual update access to the Montana State Payroll and the Human Resource functions on SABHRS should not be permitted.
- Gross pay adjustment reports should be received and reviewed by an individual outside of the payroll function.

2. Other expenditure activities

- Individuals responsible for data entry of encumbrances and payment vouchers should not be responsible for approving these documents.
- A department should not delegate expenditure transaction approval to the immediate supervisor of data entry staff or to data entry personnel.
- Delegated expenditure authority must be in writing and approved by the appointed authority.
- Individuals responsible for acknowledging the receipt of goods or services should not also be responsible for purchasing or accounts payable activities.

3. Inventories

- Individuals responsible for monitoring inventories should not have the authority to authorize withdrawals of items maintained in inventory.
- Individuals performing physical inventory counts should not be involved in maintaining inventory records.

4. Check writing activities

- Individuals who prepare/record checks should not sign the checks.
- Individuals who prepare/record checks should not reconcile the checking account.

5. Revenue activities

- Individuals responsible for cash receipts functions should be segregated from those responsible for cash disbursements.
- Individuals who receive cash into the office should not be involved in preparing bank deposits.
- Individuals who receive cash or make deposits should not be involved in reconciling the bank accounts.
- Individuals responsible for issuing agency billings should not be involved in estimating, budgeting, collecting or processing cash receipts and should not be directly involved in maintaining accounts receivable.
- Individuals responsible for maintaining accounts receivable records should not be directly involved in the billing process or cash receipting.

If agencies do not have sufficient staff to accomplish an optimum division of duties, management will need to be more actively involved in reviewing reports and reconciliations and ensuring transactions are adequately documented and properly authorized.
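As an added example that is not from the Guidebook, the script below encodes the four functional responsibilities and the incompatible-duty rules of this section as a conflict check over a constructed set of staff assignments, reporting a conflict as mitigated rather than open when it falls in a cycle covered by the compensating management review described above. The duty names, their grouping into cycles, and the person names and assignments are all assumptions made for the example.

```python
"""Segregation-of-duties check over constructed role assignments.

Added example, not part of the Guidebook. The duty catalogue below is built
from the activities section 4.2.1 lists; person names and assignments are
constructed for illustration.
"""
from itertools import combinations

# The four functional responsibilities section 4.2.1 says should rest with
# different persons.
AUTHORIZE, RECORD, CUSTODY, RECONCILE = "authorize", "record", "custody", "reconcile"

# duty -> (cycles it touches, functional responsibility). Bank-related duties
# also carry the "cash" cycle so that receipts, disbursements and the bank
# reconciliation are checked against one another. Mapping constructed here.
DUTIES = {
    "approve_hiring":             ({"payroll"}, AUTHORIZE),
    "approve_timesheets":         ({"payroll"}, AUTHORIZE),
    "enter_payroll":              ({"payroll"}, RECORD),
    "verify_wage_rates":          ({"payroll"}, RECONCILE),
    "approve_vouchers":           ({"expenditure"}, AUTHORIZE),
    "enter_vouchers":             ({"expenditure"}, RECORD),
    "receive_goods":              ({"expenditure"}, CUSTODY),
    "prepare_checks":             ({"disbursement", "cash"}, RECORD),
    "sign_checks":                ({"disbursement", "cash"}, AUTHORIZE),
    "receive_cash":               ({"revenue", "cash"}, CUSTODY),
    "prepare_deposit":            ({"revenue", "cash"}, CUSTODY),
    "reconcile_bank":             ({"cash"}, RECONCILE),
    "issue_billings":             ({"revenue"}, AUTHORIZE),
    "maintain_receivables":       ({"revenue"}, RECORD),
    "authorize_withdrawals":      ({"inventory"}, AUTHORIZE),
    "monitor_inventory":          ({"inventory"}, CUSTODY),
    "maintain_inventory_records": ({"inventory"}, RECORD),
    "count_inventory":            ({"inventory"}, RECONCILE),
}

# Receiving cash and preparing the deposit are both custody duties, so the
# generic rule would allow them together; the Guidebook names the pair.
EXPLICIT_CONFLICTS = {frozenset({"receive_cash", "prepare_deposit"})}


def is_incompatible(duty_a, duty_b):
    """True when one person holding both duties breaches segregation."""
    if frozenset({duty_a, duty_b}) in EXPLICIT_CONFLICTS:
        return True
    (cycles_a, role_a), (cycles_b, role_b) = DUTIES[duty_a], DUTIES[duty_b]
    # Different functional responsibilities within a shared cycle.
    return bool(cycles_a & cycles_b) and role_a != role_b


def find_conflicts(assignments, reviewed_cycles=frozenset()):
    """Return sorted (person, duty_a, duty_b, status) findings.

    assignments: person -> set of duty names.
    reviewed_cycles: cycles where management performs the compensating review
    the Guidebook calls for when staff are too few to segregate fully; their
    conflicts are reported as "mitigated" instead of "open".
    """
    findings = []
    for person, duties in assignments.items():
        unknown = set(duties) - set(DUTIES)
        if unknown:
            raise ValueError(f"{person}: unknown duties {sorted(unknown)}")
        for a, b in combinations(sorted(duties), 2):
            if not is_incompatible(a, b):
                continue
            shared = DUTIES[a][0] & DUTIES[b][0]
            status = "mitigated" if shared <= reviewed_cycles else "open"
            findings.append((person, a, b, status))
    return sorted(findings)


# Constructed assignments for a small fiscal office.
ASSIGNMENTS = {
    "alice": {"approve_hiring", "approve_timesheets"},            # authorizes only
    "bob":   {"enter_payroll", "enter_vouchers"},                 # records only
    "carol": {"prepare_checks", "sign_checks"},                   # prepares and signs
    "dave":  {"receive_cash", "prepare_deposit", "reconcile_bank"},
    "erin":  {"count_inventory", "maintain_inventory_records"},   # covered by management review
}

if __name__ == "__main__":
    for finding in find_conflicts(ASSIGNMENTS, reviewed_cycles={"inventory"}):
        print("%-6s %-20s %-28s %s" % finding)
```

Running the check against the access actually granted in a system such as SABHRS, rather than against the organization chart, is what turns this from a design review into a monitoring control.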

4.2.2 Access controls

Control over physical access refers to the physical security of assets. Physical safeguards include secured facilities; limited access to assets and important records, documents and blank forms; and periodic physical counts that are compared with amounts shown on control records. Inventories of items held for sale and stocks of materials and supplies should not be available to persons who have no need to handle them. Likewise, access to accounts receivable records and payroll data should be denied to people who do not have a recordkeeping responsibility for them.

Access control over information systems means that access to program documentation, data files, programs and computer hardware is limited to the extent required by individual job duties. Access controls should include the use of multilevel security, user identifications coupled with regularly changed passwords, limited access rooms, call backs and dial-up systems, use of file attributes and firewalls, and encryption of confidential information.

4.2.3 Periodic reconciliations

Managers should provide for periodic comparison of recorded amounts with independent evidence of existence and valuation. Internal auditors and/or other members of the accounting staff can perform such comparisons on a regular basis. These individuals, however, should not also have responsibility for authorization of the related transactions, accounting or recordkeeping, or custodial responsibility for the assets.

Periodic comparisons may include reconciliation of bank statements, inventory counting, confirmation of accounts receivable and accounts payable. The more frequent the comparisons, the greater the opportunity to detect errors. The results of nightly processing in the Statewide Accounting Budgeting and Human Resource System (SABHRS), for example, should be compared the next morning to the agency’s detail summary records. Cash account balances should be reconciled monthly to monthly bank statements (and to the balance in SABHRS, if an agency subsystem is involved). For other records, the frequency of periodic comparisons must be balanced against the costs and benefits.

Subsequent action to correct differences is also important. Together, periodic comparisons and actions to correct errors lower the risk that material misstatements in the financial statements will occur.

4.2.4 Periodic performance comparisons

This category of controls includes periodic reviews of actual performance versus budgets, forecasts and prior period performance. Operating (activity-based) data is compared to financial data. The relationship of the two data sets is analyzed, with the differences investigated and corrective action taken if necessary. This type of control activity is usually performed by management employees that have no recordkeeping or custodial responsibilities.

4.2.5 Authority

Evidence must be maintained to demonstrate that only persons acting within the scope of their authority are allowed to authorize and execute transactions. Agencies need to document which persons have expenditure authority and the extent of that authority. The signature of authorized personnel is a matter of record and should be readily available for comparison when the underlying documents are audited. Periodically, the agency chief fiscal officer or delegate should perform reviews to ensure compliance.

Transfer transactions and adjusting entries, particularly year end financial statement entries, require special control to avoid errors and possible misstatement. Management oversight is critical. The supporting documentation should provide clear evidence that these transactions have been properly reviewed and authorized before they are entered into the accounting system.


4.2.6 Documentation control

Internal control systems, all transactions and other significant events should be clearly documented, and the documentation should be readily available for examination at each agency.

Detailed written evidence of the internal control system, its objectives and activities, is essential. This documentation is valuable to managers in controlling their operations and is useful to auditors or others involved in analyzing and reviewing operations. Written documentation facilitates job training by communicating specific responsibilities. The documentation should appear in management directives, administrative policy, and accounting procedure manuals. Many documentation tools are available such as checklists, flow charts, narratives, and software packages. These tools may be particularly helpful in documenting complex information systems and the related control activities.

Internal control reviews and risk analyses should be documented. Supporting documentation for conclusions should be kept on file in accordance with records management guidelines.

Documentation of transactions and other significant events should be timely, complete and accurate and should allow tracing the transaction or event from the source documents, while it is in process, through to the financial reports. It is important that each step in the transaction process is documented and the appropriate control accounts, ledgers and files are updated.

Regardless of format, the supporting documentation should indicate the purpose or reason for the transaction and that the transaction was properly authorized. The transaction amount should be clearly evident or easily verified upon recalculation. In addition, the documentation should fully support the information entered into SABHRS in the following data fields: fund, project, general ledger account, and vendor name/number, if applicable.

Adjusting entries, which include reclassifications, error corrections and year-end financial statement adjustments, must be fully documented. In cases where estimates are used, the estimates must be reasonable, based on relevant information and sufficiently documented. For system-generated transactions, documentation that clearly describes the methodology, formulas and calculations, and the applicable system links and processes should be maintained.

Finally, transaction documentation should be archived in accordance with Montana retention schedules.

4.2.7 Supervision

The effectiveness of any system of internal control depends on continuous, qualified supervision of all staff. It is management’s primary means of monitoring and maintaining a system of internal control. In fulfilling their responsibilities, managers and supervisors should:

- Assign tasks and establish written procedures for completing assignments.
- Systematically review each staff member's work.
- Approve work at critical points to ensure quality and accuracy.
- Provide guidance and training when necessary.
- Provide documentation of supervision and review (e.g., initialing examined work).


Adequate and timely supervision is especially important in small departments, where limited personnel make it difficult to establish a complete segregation of duties. Accounting and payroll reports are vital tools that managers can use in carrying out their supervisory responsibilities. The reports provide managers with timely information for transaction verification, analysis and forecasting, and reference purposes.

Recently, in an archeological excavation in the Middle East, a large stone tablet was unearthed. Scholars finally determined that it was an ancient audit report in which the auditors complained about the use of papyrus scrolls by the scribes: “Such scrolls lack the evidential integrity of stone and clay tablets.”


5 All systems go

Because the accuracy and timeliness of financial reporting is to a large extent dependent on a well-controlled systems environment, more and more attention is being focused on the role of information technology (IT) in the financial reporting process. For most agencies, the role of information technology is critical to achieving an agency’s financial objectives. Whether transactions are processed directly in, or transmitted to, SABHRS from independent agency subsystems, IT systems are deeply embedded in the initiation, recording, processing and reporting of financial transactions.

5.1 Potential benefits of using IT in the financial reporting process [5]

IT provides the following potential internal control benefits because it enables an agency to:

- Consistently apply predefined business rules and perform complex calculations in processing large volumes of transactions or data.
- Enhance timeliness, availability and accuracy of information.
- Facilitate additional analysis of information.
- Enhance the ability to monitor the performance of the agency’s activities and its policies and procedures.
- Reduce the risk that control will be circumvented.
- Enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases, and operating systems.

5.2 Potential risks of using IT in the financial reporting process

IT also poses specific risks to an agency’s internal control, such as:

- Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
- Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions.
- Unauthorized changes to data in master files.
- Unauthorized changes to systems or programs.
- Failure to make necessary changes to systems or programs.
- Inappropriate manual intervention.
- Potential loss or compromise of data.

The use of computer systems to process financial transactions, store data, and perform statistical and other analysis does not change the internal control objectives already discussed. However, extensive use of computer systems may change the techniques used to meet control objectives. For example, when IT is used in an information system, segregation of duties may be achieved or enhanced by implementing access security controls. (See Appendix A for a matrix of the risks associated with various levels of system access.)
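The point that access security controls can enforce segregation of duties can be illustrated with a check an access review would run over role assignments. The following Python is an added example; it is not code from the Guidebook, from SABHRS or from Appendix A. The role names, function names, users and conflict pairs are all constructed for illustration, and an agency would substitute the conflict pairs from its own risk matrix.

```python
"""Segregation-of-duties (SoD) check over application access assignments.

Added example, not from the Guidebook. Every role, function, user and
conflict pair below is constructed; an agency would load its own access
export and derive the conflict pairs from its risk matrix.
"""

# Constructed: pairs of application functions that one person should not hold
# together, because holding both lets a single user originate and approve
# (or alter and conceal) a transaction.
CONFLICTING_FUNCTIONS = {
    frozenset({"vendor_maintain", "payment_approve"}),
    frozenset({"payment_enter", "payment_approve"}),
    frozenset({"journal_enter", "journal_post"}),
    frozenset({"payroll_maintain", "payroll_approve"}),
    frozenset({"security_admin", "payment_approve"}),
}

# Constructed: functions granted by each application role.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"payment_enter", "vendor_view"},
    "AP_SUPERVISOR": {"payment_approve", "vendor_view"},
    "VENDOR_MAINT": {"vendor_maintain", "vendor_view"},
    "GL_ACCOUNTANT": {"journal_enter"},
    "GL_MANAGER": {"journal_enter", "journal_post"},   # over-broad role
    "SYSADMIN": {"security_admin"},
}

# Constructed: current role assignments, as an access review would export them.
USER_ROLES = {
    "ajones": {"AP_CLERK"},
    "bsmith": {"AP_SUPERVISOR", "VENDOR_MAINT"},  # can create a vendor and approve its payment
    "clee": {"GL_MANAGER"},                        # conflict comes from one role, not a combination
    "dkim": {"GL_ACCOUNTANT"},
    "epatel": {"SYSADMIN", "AP_CLERK"},            # holds no complete conflicting pair
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of every function granted by any of the user's roles."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def sod_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                  conflicts=CONFLICTING_FUNCTIONS):
    """Return {user: [(func_a, func_b), ...]} for every user holding a conflicting pair.

    The test is done on effective functions rather than role names, so it finds
    conflicts that arise from combining roles and from a single over-broad role.
    """
    findings = {}
    for user, roles in user_roles.items():
        held = effective_functions(roles, role_functions)
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= held)
        if hits:
            findings[user] = hits
    return findings


def overbroad_roles(role_functions=ROLE_FUNCTIONS, conflicts=CONFLICTING_FUNCTIONS):
    """Roles that contain a conflicting pair by themselves; assigning such a role
    to anyone defeats segregation of duties regardless of their other roles."""
    return sorted(role for role, funcs in role_functions.items()
                  if any(pair <= funcs for pair in conflicts))


if __name__ == "__main__":
    for user, pairs in sod_conflicts().items():
        print(f"{user}: {pairs}")
    print("over-broad roles:", overbroad_roles())
```

Running the check on the constructed data flags bsmith (vendor maintenance plus payment approval, spread across two roles) and clee (journal entry plus posting, inside one role), which is why the check is done on effective functions rather than on role names alone.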

[5] The subsections on the potential benefits and risks of IT on internal controls were adapted from AICPA Professional Standards, AU Section 319.18-.19, Consideration of Internal Control in a Financial Statement Audit.


5.3 General controls versus application controls

In an automated environment there are two broad categories of controls: general controls and application controls.

5.3.1 General controls

General controls apply to all information systems—mainframe, minicomputer, network, and end-user environments; they impact the entire data processing environment, including application systems. General controls address data center and network operations; system software acquisition and maintenance; physical security, environmental protection, disaster recovery, hardware maintenance and computer operations. Other examples include program change controls; controls that restrict access to programs or data; controls over implementation of packaged software or development of new software applications; and controls over system software that monitors the use of system utilities that could change financial data without leaving an audit trail.

5.3.2 Application controls

Application controls, on the other hand, are more specific to individual application systems. They include both computerized and manual controls and are designed to help ensure the completeness, accuracy, and validity of all information processed. Application controls should be installed at an application’s interfaces with other systems to ensure that all inputs are received and are valid and outputs are correct and properly distributed.

Input control activities: Input controls are designed to provide reasonable assurance that data received for computer processing have been properly authorized and converted into machine-sensible form, and that the data have not been lost, suppressed, added, duplicated, or improperly changed. Computerized input controls include validation procedures such as check digits, record counts, hash totals and batch financial totals.

Processing control activities: Processing controls are designed to provide reasonable assurance that data processing has been performed as intended without any omission or double-counting. Processing controls such as computerized edit routines include valid character tests, missing data tests, sequence tests and limit or reasonableness tests – all designed to detect data conversion errors. Many processing controls are the same as the input controls, but they are used during the actual processing phases. These controls include run-to-run totals, control total reports, file and operator controls, such as external and internal labels, system logs of computer operations, and limit or reasonableness tests.

Output control activities: Output controls are designed to provide reasonable assurance that processing results are accurate and distributed to authorized personnel only. Control totals produced as output during processing should be compared/reconciled to input and run-to-run control totals produced during processing. Computer-generated change reports for master files should be compared to original source documents for assurance that data are correct.

General and application controls over computer systems are interrelated. General control supports the functioning of application control, and both are needed to ensure complete and accurate information processing. If general controls are inadequate, the application controls are unlikely to function properly and could be overridden.
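The input, processing and output controls named in 5.3.2 (record counts, hash totals, batch financial totals, check digits and run-to-run totals) can be shown working together over one small batch. The following Python is an added example, not code from the Guidebook or from SABHRS. The batch layout, vendor numbers and amounts are constructed, and the mod-10 (Luhn) check digit is one common scheme chosen for illustration, not an agency or SABHRS convention.

```python
"""Batch controls over a transaction file: record count, hash total, financial
total, check digits, and run-to-run reconciliation between processing stages.

Added example, not from the Guidebook or SABHRS. The batch layout, vendor
numbers and amounts are constructed; the mod-10 (Luhn) check digit is one
common scheme chosen for illustration, not an agency convention.
"""
from dataclasses import dataclass
from decimal import Decimal


def luhn_valid(number: str) -> bool:
    """Mod-10 check digit test: the last digit must make the weighted sum a multiple of 10.
    Catches any single-digit keying error and most adjacent transpositions."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class BatchTotals:
    record_count: int
    hash_total: int           # sum of vendor numbers: meaningless as a number, useful as a fingerprint
    financial_total: Decimal  # sum of amounts


def compute_totals(records) -> BatchTotals:
    """records: list of (record_id, vendor_number, amount)."""
    return BatchTotals(
        record_count=len(records),
        hash_total=sum(int(vendor) for _, vendor, _ in records),
        financial_total=sum((amount for _, _, amount in records), Decimal("0")),
    )


def input_control(records, header: BatchTotals):
    """Input control: compare the received batch against the totals the submitting
    unit computed, and validate each record. Returns exception messages; an empty
    list means the batch is accepted for processing."""
    problems = []
    ids = [rid for rid, _, _ in records]
    duplicates = sorted({rid for rid in ids if ids.count(rid) > 1})
    if duplicates:
        problems.append(f"duplicate record ids {duplicates}")
    for rid, vendor, amount in records:
        if not luhn_valid(vendor):
            problems.append(f"record {rid}: vendor number {vendor} fails check digit")
        if amount <= 0:
            problems.append(f"record {rid}: non-positive amount {amount}")
    received = compute_totals(records)
    if received.record_count != header.record_count:
        problems.append(f"record count {received.record_count} != header {header.record_count}")
    if received.hash_total != header.hash_total:
        problems.append(f"hash total {received.hash_total} != header {header.hash_total}")
    if received.financial_total != header.financial_total:
        problems.append(f"financial total {received.financial_total} != header {header.financial_total}")
    return problems


def run_to_run(stage_totals):
    """Processing/output control: each stage's totals must equal the previous stage's.
    stage_totals: list of (stage_name, BatchTotals) in processing order."""
    mismatches = []
    for (prev_name, prev), (name, cur) in zip(stage_totals, stage_totals[1:]):
        if prev != cur:
            mismatches.append(f"{prev_name} -> {name}: {prev} != {cur}")
    return mismatches


# Constructed batch as submitted: (record id, vendor number with check digit, amount).
SUBMITTED = [
    ("1001", "79927398713", Decimal("125.00")),
    ("1002", "1234566", Decimal("80.50")),
    ("1003", "5001235", Decimal("1500.00")),
]
HEADER = compute_totals(SUBMITTED)   # control totals the submitting unit attaches to the batch


def demo():
    """Return exceptions for the clean batch and for three constructed defects."""
    dropped = SUBMITTED[:2]                                                   # record lost in transit
    altered_vendor = [SUBMITTED[0], ("1002", "1234565", Decimal("80.50")), SUBMITTED[2]]
    altered_amount = [SUBMITTED[0], ("1002", "1234566", Decimal("85.00")), SUBMITTED[2]]
    return {
        "clean": input_control(SUBMITTED, HEADER),
        "dropped": input_control(dropped, HEADER),
        "altered_vendor": input_control(altered_vendor, HEADER),
        "altered_amount": input_control(altered_amount, HEADER),
    }


if __name__ == "__main__":
    for case, exceptions in demo().items():
        print(case, exceptions or "accepted")
    print(run_to_run([("input", HEADER), ("posting", compute_totals(SUBMITTED[:2]))]))
```

The three constructed defects show why the controls are used together: a dropped record trips the record count, hash total and financial total; an altered vendor number trips the check digit and the hash total but not the financial total; an altered amount trips only the financial total. None of these totals proves the batch was authorized, which is why the Guidebook pairs them with the manual authorization evidence described in 4.2.6.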


Appendices B and C contain questions that relate to IT general and application control objectives from a financial systems perspective. Large agencies with internal audit functions may have already addressed most of these questions, particularly those agencies that operate in highly complex data processing environments and have large IT organizations. All agencies, however, will find that answering these questions provides the following benefits:

Assurance that the agency’s IT operations and investment strategies, as they relate to financial systems, are well planned, properly staffed and executed in accordance with the agency and statewide IT strategies and security and control policies.

Documentation that the agency has conducted a review of IT general and application controls over financial systems, which can be incorporated into the agency’s internal control plan.

A tool that agencies contemplating replacement of existing financial systems, or currently in the implementation phase, can use to monitor and control the software acquisition/development project.

5.4 The role of the IT specialist [6]

When evaluating controls over computer processing, the presence of one or more of the following conditions may require the expertise of an IT specialist:

- Technology is an integral part of the agency’s business processes, involving both its primary, customer-oriented activities and its support activities, such as general management, planning, finance and accounting.
- The agency has recently implemented a new IT financial system or made significant modifications to an existing financial system.
- The agency is engaged in significant e-commerce activity.
- Data is shared extensively between computer applications.

The IT specialist can help the evaluation team identify risks related to the IT system, document and test controls, design and assist in implementing missing controls, and monitor the continued effectiveness of IT controls.

The successful completion of the IT component of the evaluation project will largely depend on (1) how well the evaluation team leader and agency financial management understand the risks inherent in IT systems, and (2) IT management’s understanding of the financial reporting process and its supporting systems. Ideally, senior IT management should be well-informed concerning the types of IT controls needed to support reliable financial information processing.

"I think there is a world market for maybe five computers."

-- IBM Chairman, Thomas Watson, 1943

[6] This subsection was adapted from the example on project team organization presented by Mr. Michael Ramos in his book entitled, How to Comply with Sarbanes-Oxley Section 404 – Assessing the Effectiveness of Internal Control, John Wiley & Sons, Inc., Hoboken, NJ, 2004.


6 “The plan”

Each agency head should designate one senior manager as the agency’s internal control officer. This person shall be responsible for the agency’s overall internal control review. Working with agency managers and other personnel, the internal control officer’s mission is to develop a cost effective approach that best fits the agency’s size, staff and budget.

To get started, agencies are encouraged to create an internal control team. The team will need to formulate a strategy, establish timelines and set milestones, assign tasks to key personnel and keep the agency head informed of progress. Certain activities that should be undertaken in conjunction with the internal control review include:

- Updating/creating policies and procedures to reflect current processes.
- Updating organization charts.
- Identifying and listing electronic files.
- Identifying financial data reports/queries, where they are located and how they are accessed (SABHRS, Report Distribution System, Doc Analyzer, Manager Reporting Tool, PC based, etc.).
- Reviewing the organization of paper filing systems and archiving procedures.
- Completing an inventory of fixed assets.

There is no single prescribed methodology for conducting an evaluation of internal controls. Agencies that have an internal audit unit may already have adopted one of several risk assessment models. These models generally involve an assessment of administrative controls, as well as fiscal controls. For those agencies that do not have an internal audit function, the balance of this chapter presents a plan to evaluate fiscal internal controls, using a six-step approach. (See Appendix D for a model plan that agencies may modify to fit their needs.)

1. Identify who does what; obtain copies of agency governance documents (mission statement, charter of governing boards, code of conduct, human resource policies and personnel handbook, accounting manuals, etc.).
2. Determine what business cycles/processes/activities to evaluate.
3. Document the transaction processing cycles and related controls. Supplement written sources through inquiries and surveys.
4. Test the controls (how is the work being done versus how should the work be done).
5. Evaluate findings and report the results.
6. Monitor controls on a continuous basis.

6.1 An internal control evaluation and monitoring plan

6.1.1 Identify who does what

Introduction: In this section of the internal control plan, identify the agency’s internal control officer and his/her responsibilities for providing technical support and assistance. Include brief statements that address the frequency of internal control evaluations, the agency’s commitment to maintaining an effective internal control system, and how recommendations for improvement are handled, including those based on the findings of the Legislative Audit Division and federal auditors, if applicable. Identify other internal control contacts/team members.


Agency Mission: State the agency’s mission and mandate and cite applicable statutory references.

Organizational Structure: Include names and titles of executive management. Discuss agency programs, number of employees, internal plan of organization, etc. Insert an organizational chart.

Management’s Key Internal Control Concepts: Discuss the key internal control concepts, philosophies and actions already put into effect that significantly strengthen the agency’s overall control environment. Incorporate the agency’s governance documents.

6.1.2 Determine what to evaluate

Set priorities: Focus first on high risk divisions, business units, programs or activities. Incorporate management’s special concerns and knowledge. Consideration should be given to the following factors:

- The degree of centralization versus decentralization
- Competency and integrity of personnel
- Dollar amount of budget
- Degree to which public purpose may be affected
- Safeguarding of resources
- Organizational checks and balances that may provide a type of secondary control
- Negotiability of the assets involved
- Legal mandates

Once the high risk divisions, programs and/or activities have been evaluated, a systematic plan should be established to review all other risk areas.

Identify financial cycles and sub-cycles: Most agencies have the following basic transaction cycles:

- Expenditures
- Revenue
- Inventory
- Fixed Assets
- Payroll
- Automated transaction processing
- Agency specific programs and activities

6.1.3 Document the transaction processing cycles

In this section of the plan, document the types and the flow of transactions, the persons who process the transactions and the related control features, such as reviews and approvals, for each financial cycle identified above. Interview and involve other senior and line managers in the documentation phase, as necessary. Ask them to make the following records available to the members of the internal control team:

- Flowcharts
- Policies and procedure manuals, desk procedure manuals
- Job profiles
- Business unit organizational charts
- Output reports


Agencies may find that the documentation phase is best accomplished by using a combination of documentation tools and formats, such as checklists, questionnaires, flow charts, narratives, and software packages. Initially, focus on key processes and key check points. With each successive review, more details can be added.

Review prior internal and external audit reports. If control weaknesses identified in prior audits have not been corrected, it may be an indicator of further problems.

6.1.4 Test the controls

Use a variety of techniques to test internal controls and gather evidence. For example, an agency’s “control environment” may be verified through document reviews, employee surveys, and management inquiries. For transaction-oriented controls, use an employee focus group to help identify the various control points in a processing stream and then perform a “walk-through” to test prescribed procedures against actual operations. See Section 7 for more details on testing procedures and example survey/inquiry tools.

6.1.5 Evaluate findings and report the results

The next step is to evaluate your findings and determine whether existing controls are sufficient to manage the risks. The risk questions presented in Section 3 are repeated here:

- How important is this risk, both within state government and to the public?
- How likely is it that this risk will occur?
- How large is the dollar amount involved?
- To what extent does the risk potential of one activity affect other activities?
- Are existing controls (policies and procedures) sufficient to manage this risk?
- To what degree are secondary controls in place?

Be certain to confirm your findings and evaluation by discussing them with appropriate business unit and agency managers. Ask them to develop corrective action plans and to submit a schedule for completion.

Finally, document your findings, both positive and negative, in a written report that is presented to senior management. Include recommendations for improvements, identify any redundant controls that should be modified or eliminated, and present the business unit’s responses and corrective action plans.

6.1.6 Continuous monitoring

Review internal controls for high risk divisions, business units and activities annually, or more frequently if warranted. Review areas of lower risk annually by spot checking key controls, with full reviews every five years, unless there are significant changes in the operating environment. Situations involving new programs, changes in personnel, agency reorganizations or new systems increase the exposure to risk and, therefore, require more frequent review. Perform follow-up on prior evaluations to make certain that corrective actions have been taken.

"If you can't explain it to a six year old, you don't understand it yourself."

-- Albert Einstein


7 Testing, testing, 1-2-3 [7]

The COSO framework (described in Section 3) divides internal controls into two different levels, the general, entity-wide level and the specific, activity-level. The approach presented in this Guidebook is to test the effectiveness of entity-level controls first. By understanding entity-level controls, the agency’s internal control team should be better able to develop tests at the activity-level.

7.1 Entity-level tests

Because entity-level controls are indirect and not transaction oriented, they are not easily verified through observation or by re-performing transaction related tests. As a result, the internal control team will need to use other techniques to gather evidence to support their evaluation of entity-wide controls.

7.1.1 Document review

7.1.1.1 Governance documents

To start, obtain copies of the agency governance documents. The team should review these documents to ensure it understands the agency’s mission. Generally, the governance documents will describe the membership of the governing board, including number of members, their qualifications, independence requirements and selection process and their roles and responsibilities. Throughout this process, the internal control team should keep in mind the importance to the governing board of receiving reliable and accurate information on a timely basis. The team may want to explore and suggest changes to the ways in which information is gathered and communicated to the board.

7.1.1.2 Code of conduct

A written code of conduct helps establish values, norms and shared beliefs. The form and content of a code of conduct may vary greatly from agency to agency. Nonetheless, a typical code of conduct will include a statement of values, identification of key behaviors that are accepted and not accepted in the workplace, examples of ethical situations that agency personnel are likely to encounter, and information on reporting violations of the code and how they will be investigated.

7.1.1.3 Other documentation

Most agencies document their human resource policies and communicate them to their employees in the form of a personnel handbook. For purposes of an internal control evaluation, the internal control team should focus on those policies that demonstrate the agency’s commitment to competence and address expectations regarding integrity and ethical behavior.

The agency’s accounting manual should include important information relating to the procedures used to capture and process accounting information, the documents required and the related control procedures. This information is typically most useful in documenting activity-level controls. However, the accounting manual may also provide important documentation that is relevant for entity-wide controls, such as those related to the annual financial closing process.

[7] The information in this chapter was adapted from the testing strategies and techniques presented by Mr. Michael Ramos in his book entitled How to Comply with Sarbanes-Oxley Section 404 – Assessing the Effectiveness of Internal Control, John Wiley & Sons, Inc., Hoboken, NJ, 2004.

7.2 Surveys and inquiries

7.2.1 Employee surveys

Reviewing the written code of conduct and personnel policies, by themselves, will most likely not be sufficient to determine whether entity-level controls are operating effectively. One way to gather additional information is to conduct an employee survey. See Appendix E for an example survey.

To ensure the most reliable and most valid results, many of the same concepts applicable to statistical sampling methods should be employed.

- The more respondents, the more reliable the results.
- Survey employees in several divisions or locations. In other words, stratify the sample population.
- Try to obtain results from different levels of employees, ranging from executive management down to clerical staff.
- Each employee within the population being sampled should have an equal chance of being selected.

The internal control team should consider whether it is appropriate to exclude a group from the survey just because they are not directly involved in the financial reporting process. Operational and administrative personnel may provide valuable insights.

Employees will need time to complete the survey and the internal control team will need time to follow up and compile the results. The internal control team should keep this in mind when developing its work schedule.

All responses should be returned directly to the internal control team. To score the survey, assign a numerical value to each of the five possible answers: Strongly Agree = 5; Agree = 4; Neither Agree nor Disagree = 3; Disagree = 2; Strongly Disagree = 1. Using the example survey at Appendix D, the results can then be broken down into the following categories:

Awareness: Low scores in this area could mean ineffective communications. The agency should consider (1) increasing the frequency of communication concerning agency policies and procedures, (2) revising existing policies for greater clarity and (3) requiring signed acknowledgements from employees that policies have been read and understood.

Attitudes: Low scores for this category may indicate negative attitudes that require (1) changes in management behavior and/or (2) interactive communications between management and employees in which frank and open discussion is encouraged.

Actions: Low scores may be an indicator that a disconnect exists between what management says and what management does. Either written policies should be revised or the behavior of managers should change. If the latter condition is true, agencies should consider additional training for managers and coaching or mentoring of managers. In some cases, the allocation of additional resources may be required to relieve overburdened managers.


7.2.2 Management inquiries

In addition to employee surveys, the internal control team should plan to interview key financial managers regarding entity-level controls. See Appendix F for sample queries that can be used for interview purposes. Depending on the answers to these questions, it may be necessary to develop follow-up questions. The goal of this exercise is to determine if entity-level controls can be relied on to support the effective operation of day-to-day controls at the activity-level.

The interview process should provide sufficient information to form an opinion on the reliability of entity-level controls:

Limited awareness: Managers demonstrate only a limited awareness of the importance of internal controls, including the perception that internal controls are separate from the agency’s main operations and someone else’s responsibility. Control policies and procedures are ad hoc, generally undocumented, and highly dependent on the skills, competence and ethical values of individuals, rather than the agency, as an integrated whole. There is a lack of formal communication and training.

Knowledgeable: Managers understand that internal controls are an integral part of the agency’s business and maintaining an effective system is one of their primary responsibilities. Substantial resources are devoted to developing formal documentation of policies and procedures. The effectiveness of the system of internal control depends more on the agency’s internal organization taken as a whole than on the capabilities of individuals.

Proactive: Managers are committed to a process of continuous improvement of internal controls. The agency uses automated tools and sophisticated techniques to monitor controls on a real-time basis and makes changes as needed.

7.3 General computer controls

Computer controls consist of both general and application-specific controls. General controls apply to many, if not all, application systems and help ensure their continued, proper operation, while application controls ensure the proper processing of various types of transactions and include both computerized steps within the application software and manual follow-up procedures.

Before beginning a detailed assessment of computer general controls (see Appendix B), the internal control team or IT specialist should seek answers to the following questions:

Have there been any significant changes to the agency’s IT systems (changes in hardware, software, processes or personnel)? What risks do the changes create? If there have been no significant changes, what previously identified risks remain?

How many different computing platforms or environments exist within the agency? Do the various systems interface with each other? How is the data exchanged and how is the exchange controlled?

What might impair the reliability of the agency’s IT systems or otherwise negatively affect the ability to capture, process and store data?

7.3.1 Activity-level tests

Transaction processing begins with the capture of raw transactional data and ends with posting to the general ledger. Along the way, the raw data is converted into accounting information. It may be combined with other data, added, multiplied, subtracted and divided, or otherwise manipulated to create new information. Throughout this process, controls are needed to ensure that the information retains its integrity.

Within the information-processing stream, errors can be introduced at various points.

The point in the system where events or transactions are initially identified, authorized and captured.

The point where updating and maintenance is performed for databases, master files, or other electronic storage systems.

The processing points in the stream where information is manipulated (matched to or combined with other data; used as part of a calculation) or processed, such as posted to the general ledger, subsidiary ledger, or other accounting records.

The goal of the internal control team is to identify these points in the information processing stream and to test and evaluate the effectiveness of the related control measures. Several different types of tests may be used, including individual or group inquiries, direct observation methods, and re-performance of control procedures and reconciliations.

7.4 Using focus groups

Conducting an internal control evaluation provides the opportunity to bring together people in the agency who may not interact on a regular basis. Hopefully, through participation in a focus group, agency personnel will gain a better understanding of their responsibilities and how these fit into the big picture.

To conduct a group discussion, the following suggestions are offered:

- Set an expectation that differences of opinion are acceptable.
- First, review the policies/procedures and other written documentation for the transaction cycle or processing stream under evaluation to determine who does what.
- To the extent possible, include individuals who have experience with every process, control, document, or electronic file described in the documentation. However, too large a group can make it difficult to have a meaningful discussion.
- A generic flowchart of the processing stream should be prepared in advance on a large piece of paper that allows for revisions. Post the flowchart on the wall and walk the participants through the process.
- Use the example questions in Appendix G to facilitate the discussion. The group should reach a decision on what “should happen” and then identify those instances in which exceptions exist. “Stickies” can be used to modify the flowchart so it reflects what really happens.
- Establish boundaries. The internal control team should make certain that focus groups understand they are concerned only with the information that flows into the financial statements. In addition, the discussion should be limited to what the agency or business unit does internally, not on how outside parties prepare information that the agency or business unit uses.
- Try to quantify the information gained, whenever possible: “How often do you encounter . . . ?” “About what percentage of transactions . . . ?” At some level, try to reach agreement on the issues.

7.4.1 Observation

The IC Team may be able to observe the application of some control procedures, such as computer edit checks. Another procedure that is easily observed is a physical inventory count. If the physical count is performed only occasionally, it may be possible to observe the control each time it is performed.

7.4.2 Re-performing control procedures

In some cases, the internal control (IC) team may decide to test the effectiveness of control procedures by selecting a random sample of transactions and re-performing the procedures.

For example, the process for paying vendor invoices might require:

• Physically matching a receiving document with the invoice.
• Determining whether bids and a formal purchase order/contract were necessary.
• Determining that the invoice was properly approved for payment, as evidenced by an authorized signature.
• Determining whether a price agreement was in effect.

To test the effectiveness of the controls over payment processing, a team member might examine the underlying documentation to determine that:

• The invoice was physically matched to a receiving document.
• Bids were obtained and attached; a copy of the signed purchase order is attached or the underlying contract number is noted, if applicable.
• The receiving copy of the PO or other receiving document is signed/initialed and dated.
• The approval signature is noted on the invoice.

To determine that the control was performed properly, the team member would ensure that:

• The purchase order and/or bids (if any), receiving document and invoice are for the same transaction.
• Where a price agreement applies, the appropriate vendor was used.
• Signers approving payment of the invoice have the appropriate authority.

Before the internal control team begins its test of transactions, the team should clearly define what is considered a control procedure error. To conclude a control has been properly performed, both of the following statements should be true:

• There is evidence that the control procedure was performed, and
• The re-performance of the procedure indicates it was performed properly.

7.4.3 Reconciliations

Reconciliations are a common control procedure, such as bank reconciliations or the reconciliation of the general ledger account balance to a subsidiary ledger. The internal control team can test the effectiveness of reconciliation procedures through observation and re-performance:

• Review the documentation to determine that the reconciliation was performed on a timely basis throughout the year.
• Re-perform the reconciliation to confirm that all reconciling items were identified.
• Investigate the resolution of significant reconciling items.

7.4.4 Application controls

After completing the questions contained in Appendix C, the internal control team or IT specialist may decide to test the processing controls related to individual application systems. One method is to prepare a file of test transactions and run them through the system to determine that all pre-defined errors are identified. The internal control team should also review suspense account entries occurring throughout the year to ensure they were properly resolved.

When reviewing IT controls over financial applications, it is important that the internal control team/IT specialist understand the business risks and then identify the key process controls and the relevant automated procedures. In some situations, the internal control team/IT specialist may find a “user” control procedure that management relies on to promptly and effectively detect the failure of a key automated procedure. Although the internal control team/IT specialist should examine evidence that the automated control is operating appropriately, the focus of the team/specialist in this situation would be testing the reliability of the detective control.
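One way to carry out the re-performance test of 7.4.2 and the test-transaction file of 7.4.4 together, as an added example that is not part of the Guidebook: the edit checks model the payment controls listed in 7.4.2 (hypothetical; a real agency system has its own), the approval limits and every transaction in the test file are constructed, and a deliberately deficient variant shows how the file exposes a check the system does not perform.

```python
"""Testing payment-processing controls by re-performance and a file of test
transactions (sections 7.4.2 and 7.4.4). Added illustration, not part of the
Guidebook: the edit checks are a hypothetical model of an agency's controls,
and the approval limits and test file are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional

# Pre-defined errors the edit checks are expected to identify (hypothetical codes).
NO_RECEIVING_MATCH = "NO_RECEIVING_MATCH"          # invoice not matched to a receiving document
RECEIVING_UNSIGNED = "RECEIVING_UNSIGNED"          # receiving copy not signed/initialed and dated
PO_OR_BIDS_MISSING = "PO_OR_BIDS_MISSING"          # bids/PO required but not attached
DOCUMENT_MISMATCH = "DOCUMENT_MISMATCH"            # PO, receiving document and invoice not one transaction
APPROVAL_MISSING = "APPROVAL_MISSING"              # no approval signature on the invoice
APPROVER_UNAUTHORIZED = "APPROVER_UNAUTHORIZED"    # signer lacks authority for the amount
WRONG_AGREEMENT_VENDOR = "WRONG_AGREEMENT_VENDOR"  # price agreement applies but another vendor used
ALL_ERRORS = {NO_RECEIVING_MATCH, RECEIVING_UNSIGNED, PO_OR_BIDS_MISSING, DOCUMENT_MISMATCH,
              APPROVAL_MISSING, APPROVER_UNAUTHORIZED, WRONG_AGREEMENT_VENDOR}

# Constructed approval authority table: approver -> largest invoice they may approve.
APPROVAL_LIMITS = {"fiscal.officer": 50_000.00, "unit.supervisor": 5_000.00}


@dataclass(frozen=True)
class Document:
    ref: str                   # transaction reference the document carries
    vendor: str
    signed_dated: bool = True

@dataclass(frozen=True)
class PaymentPackage:
    ref: str
    vendor: str
    amount: float
    invoice: Document
    receiving: Optional[Document] = None
    purchase_order: Optional[Document] = None
    bids_attached: bool = False
    po_required: bool = False
    approver: Optional[str] = None
    price_agreement_vendor: Optional[str] = None


def edit_checks(pkg: PaymentPackage) -> set[str]:
    """Hypothetical automated edit checks over one payment package; returns the errors identified."""
    errors = set()
    # First condition from 7.4.2: is there evidence the control procedure was performed?
    if pkg.receiving is None:
        errors.add(NO_RECEIVING_MATCH)
    elif not pkg.receiving.signed_dated:
        errors.add(RECEIVING_UNSIGNED)
    if pkg.po_required and not (pkg.bids_attached and pkg.purchase_order):
        errors.add(PO_OR_BIDS_MISSING)
    if pkg.approver is None:
        errors.add(APPROVAL_MISSING)
    # Second condition: does re-performance show the control was performed properly?
    docs = [d for d in (pkg.invoice, pkg.receiving, pkg.purchase_order) if d is not None]
    if any(d.ref != pkg.ref or d.vendor != pkg.vendor for d in docs):
        errors.add(DOCUMENT_MISMATCH)
    if pkg.approver is not None and APPROVAL_LIMITS.get(pkg.approver, 0.0) < pkg.amount:
        errors.add(APPROVER_UNAUTHORIZED)
    if pkg.price_agreement_vendor and pkg.vendor != pkg.price_agreement_vendor:
        errors.add(WRONG_AGREEMENT_VENDOR)
    return errors

def edit_checks_without_authority(pkg: PaymentPackage) -> set[str]:
    """A deficient variant (hypothetical): approval evidence is checked, the signer's authority is not."""
    return edit_checks(pkg) - {APPROVER_UNAUTHORIZED}

def clean_package(ref: str = "INV-1001") -> PaymentPackage:
    """A correctly processed payment; every test transaction is derived from it by one change."""
    vendor = "Acme Supply"
    return PaymentPackage(ref=ref, vendor=vendor, amount=1_200.00, invoice=Document(ref, vendor),
                          receiving=Document(ref, vendor), purchase_order=Document(ref, vendor),
                          bids_attached=True, po_required=True, approver="unit.supervisor",
                          price_agreement_vendor=vendor)

def build_test_file() -> dict[str, PaymentPackage]:
    """Constructed test file: one transaction per pre-defined error, each meant to trigger exactly that error."""
    base = clean_package()
    return {
        NO_RECEIVING_MATCH: replace(base, receiving=None),
        RECEIVING_UNSIGNED: replace(base, receiving=Document(base.ref, base.vendor, signed_dated=False)),
        PO_OR_BIDS_MISSING: replace(base, bids_attached=False),
        DOCUMENT_MISMATCH: replace(base, purchase_order=Document("INV-1002", base.vendor)),
        APPROVAL_MISSING: replace(base, approver=None),
        APPROVER_UNAUTHORIZED: replace(base, amount=7_500.00),
        WRONG_AGREEMENT_VENDOR: replace(base, price_agreement_vendor="Beta Supply"),
    }

def undetected_errors(check, test_file: dict[str, PaymentPackage]) -> set[str]:
    """Pre-defined errors the system under test failed to identify; empty means the test file passed."""
    return {code for code, pkg in test_file.items() if code not in check(pkg)}


if __name__ == "__main__":
    test_file = build_test_file()
    print("full checks, undetected:", undetected_errors(edit_checks, test_file))
    print("deficient checks, undetected:", undetected_errors(edit_checks_without_authority, test_file))
```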

7.4.5 Summary

The amount of testing to be performed is a matter of judgment. It will depend on the internal control team’s assessment of the agency’s overall control environment; the significance of the business cycle, process or activity to the agency’s mission; and the results of the team’s initial testing – all the while bearing in mind that the ultimate goal is to draw a conclusion about the effectiveness of internal control as a whole, not individual controls standing alone.

Finally, it should be reiterated that internal control can provide management with only reasonable assurance that the agency’s goals and objectives will be achieved. Within the context of this Guidebook, the effectiveness of internal controls should be evaluated on the basis of the financial statements and whether any errors that internal controls fail to detect or prevent might be material.

“Most of the important things in the world have been accomplished by people who have kept on trying when there seemed to be no hope at all.”

--Dale Carnegie

8 The bottom line

The internal control team’s next step is to evaluate its findings and prepare a report for senior management. The report should highlight the positive aspects of the agency’s system of internal control, as well as describe the control deficiencies. Recommended corrective actions and division/business unit responses should also be included. The report should be addressed to the agency’s director and signed by both the agency’s chief fiscal officer and the internal control officer. Copies of the report should be distributed to the agency’s internal audit unit and governing board.

8.1 Judging the severity of internal control deficiencies

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect financial misstatements on a timely basis.

A significant deficiency is a control deficiency or a combination of control deficiencies that adversely affects an agency’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the State of Montana’s Comprehensive Annual Financial Report (CAFR) that is more than inconsequential will not be prevented or detected.

A material weakness is a significant deficiency or a combination of significant deficiencies that results in more than a remote likelihood that material misstatements in the information provided by an agency for preparation and inclusion in the State of Montana’s CAFR will not be prevented or detected. [8]

From an agency perspective these concepts may be applied to the audited biennial financial schedules and any separately issued financial statements. In these situations the audited financial schedules and separately issued financial statements would be substituted for the CAFR in the above paragraphs.

In determining whether an internal control deficiency is more than inconsequential and should be reported, the internal control team should perform a risk assessment that takes into account the following criteria: [9]

8.1.1 Likelihood of misstatement

Many factors affect the likelihood that a deficiency, or a combination of deficiencies, could result in a misstatement of an account balance or disclosure. Some of the factors the team should consider include, but are not limited to, the following:

• The vulnerability of the related asset or liability to loss or fraud.
• The complexity or extent of judgment required to determine the amount involved.
• The nature of the accounts, processes or disclosures; e.g., suspense accounts generally involve greater risks.
• The relative importance of the control and whether the overall control objective is achieved by interaction with other control activities and mitigating factors.
• If the deficiency is an “operating” deficiency (rather than a deficiency in the “design” of a control feature), the operating failure rate, i.e., repeated failures versus isolated occurrences.
• Whether the control in question is automated and whether it can be expected to perform consistently over time.

[8] The definitions in this subsection regarding control deficiencies are based on the definitions set forth in Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements, March 9, 2004.

[9] The list of risk factors in this subsection was adapted from the risk assessment criteria presented by Mr. Michael Ramos in his book entitled How to Comply with Sarbanes-Oxley Section 404 – Assessing the Effectiveness of Internal Control, John Wiley & Sons, Inc., Hoboken, NJ, 2004.

8.1.2 Magnitude of misstatement

If the likelihood is high that an internal control deficiency could result in a financial statement misstatement, the next step is to assess the magnitude of the potential misstatement. The following factors should be considered:

• The financial statement amounts or total of transactions affected by the deficiency and the financial statement assertions involved.
• Whether the deficiency relates to an entity-level or activity-level control. Weaknesses in entity-level controls that seem relatively insignificant, by themselves, could result in material financial statement misstatements because they affect many accounts and classes of transactions.
• The volume of activity in the account balance or class of transactions exposed to the deficiency that has occurred in the current period, or that is expected in future periods.

When evaluating the significance of a potential misstatement, the focus should be on the potential for misstatement, not on whether a misstatement has actually occurred.

8.1.3 Strong indicators of a significant weakness

PCAOB Auditing Standard No. 2 suggests that deficiencies in the following areas should be regarded, at a minimum, as significant deficiencies in internal control over financial reporting:

• Controls over the selection and application of accounting policies.
• Antifraud programs and controls.
• Controls over non-routine and non-systematic transactions.
• Controls over the year-end financial reporting process, including controls over procedures used to (1) enter transaction totals into the general ledger; (2) initiate, authorize, record, and process journal entries into the general ledger; and (3) record recurring and non-recurring adjustments to the financial statements.

8.1.4 Strong indicators of a material weakness

Identification of fraud of any magnitude on the part of senior management should be considered a significant, if not material, weakness. In addition, significant deficiencies that have been communicated to management by the Legislative Audit Division or the agency’s internal auditors and that remain uncorrected after a reasonable period of time should be regarded as a strong indicator that a material weakness exists.

8.2 Reporting guidelines

Once the team has evaluated its findings, the next step is to review them with division and business unit managers to reach consensus on the appropriate corrective actions. At the conclusion of this process, the team should be ready to prepare its final report. The report should include:

• A statement describing management’s responsibility for establishing and maintaining internal control over financial reporting;
• A statement of the framework or criteria used to evaluate the effectiveness of internal control over financial reporting;
• A statement about the inherent limitations of internal control systems;
• The internal control team’s assessment of the overall effectiveness of internal control over financial reporting, including disclosure of any significant or material control deficiencies identified by the team; and
• A summary of the steps each division or business unit plans to take to correct any reported deficiencies and the estimated dates of completion. Corrective actions that management plans to address through a budgetary request should also be noted.

Lastly, the report should address control weaknesses identified in prior reports, commenting on (1) whether the weaknesses have been corrected and (2) whether the new policies and/or procedures have been in place for a sufficient period of time to determine they are operating effectively.

“In business, when things aren't working it's time to mix it up.”

--Donald Trump, The Apprentice

9 References

COBIT, IT Governance Institute (ITGI), Rolling Meadows, Illinois, USA, July 2000, http://www.isaca.org

Committee of Sponsoring Organizations of the Treadway Commission (COSO), http://www.coso.org

Enterprise Risk Management—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission (COSO), American Institute of Certified Public Accountants, USA, 2004

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission (COSO), American Institute of Certified Public Accountants, USA, 1992

Internal Control Guide, Vols. 1 and 2, Commonwealth of Massachusetts, Office of the Comptroller, http://www.mass.gov/osc/Homeview/CONTROL/CONTENTS.HTM

IT Control Objectives for Sarbanes-Oxley, Information Systems Audit and Control Association (ISACA) and IT Governance Institute (ITGI), Rolling Meadows, IL, 2004, http://www.isaca.org

Ramos, Michael, How to Comply with Sarbanes-Oxley Section 404 – Assessing the Effectiveness of Internal Control, John Wiley & Sons, Inc., Hoboken, NJ, 2004.

PCAOB Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements, Public Company Accounting Oversight Board Release No. 2004-001, March 9, 2004, http://www.pcaobus.org/Standards/Standards_and_Related_Rules.asp

The Standard of Good Practice for Information Security, Information Security Forum (ISF), 2004, http://www.isfsecuritystandard.com

10 Appendix A – Levels of system access and potential risks

System access: Create transactions
Action allowed: The user records data and documents the transaction.
Potential risk: The data created is:
• Misleading
• Fraudulent
• Used for unintended purposes

System access: Data inquiry
Action allowed: The user is given access to “view” data only.
Potential risk: The data is disclosed to unauthorized individuals.

System access: Modify transactions
Action allowed: The user changes existing data.
Potential risk:
• The integrity of the data is compromised, thereby affecting the reliability of the data for its intended purpose.
• The data was changed to conceal a fraudulent transaction.

System access: Delete transactions
Action allowed: The user temporarily or permanently destroys data.
Potential risk:
• The data is not available to the system owner and other authorized users.
• The data was destroyed to conceal a fraudulent transaction.

11 Appendix B – IT general control objectives for financial reporting [1]

1. Financial Systems Are Aligned With IT And Business Strategies

a. Alignment of Financial Systems with IT Strategy and Initiatives

What is the agency’s IT and information systems strategy with respect to financial systems? Does this strategy align with statewide strategies and directives?

What specific IT policies exist, both at the agency level and statewide? What specific federal and state laws, regulations or other pronouncements may apply? Who is responsible for compliance?

b. Organization of the Agency IT Function

How is the agency IT function organized?

Is the IT function centralized or decentralized? Who is responsible for financial systems?

Who is head of the IT organization and to whom does he/she report?

Have there been any significant personnel changes during the year that might affect the amount or quality of support for financial systems?

Does the support of financial systems involve external parties, such as outsourcing, vendors or consultants?

Project Management

Does the IT function have a uniform project management model that is followed for all projects, including acquisition of financial system applications?

Do significant projects require a business benefit assessment?

Are clear deliverables defined in the project?

Are the projects formally controlled against both budgets and quality?

What measures for quality exist?

Are there significant financial systems activities outside the IT function?

c. Staffing Levels

Is the number of IT staff and their skill level in line with the agency’s financial systems requirements?

How much of the financial systems is owned and maintained by the users? Do they have the appropriate knowledge to exercise that ownership?

How great is the reliance on key IT staff members or key users?

d. Alignment of Financial Systems to Business Strategies and Objectives

Does the financial system meet the needs of agency management? How accurate and useful is the financial systems information for the agency?

How old are the financial systems? Will they need upgrades or replacements in the near future? How much does it cost for maintenance, staff, and support to keep the financial applications going on a day-to-day basis?

How much does the agency rely on suppliers to perform maintenance?

Who is responsible for financial applications? Do these people have sufficient knowledge?

How is the financial information stored and retrieved? Does the financial system provide for a proper audit trail?

What financial business information demands are not covered by the existing system? What is being done to meet the unfulfilled demands?

Are there back up/recovery procedures and contingency plans to ensure that critical financial processing is maintained and that financial data is safeguarded in times of disaster or emergencies?

2. Significant Changes/Known Problems With Financial Systems Are Documented

a. Financial Systems Changes

What new financial systems have been implemented? How significant are the new systems to the agency’s business? (For example, are key business processes to be performed electronically over the internet?) Is maintenance to be performed internally or by suppliers?

How well did the implementation go? Is there documentation of the testing, problems identified and how they were resolved? Were there any problems with data conversion?

Have there been changes to existing financial systems? Are they significant? Have there been any significant upgrades to the system software? Have there been significant changes to the network? Were any problems encountered? Is there documentation of how the problems were handled?

Have there been changes to the automated controls within the financial system?

Has there been a migration to a new environment? Web-based, for example?

Was the internal audit function involved in the changes? Were any pre- or post-implementation reviews performed?

b. Known Problems in Financial Systems

Have significant problems or deficiencies affecting the functionality of financial systems been identified? If so, are work-around procedures in place and have they been documented?

Have there been significant operational failures, security incidents or data corruption? How were these situations handled? Have reports been issued by internal audit or other IT personnel?

3. Development/Implementation Controls Are Clearly Defined And Documented

a. Overall Control Activities

Does the agency have a formal system development life cycle (SDLC) methodology that must be followed?

Has a detailed project plan been developed that includes:

i. Clearly defined goals and tasks
ii. Timelines and milestones
iii. Sponsor approval for each milestone
iv. Projected roles, responsibilities and resources?

Are project status reports to management required on an ongoing basis that include:

i. Assessments of quality assurance review
ii. Actual completion of tasks against plan
iii. Actual delivery dates against milestones and deadlines
iv. Actual project costs against budgets?

b. Only Appropriate Financial Systems Projects are Undertaken

Does the financial systems project have a clear business objective with well-defined scope and boundaries?

Has a cost-benefit analysis been done? Are the benefits specific and quantifiable or are they vague?

Does the project have a clear sponsor/owner from senior management?

Does the project team have sufficient relevant business and technical expertise to complete the project?

c. Analysis and Design Control Activities

Are the business specifications clearly defined in sufficient detail? Does the project team understand them?

Are technical specifications clearly defined? Do they include requirements for system functionality, capacity and performance, security design and processing controls?

Do technical specifications include requirements associated with interfaces to statewide financial systems?

Have appropriate application controls such as robust edits and validations, exception reporting and control totals been included in the design?

Is process and data modeling performed?

Is data conversion necessary?

How are changes to the original design approved and controlled?

d. Control Activities Over Internal Development and Package Selection for New Applications

Does internal development or the package selected for new financial applications employ standard coding methodologies?

What controls or tools are utilized to ensure that all dependencies between integrated applications are identified and considered?

For purchased financial systems software packages, is the package selected widely used and does the vendor have a reputation for providing robust support services?

For purchased financial systems software packages is customization required? How is this controlled?

e. Testing and Quality Assurance Control Activities

To what extent are separate environments maintained for development, testing and production?

Are users involved in the testing? Is user management required to authorize acceptance of the system?

What controls are in place to prevent or detect unauthorized changes to code after testing is complete but before going live? What ensures that configuration options and parameters set meet the business objectives and control requirements?

f. Data Conversion Control Activities

What procedures ensure that the mapping of data fields from the legacy system to the target system is correct?

What ensures the quality of the converted data in terms of:

i. Accuracy
ii. Integrity
iii. Consistency
iv. Completeness
v. Accessibility
vi. Existence

What ensures that critical system interfaces are modified to accept the new data model?

g. Control Activities Over Going Live

Is approval from the project sponsor/owner and IT management required for authorizing the go-live decision? Is this authorization formal?

Are quality assurance reviews required as part of the go-live decision making process?

Does the agency have a go-live checklist?

How does the agency ensure that only the properly tested, reviewed and approved version of the system is transferred to the live environment?

Does the agency have a process to communicate the specifics of the go-live process?

Have individuals from both the financial organization and IT been designated to support the new system during the go-live period?

Is a post-implementation review planned?

h. Documentation and Training Control Activities

Are there policies to ensure that both user and technical documentation is developed for all new financial systems and is this documentation available at time of implementation?

To what extent have users and computer operators received adequate training on the new financial system? Is there a formal training program to facilitate training?

4. Change Management Controls Are Clearly Defined and Documented

a. Management of Change Activities

Has management established a process with documented policies and procedures for managing changes to financial systems?

How does management monitor progress and ensure that approved changes are implemented on a timely basis?

Does IT management use reports/statistics to review the operational quality of the financial systems?

How does IT accomplish the installation of infrastructure-related patches for hardware and software? Are subcontractors utilized?

b. Control Activities Over Approval and Tracking of Change Requests

Are all requests for changes to existing financial systems captured and managed centrally? Are there controls in place to log all requests and track them?

Who approves and prioritizes the change requests? How is approval and prioritization recorded?

Does the order in which changes are implemented reflect the priorities assigned to them?

Are developers in close contact with users? To what extent are there adequate procedures in place to ensure that developers understand the users’ requirements before making program changes to financial applications?

c. Control Activities Over Construction of System Changes

Are programmers following standard coding methodologies?

What controls are in place to ensure the source code used is the most recent version and modifications by more than one programmer are coordinated?

What controls or tools are utilized to ensure that all dependencies between integrated applications are identified and considered?

How do programmers ensure that a standard configuration is used across all maintenance efforts?

d. Testing and Quality Assurance Control Activities Related to System Changes

To what extent are separate environments maintained for development, testing and production?

Are users involved in the testing? Is user management required to authorize acceptance of the system?

What controls are in place to prevent or detect unauthorized changes to code after testing is complete but before going live? What ensures that configuration options and parameters set meet the business objectives and control requirements?

e. Control Activities Over Going Live with System Changes

How are scheduled and non-emergency changes migrated into the production environment?

How are emergency changes migrated into the production environment? What is the process by which users authorize the emergency changes?

To what extent do developers have “write” access to the production environment and is this access logged?

What processes and controls ensure that current production libraries/directories are updated with the correct version of the program?

What processes and controls ensure that changes do not compromise security controls (e.g., checking software to ensure it does not contain malicious code, such as a “Trojan Horse” or a virus)?

What procedures exist to ensure that all changes have adequate back-out procedures defined with management approved escalation steps?

f. Documentation and Training Control Activities Related to System Changes

Are there procedures to update user documentation/procedures for changes to financial systems?

Are there procedures to update technical documentation/procedures for changes to financial systems?

To what extent have the users and computer operators received adequate training concerning the newly implemented changes?

5. Security Control Activities Are Clearly Defined and Communicated

a. Security Organization and Management

Has management considered the appropriate segregation of duties among personnel involved in the IT security function? Have roles and responsibilities been clearly defined and communicated?

Is the financial system’s business owner management appropriately included in the design of the IT security function from a data ownership perspective?

b. Security Policies and Procedures

Has management published a complete set of policies and procedures that support the information integrity objectives of the agency?

Does management have a controlled process in place to update the security policy and procedure documentation on a periodic basis?

Has management established a process to ensure that IT and business users receive adequate and appropriate education and training regarding security policies and procedures, as well as their specific security responsibilities, on a periodic basis?

c. Security Over Financial Applications

Is a formal documented security administration process in place to ensure that all application access, including access to financial applications, is approved?

Does the security administration process require business unit management approval of all access to financial applications and financial data “owned” by that business unit?

Does the centralized security administration function facilitate periodic reviews of user access by business unit management to ensure that access remains commensurate with job responsibilities over time?

d. Security over Financial Data

Has management implemented a formal process for changing financial data access settings (i.e., data file permissions) in a controlled manner?

Has management implemented a formal security administration process for granting, changing and removing direct access to financial data in a controlled manner?

Does management periodically review direct financial data access (i.e., Database Administrator access) to ensure that the access remains commensurate with job responsibilities?

If direct financial data access is controlled using special system utilities, is the use of such utilities documented, logged and reviewed on a regular basis?

Are appropriate monitoring and audit trail controls designed to allow management to monitor the data environment for potential unauthorized activity?

Does management periodically review monitoring reports to identify potential unauthorized activity? What actions are taken when potential unauthorized activity is identified?

Has management complied with federal and state laws, regulations and rules regarding the privacy and confidentiality of financial data collected from customers, vendors and employees?

Does each system produce a report showing all authorized users and their associated roles/permissions?

Has the responsibility for transactional records retention been assigned to the application owners?

e. Physical Security Over Financial Systems

How is physical access to agency buildings/sites restricted (consider any location where computer facilities are located; also any locations connected to those facilities via the agency’s internal networks)?

How is physical access to data centers restricted?

How is physical access to remote data centers/server rooms restricted?

How is physical access to wiring closets and other sensitive physical network locations/components restricted?

How is physical access to removable storage media (e.g., tapes, optical discs, etc.) restricted?

How well secured is sensitive financial system documentation?


12 Appendix C – IT application control objectives for financial reporting2

1. Data Processed Are Properly Authorized

a. All Financial Application Users are Appropriately Identified and Authenticated

Are passwords and personal user IDs required? Are passwords required to be changed at regular intervals? Are users notified that passwords will expire soon?

Do sign-on mechanisms limit the number of unsuccessful sign-on attempts?

Do sign-on mechanisms advise users of the date/time of their last successful sign-on?

Do sign-on mechanisms display and validate sign-on information only after it has all been entered?
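An added Python illustration of the sign-on controls asked about above: a limit on unsuccessful attempts, notice of the last successful sign-on, a warning before the password expires, and one uniform answer given only after the whole credential has been entered. It is not code from the Guidebook; the thresholds, the account layout and the user names are assumed.

```python
"""Sign-on controls for a financial application: lockout after repeated
failures, last-successful-sign-on notice and password-expiry warning.
Added illustration, not code from the Guidebook; policy values are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 5                  # assumed policy values
LOCKOUT_PERIOD = timedelta(minutes=30)
PASSWORD_MAX_AGE = timedelta(days=90)
EXPIRY_WARNING = timedelta(days=14)
REFUSED = "sign-on refused"              # one generic message for every failure


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    password_set: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_success: Optional[datetime] = None


@dataclass
class SignOnResult:
    ok: bool
    message: str
    previous_sign_on: Optional[datetime] = None   # shown to the user on success
    password_days_left: Optional[int] = None
    expiry_warning: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a copy of the credential store is not directly usable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_account(user_id: str, password: str, now: datetime) -> Account:
    salt = os.urandom(16)
    return Account(user_id, salt, hash_password(password, salt), now)


def sign_on(acct: Account, password: str, now: datetime) -> SignOnResult:
    """Evaluate the complete credential, then answer with the same generic
    message whether the account is locked or the password is wrong, so the
    sign-on screen never reveals which part failed."""
    if acct.locked_until is not None and now < acct.locked_until:
        return SignOnResult(False, REFUSED)
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_PERIOD   # limit unsuccessful attempts
            acct.failed_attempts = 0
        return SignOnResult(False, REFUSED)
    # Success: report the previous successful sign-on so the user can spot misuse.
    previous = acct.last_success
    acct.last_success = now
    acct.failed_attempts = 0
    acct.locked_until = None
    days_left = (acct.password_set + PASSWORD_MAX_AGE - now).days
    if days_left < 0:
        return SignOnResult(False, "password expired; change required",
                            previous, days_left, True)
    return SignOnResult(True, "signed on", previous, days_left,
                        days_left <= EXPIRY_WARNING.days)
```

The generic REFUSED message and the check of the lock before the password both serve the same question: nothing about the account is disclosed until a correct, complete credential is presented.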

Are “nonrepudiation” controls in place that prevent senders and receivers of information from denying that they sent or received the information?

Is the agency exploring emerging technologies such as digital certificates or smart cards?

b. Access to Financial Application and Related Data Files is Restricted

Is a logical access control system in place that restricts access to the application and data to authorized users based on the users’ individual roles?

Are system administrators subject to strong authentication controls?

Are access rights authorized by the application “owner”?

Are access rights revoked promptly when the user is no longer entitled to them?

Have firewalls been established to protect the application and data from unauthorized use?

Do terminals automatically disconnect from the system when not used after a specified period of time?

Is the computer equipment located in physically secure locations?

Is manual intervention minimized by designing automated processes?

Is information about the internal workings of the financial application (e.g., application responses or error messages) prevented from being disclosed?

Do access logs include sufficient information to provide a satisfactory audit trail (including users’ identities and locations, dates/times of access, and particular files or system utilities accessed) which is reviewed periodically to identify dubious activity and determine responsibility for particular events?

Are access logs retained for the specified period needed to comply with legal and regulatory requirements?

c. All Data Are Authorized Before Entering the Financial Application

Is critical input information tested against predefined criteria? Are exceptions reviewed by an individual with proper authority to approve them?

Is paper-based information reviewed and approved prior to input?

2. Data Processed Are Complete

All Authorized Data is Entered and Processed by the Application.

Are transactions numbered prior to entry? Is the sequence checked periodically?

Are control totals, hash totals, and record counts used to ensure that all data are processed?

Is transaction data matched with the data in a master or suspense file? Are unmatched items from both the transaction data and master or suspense file reported for investigation?

Is the completeness (and accuracy and validity) of processed information confirmed by an independent means, such as comparing to bank statements, customer/supplier records, or physical stock?

3. Data Processed Are Accurate

a. Data Entry Design Features

Are data entry screens preformatted?

Is the data input process menu-driven?

Is information input electronically?

b. Data Validation and Editing

Are automated validation and edit checks (such as check digits, limit tests, reasonableness checks) included in the application design?

c. Erroneous Data

Are suspense files used to capture and control errors?

Are the suspense files reviewed regularly and errors appropriately resolved?

Are error and exception reports built into the application?

Are key fields or files write-protected, so that information cannot be accidentally overwritten?

Are plausibility checks performed to ensure output is reasonable?
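An added Python illustration of the completeness and accuracy controls in questions 2 and 3: a transaction sequence check, record count, control total and hash total compared against the batch header, edit checks (check digit, limit test, reasonableness and validity tests) and a suspense file for records that fail. It is not code from the Guidebook; the record layout, the chart of accounts, the amount limit and the sample batch are constructed.

```python
"""Batch input controls for a constructed payment-voucher feed.
Added illustration, not code from the Guidebook; layout and limits are assumed."""
from decimal import Decimal
from typing import Dict, List, Tuple

Record = Tuple[str, str, str, str]   # (transaction no., account, amount, vendor no.)

AMOUNT_LIMIT = Decimal("50000.00")                          # assumed limit test
CHART_OF_ACCOUNTS = {"61000", "61100", "62200", "65000"}    # assumed valid accounts

# Constructed batch. Transaction 1003 is missing, 1004 exceeds the limit,
# 1005 posts to an unknown account and 1006 carries a bad vendor check digit.
SAMPLE_BATCH: List[Record] = [
    ("1001", "61000", "250.00", "79927398713"),
    ("1002", "61100", "1200.50", "79927398713"),
    ("1004", "62200", "75000.00", "79927398713"),
    ("1005", "69999", "40.00", "79927398713"),
    ("1006", "65000", "10.00", "79927398714"),
]
# Header the originating unit prepared for the full six-record batch (constructed).
SAMPLE_HEADER = {"record_count": 6, "control_total": Decimal("76599.50"),
                 "hash_total": 384299}


def luhn_valid(number: str) -> bool:
    """Mod-10 check digit test on an identifier such as a vendor number."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate(rec: Record) -> List[str]:
    """Edit checks on one record; an empty list means the record is accepted."""
    _, account, amount, vendor = rec
    errors = []
    amt = Decimal(amount)
    if not luhn_valid(vendor):
        errors.append("vendor number fails check digit")
    if amt <= 0:
        errors.append("amount is not positive")                    # reasonableness
    if amt > AMOUNT_LIMIT:
        errors.append(f"amount exceeds limit of {AMOUNT_LIMIT}")   # limit test
    if account not in CHART_OF_ACCOUNTS:
        errors.append("account not in chart of accounts")          # validity
    return errors


def sequence_gaps(records: List[Record]) -> List[int]:
    """Transaction numbers missing from the range covered by the batch."""
    nums = sorted(int(r[0]) for r in records)
    if not nums:
        return []
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present]


def computed_controls(records: List[Record]) -> Dict[str, object]:
    return {
        "record_count": len(records),
        "control_total": sum(Decimal(r[2]) for r in records),
        # Hash total: arithmetic sum of a field with no financial meaning
        # (account numbers); it exists only to detect lost or altered records.
        "hash_total": sum(int(r[1]) for r in records),
    }


def process_batch(records: List[Record], header: Dict[str, object]) -> Dict[str, object]:
    """Compare computed controls with the header, edit each record, and route
    failures to a suspense file for investigation rather than dropping them."""
    controls = computed_controls(records)
    mismatches = sorted(k for k in header if header[k] != controls[k])
    gaps = sequence_gaps(records)
    accepted: List[Record] = []
    suspense: List[Tuple[Record, List[str]]] = []
    for rec in records:
        errors = validate(rec)
        if errors:
            suspense.append((rec, errors))
        else:
            accepted.append(rec)
    return {
        "controls": controls,
        "control_mismatches": mismatches,
        "sequence_gaps": gaps,
        "accepted": accepted,
        "suspense": suspense,
        "complete": not mismatches and not gaps,   # only then may the batch post
    }
```

Run over SAMPLE_BATCH, all three header controls mismatch and transaction 1003 shows as a gap, so the batch is held for the originating unit to resolve, while the three records that fail edit checks wait in suspense rather than being silently dropped.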


4. Confidential Information Is Protected

Access to Financial Application Output is Restricted

Is access to confidential information limited to authorized individuals consistent with the entity’s confidentiality policies?

Are data encryption technologies used to protect the transmission of user authentication, verification, and confidential information?

5. Change Management Controls Are in Place

Change Management Process

i. Is there a change management process in place that is documented?

ii. Are change requests documented? Are possible impacts evaluated in terms of risk? Are changes approved by the application “owner”?

iii. Prior to going live are changes tested and reviewed to ensure they do not contain malicious code or a virus that would compromise security controls?

iv. Are back-out positions established so that changes can be backed out if they fail?

v. Once changes have been made, are there arrangements to ensure that version control is maintained, a record is maintained showing what was changed, when and by whom, and the details of the changes are communicated to relevant individuals?

vi. Are checks performed on a regular basis to confirm that only approved changes have been made (by using code comparison programs or checking “before and after” contents of key records, such as customer master files)?

6. Incident Management Controls Are In Place

Incident Management Process

Does an incident management process exist that is documented and covers reporting, investigating and resolving incidents (including malicious attacks, abuse/misuse of financial systems by staff, loss of power/communications services and errors by users or computer staff)?

Are incidents reported to a single point of contact, such as a help desk, documented and prioritized?

Does the resolution of incidents include investigating root causes, planning corrective actions, and performing a review to ensure that the security of the financial application has not been affected?

Are patterns of incidents reviewed to identify potential security breaches and to minimize the chances of disrupting other applications?


7. Business Continuity Plan Is Documented And Tested

a. Business Continuity Planning

Is the financial application supported by a documented business continuity plan?

Does the business continuity plan specify recovery tasks to be carried out, responsibilities of specified individuals, and arrangements for safe storage of plans and their retrieval in emergencies?

Does the business continuity plan address the prolonged unavailability of key business information and backup files; computer or network equipment; key personnel; power, communications and other vital services; access to buildings and facilities?

b. Business Continuity Testing

Have steps been taken to ensure business continuity arrangements will work within critical timeframes by testing alternative processing arrangements and carrying out realistic simulations?

8. Essential Information/Software Used By Financial Applications Are Backed Up

Backup Procedures

Are backups performed on a regular basis according to a defined cycle?

Are backups performed using a back-up management package?

Are backups verified to ensure that back-up versions can be restored successfully?

Are backups protected from loss, damage and unauthorized access?

Are backups maintained at an off-site location for disaster recovery?

9. Business Requirements for Service Providers are Defined

Service Agreements

Are documented service agreements used to define the computer and network services required to support the financial application?

Does the service agreement specify the roles and responsibilities of the service provider and the financial application “owner”?

Does the service agreement specify capacity requirements, such as normal and peak loads, response times, and maximum permissible down-time?

Does the service agreement specify security controls, including:

i. Access restrictions

ii. Authentication methods

iii. A change management process

iv. An incident management process

v. Continuity of services arrangements

vi. Segregation of duties?

Is independent confirmation of the operation of the service provider’s security controls obtained?

Is the achievement of service targets periodically reviewed?

10. Financial Applications Are Subject to Security Audits

Independent and Regular Security Audits

Is the financial application subject to independent and regular security audits/reviews that assess the status of information security in all key areas, including application management, the user environment, system management and special areas (e.g., third party access, cryptographic key management)?

Is security audit activity controlled by restricting, monitoring and logging the activities of the audit team?

Are the recommendations resulting from security audits reviewed with the financial application owner and reported to top management?

11. Third Party Connections Are Subject to Additional Controls

Third Party Access Arrangements

Are third party access arrangements subject to risk assessment, approved by the financial application “owner,” and agreed by both parties in a documented agreement?

Do risk assessments of third party access arrangements take the following conditions into account?

i. Criticality and sensitivity of information and systems to be accessed

ii. Status of the third party (well established versus new, relatively unknown)

iii. Type of business process to be performed by third parties (e.g., information retrieval, order submission, funds transfer or remote maintenance)

iv. Technical aspects of connection

v. Vulnerabilities in third party networks, applications or operating systems

vi. Restrictions imposed by legal or regulatory requirements

vii. Lack of control over the staff and system components employed by third parties

viii. Obligations to third parties to provide reliable service and timely, accurate information

Do third party agreements include the following?

i. Timeframes for completion of transactions and arrangements for ensuring that transactions cannot be repudiated (e.g., by using “digital signatures”)

ii. Agreed security controls (e.g., access mechanisms, virus protection and back-up)

iii. Arrangements for managing changes and incidents

iv. The right to audit security arrangements within the third party

v. Non-disclosure of information

vi. A requirement to return or destroy information or software at an agreed point

vii. The respective liabilities of the parties to the agreement

viii. Protection of intellectual property rights

ix. The right to monitor and revoke user activity

12. Cryptographic Keys Are Tightly Managed

Standards, Procedures and Responsibilities

Are cryptographic keys managed in accordance with documented standards and procedures?

Do the standards and procedures cover:

i. Selection of sufficient lengths of cryptographic keys

ii. Secure distribution, storage and periodic updating

iii. Revocation of cryptographic keys when a recipient changes job

iv. Recovery of cryptographic keys that are lost, corrupted or expired

v. Management of cryptographic keys that have been compromised

vi. Archival of cryptographic keys and maintenance of cryptographic key history

vii. Defined activation/de-activation dates?

Have responsibilities for protecting cryptographic keys against unauthorized access or destruction been clearly assigned?
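An added Python illustration of a key registry that applies the standards above: a minimum length per algorithm, defined activation/de-activation dates, revocation of every key held by a custodian who changes job, immediate withdrawal of a compromised key, and archival that keeps the record and its history. It is not code from the Guidebook; the algorithms, minimum lengths, custodian names and sample entries are assumed.

```python
"""Cryptographic key registry enforcing lifecycle rules from the checklist.
Added illustration, not code from the Guidebook; standards values are assumed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

MIN_KEY_BITS = {"AES": 128, "RSA": 2048}   # assumed minimum lengths per algorithm


@dataclass
class KeyRecord:
    key_id: str
    algorithm: str
    bits: int
    custodian: str          # person assigned responsibility for protecting the key
    activates: date
    deactivates: date
    state: str = "active"   # active -> expired | revoked | compromised -> archived
    history: List[str] = field(default_factory=list)   # retained key history


class KeyRegistry:
    def __init__(self) -> None:
        self.keys: Dict[str, KeyRecord] = {}

    def register(self, rec: KeyRecord) -> KeyRecord:
        """Accept a key only if it meets the length standard and has a valid window."""
        minimum = MIN_KEY_BITS.get(rec.algorithm)
        if minimum is None or rec.bits < minimum:
            raise ValueError(f"{rec.key_id}: {rec.algorithm}-{rec.bits} below standard")
        if rec.deactivates <= rec.activates:
            raise ValueError(f"{rec.key_id}: de-activation date must follow activation")
        rec.history.append(f"registered, custodian {rec.custodian}")
        self.keys[rec.key_id] = rec
        return rec

    def usable(self, key_id: str, today: date) -> bool:
        """A key may be used only while active and inside its defined dates."""
        rec = self.keys[key_id]
        return rec.state == "active" and rec.activates <= today < rec.deactivates

    def _retire(self, rec: KeyRecord, new_state: str, today: date, note: str) -> None:
        rec.state = new_state
        rec.deactivates = min(rec.deactivates, today)   # the window closes at once
        rec.history.append(f"{today}: {new_state} ({note})")

    def custodian_changed_job(self, person: str, today: date) -> List[str]:
        """Revoke every active key held by a person who changes job."""
        revoked = []
        for rec in self.keys.values():
            if rec.custodian == person and rec.state == "active":
                self._retire(rec, "revoked", today, "custodian changed job")
                revoked.append(rec.key_id)
        return sorted(revoked)

    def mark_compromised(self, key_id: str, today: date, detail: str) -> None:
        """A compromised key is withdrawn immediately; its record is kept for review."""
        self._retire(self.keys[key_id], "compromised", today, detail)

    def expire(self, today: date) -> List[str]:
        """Periodic run: retire active keys whose de-activation date has passed."""
        expired = []
        for rec in self.keys.values():
            if rec.state == "active" and rec.deactivates <= today:
                self._retire(rec, "expired", today, "de-activation date reached")
                expired.append(rec.key_id)
        return sorted(expired)

    def archive(self, key_id: str, today: date) -> None:
        """Archival keeps the record and its history; an active key is never archived."""
        rec = self.keys[key_id]
        if rec.state == "active":
            raise ValueError(f"{key_id}: active keys are never archived")
        rec.state = "archived"
        rec.history.append(f"{today}: archived")
```

Recovery of lost or corrupted keys (item iv) is deliberately outside this registry, since it depends on how key material is escrowed; the registry only records that an expired key remains on file until archived.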

13. Public Key Infrastructure (PKI) Used by the Financial Application is Protected

a. Standards, Procedures and Responsibilities

Are documented standards/procedures established, which define

i. The process required to manage cryptographic keys/digital certificates within the PKI

ii. Methods required to operate the PKI

iii. Actions to be taken in the event of a compromise?

Are PKI users fully aware of the purpose and function of PKI, their responsibility to protect private keys, and how to use the “digital signatures”?

b. Certification Authority

Has an internal Certification Authority (people, processes and tools) been established to create, issue and manage the public key certificates that are used within a PKI?

Is the Certification Authority protected by strong access control mechanisms and strong authentication?

Has the Certification Authority been protected by “hardening” underlying operating systems?

c. Disaster Recovery


Has a contingency plan been developed for the financial application supported by the PKI that includes methods of recovering the PKI in the event of a disaster?

14. Web-Enabled Applications Are Supported by Specialized Technical Controls

a. Accreditation

Have business practices and privacy policies applicable to the web sites associated with the financial application been independently accredited (for example, by Web Trust or TRUSTe)?

b. Web Servers and Connections Between Web Servers and Back-Office Systems

Are the web servers that support the financial application

i. Located in an area that is isolated from the Internet and internal networks by firewalls?

ii. Run on one or more dedicated computers?

iii. Run with “least privileges,” meaning that high-level privileges are excluded, such as “Administrator” for Windows NT systems or “Root” for UNIX systems?

iv. Prevented from initiating network connection to the internet?

v. Configured so that scripts can only be run from specified locations?

Is the connection between web servers and back-office systems

i. Protected by firewalls?

ii. Restricted to those services that are required by the application?

iii. Restricted to code generated by web server applications, rather than by client applications?

iv. Based on documented application programming interfaces (APIs)?

v. Supported by mutual authentication?

Are user accounts on back-office systems used by web servers to make connections run with “least privilege”?

c. Validation/Encryption of Information and Transaction Processing

Is information used by the application protected against corruption or disclosure by

i. Performing input validation at the server, rather than just on the client application?

ii. Encrypting sensitive data in transit (e.g., by using SSL or HTTPS)?

Are transaction processing monitors used to manage the execution, distribution and synchronization of transactions?


13 Appendix D – A model internal control plan

13.1 Introduction and background information

13.1.1 Introduction

[Name of Individual], Director of the [Name of Agency], has designated [Name of Individual], Administrator, [Name of Division], as the agency's Internal Control Officer. As Internal Control Officer, [Name of Individual], in addition to his/her regular duties, has the responsibility to ensure that:

The written documentation of the [Name of Agency]’s internal control system over financial reporting is on file and available for review by agency personnel and auditors.

The [Name of Agency]'s internal control system is evaluated at least annually or more often as conditions warrant.

The results of audits and recommendations to improve agency internal controls are promptly evaluated by the [Name of Agency] management and that appropriate measures are implemented on a timely basis.

All action determined by the [Name of Agency] management as necessary to correct or otherwise resolve matters will be addressed by the agency in its budgetary request to the Governor and Legislature.

[Name of Internal Control Officer] is responsible for communicating the contents of the plan to operational managers and for providing the necessary technical guidance and assistance to implement the plan.

The [Name of Agency] is committed to maintaining an effective internal control system. The annual review and update of the Internal Control Evaluation and Monitoring Plan is an important component of the agency's overall internal control structure.

13.1.2 General information

13.1.2.1 Agency mission

The Montana [Name of Agency] administers:

13.1.2.2 Statutory references (Montana revised statutes):

13.1.2.3 Executive staff

Insert names of the Director, Deputy Directors, Administrators and other Executive Staff.


[Name of Individual], [Title], [Name of Division]

[Name of Individual], [Title], [Name of Division]

[Name of Individual], [Title], [Name of Division]

13.1.2.4 Designated internal control officer

[Name of Individual], [Title], [Name of Division]

13.1.2.5 Other internal control contacts/team members

[Name of Individual], Chief Fiscal Officer, Financial Services

[Name of Individual], Chief, Office of Internal Audit Services

[Name of Individual], Title, Financial Services

[Name of Individual], Internal Control Team Member – Expenditures

[Name of Individual], Internal Control Team Member – Revenue

[Name of Individual], Internal Control Team Member – IT Specialist

13.1.3 Organization chart

Insert agency organization chart here.

13.2 Management’s key internal control concepts

13.2.1 Concept 1: Risk assessments should be conducted.

Designated Unit: In general, the [Name of Division] is charged with conducting risk assessment within the Agency. [Name of Division] is responsible for the Office of Internal Audit Services.

The Office of Internal Audit Services (Internal Audit) develops an annual internal audit plan for the [Name of Agency] based upon the following factors:

Risk assessments of critical systems

Reviews of internal, financial, and administrative systems and procedures

Executive staff’s assessment of existing risks

Past internal audit experience

Review of the risks inherent with the implementation of new processes

Internal Audit evaluates internal controls by analyzing the control environment, identifying and prioritizing functions and activities most likely to have control problems, and then analyzing the potential risks to determine whether existing controls are sufficient to manage them.

Upon completion of an audit, [Name of Individual], Chief Audit Executive (CAE), reviews the audit team’s findings. A final report, including management’s proposed corrective action plan, is forwarded to the Director and the Deputy Director for the area audited. Internal Audit performs follow-up reviews to ensure corrective action has been taken.

The process by which internal audit reports are issued and corrective actions monitored is detailed in the Internal Audit charter entitled, [Conducting Internal Audits And Management Responsibilities Related To Internal Audits]. In addition, the CAE reviews the audit reports issued by external agencies (e.g. State Audits Division and federal auditors) and advises Executive Staff of the audit findings. Executive Staff directs operational line management to prepare responses and corrective action plans.

13.2.2 Concept 2: Internal control plan should be documented and communicated.

Designated Units: Executive Staff, Internal Control Officer, Division Administrators, Business Unit Managers and Supervisors

[Name of Internal Control Officer], in his/her duties as Internal Control Officer, has the overall responsibility of developing and communicating to the [Name of Agency’s] management the content of the agency's written internal control plan. The [Name of Agency’s] Internal Control Evaluation and Monitoring Plan is updated annually.

Each Administrator is responsible for ensuring compliance with all requirements that pertain to his/her area of responsibility, including the development and maintenance of applicable written policies and procedures.

In addition, each Administrator is responsible for ensuring that copies of the internal control plan are made available for Bureau Chiefs and Section Supervisors to review. Bureau Chiefs and Section Supervisors are responsible for communicating the importance of internal controls to their staffs.

13.2.3 Concept 3: Duties should be segregated.

Designated Units: Executive Staff, Administrators, Bureau Chiefs and Supervisors

All members of [Name of Agency] Executive Staff and all Administrators and their staff are responsible for complying with internal control policies concerning segregation of duties for tasks and functions under their jurisdiction.

Consistent with the Department of Administration’s Internal Control Guidebook, the [Name of Agency] adheres to the following principles:

The individual responsible for hiring, terminating and approving promotions is not directly involved with preparing payroll or inputting data.

Individuals approving time sheets are not involved in preparing payroll.

Individuals involved in payroll data entry do not have payroll approval authority.

Individuals responsible for data entry of encumbrances and payment vouchers do not have authority to approve them.

Individuals responsible for acknowledging the receipt of goods are not also responsible for purchasing and/or accounts payable activities.

Individuals who monitor physical inventory do not have the authority to approve withdrawals of items maintained in inventory.

Individuals responsible for billing are not responsible for collecting and processing cash receipts.

Individuals responsible for maintaining accounts receivable are not involved with cash receipts.

Individuals receiving cash into the office are not involved in making deposits.

Individuals receiving cash or making deposits are not involved in reconciling the bank accounts.

The person signing manual checks is not the person who reconciles the bank accounts.


If any of the above duties cannot be segregated, compensating controls have been implemented and are being followed.
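An added Python illustration of a periodic user access review that applies the segregation principles above to a system's report of authorized users and their roles (the review that the IT general control questions earlier ask business unit management to perform). It flags roles beyond what a job title is entitled to, role combinations that conflict, and conflicts management has accepted with a documented compensating control. It is not code from the Guidebook; the role names, job titles, compensating control and sample report are constructed.

```python
"""Access review: excess roles and segregation-of-duties conflicts.
Added illustration, not code from the Guidebook; all names are constructed."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Role pairs one person must not hold together (assumed role names, one pair
# per principle listed above)
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"hr_personnel_actions", "payroll_entry"}),
    frozenset({"timesheet_approval", "payroll_entry"}),
    frozenset({"payroll_entry", "payroll_approval"}),
    frozenset({"voucher_entry", "voucher_approval"}),
    frozenset({"goods_receipt", "purchasing"}),
    frozenset({"goods_receipt", "accounts_payable"}),
    frozenset({"inventory_count", "inventory_withdrawal_approval"}),
    frozenset({"billing", "cash_receipts"}),
    frozenset({"accounts_receivable", "cash_receipts"}),
    frozenset({"cash_receipts", "bank_deposit"}),
    frozenset({"cash_receipts", "bank_reconciliation"}),
    frozenset({"bank_deposit", "bank_reconciliation"}),
    frozenset({"manual_check_signing", "bank_reconciliation"}),
}

# Roles each job title is entitled to (assumed; owned by business unit management)
JOB_ENTITLEMENTS: Dict[str, Set[str]] = {
    "accounts payable technician": {"voucher_entry", "accounts_payable"},
    "accounts payable supervisor": {"voucher_approval", "accounts_payable"},
    "cashier": {"cash_receipts"},
    "accountant": {"bank_reconciliation", "accounts_receivable"},
    "payroll technician": {"payroll_entry"},
}

# Conflicts management has accepted because a compensating control is in place
COMPENSATING_CONTROLS: Dict[Tuple[str, FrozenSet[str]], str] = {
    ("cmiller", frozenset({"cash_receipts", "bank_deposit"})):
        "supervisor recounts and signs each deposit slip",
}

# Constructed "authorized users and roles" report: (user id, job title, roles)
USER_ROLE_REPORT = [
    ("asmith", "accounts payable technician", {"voucher_entry", "accounts_payable"}),
    ("bjones", "accounts payable technician",
     {"voucher_entry", "voucher_approval", "accounts_payable"}),
    ("cmiller", "cashier", {"cash_receipts", "bank_deposit"}),
    ("dlee", "accountant", {"bank_reconciliation", "accounts_receivable"}),
    ("elopez", "payroll technician", {"payroll_entry", "database_direct_access"}),
]

Finding = Tuple[str, object]


def review_user(user: str, job: str, roles: Set[str]) -> List[Finding]:
    findings: List[Finding] = []
    # Access must remain commensurate with job responsibilities.
    for role in sorted(roles - JOB_ENTITLEMENTS.get(job, set())):
        findings.append(("excess_role", role))
    # Test every conflicting pair against the roles actually held.
    for pair in sorted(SOD_CONFLICTS, key=lambda p: tuple(sorted(p))):
        if pair <= roles:
            control = COMPENSATING_CONTROLS.get((user, pair))
            if control is None:
                findings.append(("sod_conflict", tuple(sorted(pair))))
            else:
                findings.append(("sod_conflict_compensated",
                                 (tuple(sorted(pair)), control)))
    return findings


def review_access(report) -> Dict[str, List[Finding]]:
    """Return only the users whose access needs management attention."""
    results: Dict[str, List[Finding]] = {}
    for user, job, roles in report:
        findings = review_user(user, job, roles)
        if findings:
            results[user] = findings
    return results
```

Keeping the conflict pairs and the job entitlements as data that business unit management owns, separate from the review logic, is what makes the review repeatable each period.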

13.2.4 Concept 4: Internal control systems should be supervised

Designated Units: Executive Staff, Administrators, Bureau Chiefs and Supervisors

Managers are required to establish clear lines of authority and responsibility. The effectiveness of internal controls depends upon the thoroughness, consistency and timeliness of supervision. [Name of Agency] Executive Staff and all Administrators and their staff are responsible for ensuring that their jurisdictions have qualified and continuous supervision. This supervision is provided to ensure that internal control objectives are achieved.

The duties of the manager/supervisor in carrying out their responsibilities include:

Clearly communicating the duties, responsibilities and accountabilities assigned to each staff member.

Systematically reviewing each member's work to the extent necessary.

Approving work at critical points to ensure that work flows as intended.

The methods used to perform these duties include:

Holding regularly scheduled staff meetings.

Assigning tasks and establishing written procedures for completing assignments.

Providing guidance and training (or opportunities to attend training) when necessary.

Regularly reviewing appropriate management reports.

Providing appropriate recognition of employee suggestions for control improvements.

13.2.5 Concept 5: Transactions should be documented

Designated Units: All processing units within Financial Services and any other work unit involved in Records Management and Archiving, Cash Receipting, Cash Disbursements; Accounts Receivable, Accounts Payable; and other processing activities

All transactions must be supported by appropriate documentation. The documentation must be complete and accurate and should allow tracing a transaction or event from the source documents, while it is in process, through its completion. The documentation should be readily available for examination.

Regardless of format, the supporting documentation should indicate the purpose or reason for the transaction and that the transaction was properly authorized. The transaction amount should be clearly evident or easily verified upon recalculation. The documentation should fully support the information entered in other key data fields in accordance with requirements specified by the Montana Operations Manual (MOM) Volume II. In cases where estimates are used, the underlying methodology (trend analyses, ratios, assumptions, etc.) should be documented and readily available for audit. For system-generated transactions, documentation that clearly describes the methodology, formulas and calculations, and the applicable system links and processes should be maintained.

The Agency's records management policies and guidelines are contained in the Agency Retention Schedule. The Secretary of State Records and Information Management Division (Records Management) maintains the Agency Retention Schedule and distributes it to all [Name of Agency] divisions. The purpose of the schedule is to establish standards and procedures that are consistent with the Montana Administrative Rules (MAR). The Agency Retention Schedule is updated on a periodic basis and dated amendments are issued when a new form is created or when a form becomes obsolete or is revised. Each Division appoints a Records Coordinator who works with Records Management to ensure effective records management throughout the agency.

The Records Coordinator for each division/bureau is responsible for ensuring that all original documents and records in support of the Agency’s accounting transactions are imaged or otherwise retained in accordance with the Agency Retention Schedule and that a detailed accounting of all financial records sent to Records Management is maintained.

13.2.6 Concept 6: Transactions should be authorized

Designated Units: Executive Staff, Division Administrators, Business Chiefs and Section Supervisors

Transactions and other significant events are authorized and executed only by persons acting within the scope of their authority. The Director of [Name of Agency] delegates authority to Division Administrators to perform the operations of the Agency. Division Administrators may also delegate restricted signature authority to other employees within their reporting structure. A delegation form signed by both the appointing authority and the delegate is required. The form should describe the type of authority being delegated and may specify the dollar and/or other limits. Division Administrators or their delegates must review the delegation forms periodically to ensure that authorizations and signatures are up-to-date. In addition, the Department of Administration Accounting Bureau provides periodic training to managers and staff on their fiscal responsibilities.

Financial statement adjustments and interfund/interagency transfer transactions are also subject to management review and approval. Designated individuals with appropriate experience and background have been authorized to approve these transactions. The supporting documentation should clearly show that adjustments and transfers have been properly reviewed and authorized before they are entered into the accounting system.

The [Name of Agency]'s Executive Staff, Division Administrators and Bureau Chiefs are responsible for complying with all laws and regulations that in any way relate to their job functions. This includes, but is not limited to, federal and state laws and regulatory requirements, the administrative guidelines and accounting policies issued by the Department of Administration, directives issued by the Governor’s Office, Administrative Rules and the agency’s own policies and procedures.

13.2.7 Concept 7: Access to resources should be controlled

Designated Units: Executive Staff, Financial Services, Information Technology Services, [Other Business Units]

13.2.7.1 Access to physical resources

The Department of Administration General Services Division is responsible for managing and safeguarding both owned and leased buildings, building-related equipment and land used to conduct agency business. The Department of Transportation Motor Pool is responsible for management and safeguarding of autos and other vehicles within the State Motor Pool fleet. The Department of Administration Information Technology Services Division manages the acquisition and safeguarding of central computer hardware and software. The various business units are responsible for acquiring and managing other machinery and equipment. Acquisition and disposition procedures are aligned with fixed asset policies and procedures published in MOM Volume II.

Annually, [Name of Division] must conduct an inventory of all capital assets (over $5,000) and all high risk assets (under $5,000), such as computers and accessories. Discrepancies are investigated and adjusted. The inventory serves two purposes: it ensures the accuracy of the fixed asset information reported in the fixed asset module for use in the annual financial statement, and of the information reported to the DofA Risk Management Division for insurance purposes.

The [Name of Division] uses a manual system to track its inventory of [supplies/products] sold/issued to customers/clients. Quarterly physical counts are performed in order to verify the accuracy of the balances on hand. An automated inventory supply system is used to track parts, etc. for operation of the [Central Shop]. It provides a continuous record of all additions and deletions of individual items, as well as to whom the items were issued. Physical counts are performed every [frequency] to verify the accuracy of the system's balances. Variances are investigated and corrected for both systems, as needed.

All losses, including those that appear to be caused by fraud or dishonesty, are reported immediately to the Attorney General and the Legislative Audit Division.

13.2.7.2 Access to monetary resources

The agency's policies on segregation of duties are designed to assist management in deterring employee theft.

Cash handling is separated from record keeping. Customer billing is separated from cash collection. No one person is allowed to handle a cash transaction from beginning to end. Passwords are changed monthly for access to automated accounting records. Cash receiving is centralized to the extent possible. Reconciliation of the accounting records to State Treasury accounts and other authorized bank accounts is performed promptly by individuals who have no responsibility for handling cash.

Cash or checks that are not deposited within one day of receipt are locked in a safe overnight.

The issuance and the inventory of blank check stock are strictly controlled. Check stock is kept in a locked safe.

13.2.7.3 Access to personnel

The [Name of Section] is responsible for evaluating the physical security and safety of [Name of Agency] employees at all facilities and for suggesting corrective action when necessary. The [Name of Section] responds to threats made to employees.

Building security for [Name of Agency] locations at [address] is provided by security guards and card-access systems.


13.2.7.4 Access to information

An access control policy exists for all agency systems that defines the strategy to prevent unauthorized access. Employees, consultants, and contractors who design, develop, operate, or maintain IT systems are subject to background investigations and must be authorized to access the systems. All visitors to restricted premises, not previously cleared or identified by badge, are escorted.

All users of IT systems must receive appropriate clearance to use a system (from appropriate IT security management and/or the application administrators). This permission must be in writing and includes assignment of a User ID and Password. All users of an IT system must receive security awareness training either in a formal classroom setting or by other means, such as [user awareness brochures, on-line or electronic mail training, or individual instruction from IT personnel who install or set up the workstation].

All IT system use is restricted to official business purposes, except for [describe exceptions, if any]. Users are encouraged to report suspicious behavior to their supervisor or IT security personnel.

As required by DofA Information Technology Services Division policy, the agency security officer, [Name of Person], is responsible for security issues involving access to and use of statewide systems.

[Describe other systems applications with special access requirements. Examples might include an e-commerce application.]

13.2.8 Concept 8: Employees must adhere to the agency’s code of conduct

Designated Units: Executive Staff, [Name of Division]

The [Name of Division] has been delegated a significant role in ensuring employee integrity. It is responsible for all internal affairs matters, internal audits, investigations, physical and computer security, employee safety, employee background checks and employee activity. [Name of Division] is also responsible for administering and working with management to promulgate the agency's Code of Conduct.

13.2.8.1 Office of Internal Affairs or similar organization

The Office of Internal Affairs or similar organization within [Name of Division] is responsible for safeguarding employee integrity within the [Name of Agency]. The three primary functions of this office are:

- Educating employees on the risks of misconduct.
- Conducting background investigations of [Name of Agency] job applicants and appointees.
- Investigating allegations of misconduct by [Name of Agency] employees or others attempting to cause agency employees to violate the law or the Code of Conduct.

13.2.8.2 Code of conduct

All new [Name of Agency] employees must attend a Code of Conduct training session supervised by the [Office of Internal Affairs]. On an annual basis, all employees are required to attend ["Name of Course"], a Code of Conduct refresher course. The training and materials provide employees with knowledge and awareness of the following:


- Employees must avoid any actual conduct which constitutes a conflict of interest or conduct which gives a reasonable basis for the perception of a conflict of interest between their private and public interests.
- Employees are prohibited from taking action, performing any duty, or giving any preferential treatment from which they would benefit personally.
- Employees are prohibited from taking action which would result in illegal receipt of public or private funds.
- Employees may not participate in any official action relating to any entity or individual in which they or their immediate family has a financial interest.
- Current or former employees or officers must comply with restrictions regarding other employment, unwarranted privileges or self-exemptions, or improper exemptions.
- Employees must adhere to other standards of conduct described in the Code of Conduct handbook.

Executive Staff is responsible for administering policies regarding political activity by [Name of Agency] personnel. The Director's Office periodically issues guidelines to all Divisions to ensure compliance with federal and state laws and regulations pertaining to allowable political activity by public employees. The employee handbook addresses political activity in the Workplace Guidelines chapter.

13.2.8.3 Office of Internal Audit Services

The Office of Internal Audit Services within [Name of Division] is responsible for reporting suspected unauthorized browsing of customer, employee or [other stakeholder] records to Executive Staff.

13.3 Transaction cycles

13.3.1 Expenditure cycle

The focus of this section is on disbursements processing. As agencies gain proficiency in evaluating accounting/financial systems, they should expand their review to include each of the subsystems which comprise the expenditure cycle, e.g., purchasing, travel claims, construction contracts, interagency purchases, grants, petty cash, electronic data interchanges, etc.

13.3.1.1 Overriding control objectives

- All expenditures are lawful, properly authorized, and represent a responsible and appropriate use of State funds.
- All expenditures are for goods or services where the full value of such goods and services was actually received.
- Obligations for goods and services are paid in a timely manner as required by law or contractual terms, in sufficient time to take advantage of early payment discounts.
- All expenditures are sufficiently documented, accurately and completely recorded, charged to the proper accounting period (fiscal year) and properly classified as to category of expense.
- Accounts payable are properly classified by type (due to other funds, due to other governmental agencies, etc.).
- If yearend accrual entries involve accounting estimates, the estimates are reasonable and sufficiently documented.


13.3.1.2 Applicable statutes, rules, policies, and procedure manuals

- Montana Code Annotated
- Statewide purchasing policies issued by State Procurement Bureau within DofA
- MOM VOLUME II
- Montana Administrative Rules
- SABHRS manuals and guides
- [Agency-specific standards and procedural manuals]

13.3.1.3 Automated information systems in use

- SABHRS
- [Agency-specific systems and interfaces]

13.3.1.4 Key reports

Control and Requestable reports:

- APY1010 Voucher Register
- APY1020 Posted Voucher Listing
- APY2000 Payment History by Vendor
- MTAP1701 Voucher Status Report
- MTGL7008 Trial Balance - Fund
- GLS7002 General Ledger - Activity
- GLS3000 Open Items
- MTGL0106-O Organizational Detail Report - Org
- MTGL0106-P Organizational Detail Report - Project
- MTGL0111-O Organizational Summary
- MTGL0111-P Organizational Summary Report - Project
- GLS8020 Budget Status Report
- MTGL_APPROP_BUDGETS_AND_BAL Appropriation Budgets and Bal
- MTGL_ORG_BUDGETS_AND_BAL Org Budgets and Bal
- GLS7011 Journal Edit Errors
- GLC7501 Journal Entry Detail
- FIN2001 Journal Entry Detail
- MTGL1101 Inter-Unit Journal In-Progress

Other reports:

[Agency-specific systems and interfaces]

13.3.1.5 Questions for determining risk

- Are employees required to attend training on the agency’s purchasing, contracting and disbursements policies?
- Does a hierarchy exist which distinguishes the types of payments and the type of review or approval required for each payment type based upon dollar threshold or program specific concerns?
- How does the person responsible for approving the payment know that the goods or services were received or were provided in accordance with contract specifications?
- What procedures are in place to make certain that employees routinely check for the availability of appropriate Statewide Price Agreements?
- What procedures are in place to ensure that all items purchased using PRO cards were authorized and are appropriate?
- Do strong cut-off procedures exist to ensure that unbilled goods/services received prior to year end are properly recorded as expenditures for the current fiscal year?
- Are there any individuals who have both recordkeeping and approval responsibilities?
- Are there any individuals handling cash disbursements that also have duties related to cash receipts or the reconciliation of bank statements?
- Are bank statements delivered unopened directly to general accounting?
- Are warrants/checks compared in appropriate detail to the disbursement records?
- Is the numerical sequence of warrants/checks accounted for?
- Is the bank statement reconciliation reviewed, approved and signed by a manager who has no responsibility for cash receipts or disbursements?
- Is there periodic investigation of warrants/checks outstanding for a considerable time?

13.3.1.6 Questions the approving officer should answer

- Are there adequate budget resources available now to allow me to incur this obligation?
- Will this obligation or expenditure pass the "public perception" test? That is, would I be comfortable if I saw this transaction written up on the front page of the local newspaper?
- Am I willing to approve this obligation knowing that I am fully responsible?

13.3.1.7 Documentation

Describe the processing activities, both manual and automated, and the document flow. Identify control check points and control activities. Use either a narrative approach or provide flowcharts and diagrams, or a combination of both.

The narrative and flowchart which follow are provided as examples only. Their purpose is to give agencies a starting point. Agencies are encouraged to modify them as necessary to document their own processing activities.


Disbursements Processing – Narrative

Columns: Operational Units/Sections | Activities | Documents, Reports, Screens

Delegation of Authority

Agency Executive Staff

1. Agency director determines delegation of expenditure authority. Signature delegation forms completed/submitted to Financial Services – Disbursements Unit. Copies maintained in Business Unit offices. Delegation forms updated as personnel are hired or depart or duties change.

Documents, Reports, Screens: Approved Signature List

Document Matching, Coding and Payment Authorization

Agency Business Units

1. Vendors instructed to mail/deliver invoices to Business Units responsible for initiating and approving payment.

Documents, Reports, Screens: Vendor invoices

2. Incoming mail, including invoices, date stamped upon opening.

3. Business Unit administration (admin) staff performs 3-way match: invoice, receiving record and, if applicable, purchase order/other purchasing authorization.

Documents, Reports, Screens: Voucher package (invoice, receiving record, purchase authorization; other supporting documentation)

4. Admin staff verifies accuracy of invoices; documents any adjustments to invoice totals; calculates applicable discounts; completes coding block.

5. Admin supervisor reviews voucher package to ensure State and agency purchasing rules have been followed. Notifies Bureau Chief of any noncompliance.

6. Bureau Chief or Supervisor with signature authority reviews voucher package for appropriateness and completeness; adds explanation for unusual items; and signs approval for payment.

Final Document Review, Data Entry and Release for Payment

Agency Disbursements Unit

1. Documentation group reviews voucher packages; verifies authorized signature; verifies coding, including correct 1099 status and compliance with capitalization policies; documents any changes and communicates with Business Unit; verifies account codes; prioritizes payments based on established criteria.

Documents, Reports, Screens: Voucher packages

2. Data entry group enters payment information into system. Selects and inputs due dates to maximize cash management. Payments are flagged for return to Disbursements Unit only when special handling is required.

Documents, Reports, Screens: Invoice batches/data entry screen

3. Authorization group reviews accuracy of document input. Releases batches for payment.

Documents, Reports, Screens: Online authorization

Accounting System - Data Processing

Information Systems Unit

1. Unique operator ID numbers and user classes are assigned to each person with access to accounting system. Each invoice is uniquely identified by batch ID, batch date and document number.

Documents, Reports, Screens: Data processing files and control reports

2. System posts A/P; records expenditures; and issues warrants/checks on due date.

Documents, Reports, Screens: A/P and general ledger reports

3. Warrants/checks flagged for special handling are returned to Disbursements Unit; otherwise, warrants/checks mailed directly to vendor from warrant writing unit.

Documents, Reports, Screens: Warrants/checks

Checks Requiring Special Handling and Archiving

Disbursements Unit

1. Non-mailer warrants/checks matched to remittance advice and mailed, or held for pick up by Business Unit. Stored in locked safe overnight. Signature of Business Unit employee obtained when warrant/check picked up.

Documents, Reports, Screens: Warrants/checks

2. Paid voucher packages forwarded to Archiving Unit for imaging (or maintained in records center, as appropriate).

Documents, Reports, Screens: Paid voucher packages

Compliance Auditing

Financial Services Staff

1. Financial Services employees not involved in purchasing functions, accounts payable or disbursements processing perform quarterly audits to ensure agency expenditures:
- Comply with state/agency expenditure guidelines and purchasing policies, including Statewide Price Agreements;
- Are approved by personnel with appropriate authority; and
- Are properly coded for accounting and program purposes.

Documents, Reports, Screens: Electronic transactions file and imaged documents


Disbursements Processing Flowchart (diagram; only the recoverable labels are reproduced here)

Business Units: PO or other purchase authorization, receiving document and invoice are matched, checked for accuracy and coded (S-1); manager review and approval (S-2); voucher package passed to the Disbursements Unit.

Disbursements Unit: review coding, verify T-code, prioritize payments (S-3); enter invoice batches into system, select/input due dates; review accuracy of data input and release for payment (S-4).

Accounting System: post A/P, record expenditures, issue warrants/checks on due date (Expense, Accounts Payable, Cash).

Flagged for return to A/P? Yes: warrants/checks matched with remittance or held for pick-up by business unit (W-1). No: warrants/checks mailed directly to vendor.


[Agency Name] Disbursements Processing
Control Findings
June 30, 2XXX

Strength/Weakness | Explanation

S-1 3-way document match and review

Receiving documentation and purchasing documentation originate in separate units and are matched to the vendor’s invoice and reviewed by Business Unit administration staff that has no responsibility for receiving and purchasing.

S-2 Manager review and approval

Voucher package (invoice, receiving document, purchasing documentation, etc.) is reviewed for appropriateness and completeness prior to authorization for payment.

S-3 Disbursements Unit review and verification

A final review is performed to ensure proper documentation and coding and to verify authorized signatures.

S-4 Payment release process is independent of data entry.

Disbursements Unit employees who enter invoice batches into the accounting system are not authorized to release batches for payment. An individual who has no ability to input or modify payment data reviews and releases the batches. Security access differentiates between data input responsibilities and payment release responsibilities.

W-1 Warrants/checks returned to Disbursements Unit

Checks requiring special handling should be returned to personnel in Financial Services who have no direct access to Disbursement Unit processes to reduce the possibility of fraudulent payments.
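Findings S-1 and S-4 above, together with the segregation-of-duties questions in 13.3.1.5, describe controls that an accounting system can enforce rather than leave to manual review: the 3-way document match before a voucher is coded, a periodic review for users who hold conflicting access, and a release step that refuses the person who keyed the batch. The Python below is an added illustration written for this page; it is not code from the guidebook, from SABHRS or from any agency system, and the user names, permission sets, invoice values and batch identifiers are constructed.

```python
"""Disbursement controls as executable checks: 3-way document match (S-1),
conflicting-access review, and payment release independent of data entry
(S-4). Added illustration; not code from the Montana guidebook, SABHRS or
any agency system. Users, permissions and amounts are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed access list. "enter" = may key invoice batches into the
# accounting system; "release" = may release batches for payment.
USER_ACCESS = {
    "a.clerk": {"enter"},
    "b.authorizer": {"release"},
    "c.super": {"enter", "release"},   # holds both: a segregation-of-duties conflict
    "d.viewer": set(),
}

# Permission pairs that must not rest with one person (finding S-4).
CONFLICTING_PAIRS = [("enter", "release")]


def conflicting_access(access=USER_ACCESS, pairs=CONFLICTING_PAIRS):
    """Users holding both halves of any conflicting pair, for periodic review."""
    found = {}
    for user, perms in access.items():
        hits = [(a, b) for a, b in pairs if a in perms and b in perms]
        if hits:
            found[user] = hits
    return found


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor: str
    quantity: int
    unit_price: float


@dataclass(frozen=True)
class ReceivingRecord:
    po_number: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    po_number: str
    vendor: str
    quantity: int
    unit_price: float


def three_way_match(invoice, receiving, po):
    """Discrepancies between invoice, receiving record and purchase order.

    An empty list means the voucher package matches and can be coded for
    payment; anything else goes back to the business unit for explanation.
    """
    problems = []
    if not (invoice.po_number == receiving.po_number == po.po_number):
        problems.append("PO number differs across documents")
    if invoice.vendor != po.vendor:
        problems.append("invoice vendor differs from PO vendor")
    if invoice.quantity > receiving.quantity_received:
        problems.append("billed quantity exceeds quantity received")
    if invoice.quantity > po.quantity:
        problems.append("billed quantity exceeds quantity ordered")
    if abs(invoice.unit_price - po.unit_price) >= 0.005:
        problems.append("invoice unit price differs from PO unit price")
    return problems


@dataclass
class Batch:
    batch_id: str
    entered_by: str
    released_by: Optional[str] = None


def release_blocker(batch, releaser, access=USER_ACCESS):
    """Reason the release must be refused, or None if it may proceed."""
    if "release" not in access.get(releaser, set()):
        return f"{releaser} has no release authority"
    if releaser == batch.entered_by:
        return "the person who entered the batch may not release it"
    if batch.released_by is not None:
        return f"batch already released by {batch.released_by}"
    return None


def release_batch(batch, releaser, access=USER_ACCESS):
    """Release for payment, or raise PermissionError naming the control that blocked it."""
    reason = release_blocker(batch, releaser, access)
    if reason:
        raise PermissionError(reason)
    batch.released_by = releaser
    return batch


if __name__ == "__main__":
    print("conflicting access:", conflicting_access())
    po = PurchaseOrder("PO-1", "Acme Supply", 10, 2.50)
    print("match:", three_way_match(Invoice("PO-1", "Acme Supply", 12, 2.50),
                                    ReceivingRecord("PO-1", 10), po))
    batch = Batch("B-1", entered_by="a.clerk")
    print("release by clerk:", release_blocker(batch, "a.clerk"))
    print("released by:", release_batch(batch, "b.authorizer").released_by)
```

`release_blocker` separates the decision from the side effect so the same rule can drive both the online authorization screen and an after-the-fact audit of who released what; the check that the batch has not already been released guards against a second release of the same invoices.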

13.3.2 Revenue cycle

The focus of this section is on cash receipts and accounts receivable processing. As agencies gain proficiency in evaluating accounting/financial systems, they should expand their review to include each of the subsystems which comprise the revenue cycle, e.g., interagency receivables, NSF checks, customer refunds and credits, liquidated and delinquent accounts, electronic funds transfers, etc.

13.3.2.1 Overriding control objectives

Cash Receipts

Procedures for handling and processing cash receipts are carefully designed, well-documented and clearly communicated.

No one person is allowed to handle a cash transaction from beginning to end. Responsibilities for collection are adequately segregated from those for recording cash receipts and general ledger entries.

Cash receipts are safeguarded at all times. The cash collection function is centralized to the extent possible. Cash receipts are immediately secured, control totals developed, and collections deposited daily intact. Any exceptions must conform to the requirements established by MOM VOLUME II.

Accounts Receivable

An accounts receivable transaction is recorded only when goods/services have been provided or a claim established and corresponding earnings are measurable.

The method of recognizing accounts receivable and the corresponding revenue (including year-end accrual procedures) is consistently applied.


Receivables are accurately recorded in the appropriate accounting period (fiscal year), properly classified as to type (due from other funds, due from other governmental agencies, etc.), and properly classified between short-term and long-term.

Detail subsidiary ledger records are accurately maintained and protected from unauthorized manipulation. Billings, adjustments and collections are properly recorded in individual receivable accounts. The subsidiary ledger records are reconciled to the general ledger control account.

Billing documentation (such as delivery records, purchase orders, copies of judgments) is independently maintained and not accessible to parties outside of the billing function, especially those who might have access to cash collections or the detail records of parties being billed.

Sales Income and Other Revenues

- All revenues are recognized as soon as they are measurable and available.
- All revenues are accurately and completely recorded in the proper accounting period (fiscal year) and they are properly classified according to source.
- Appropriate records are maintained for all businesses, users of government services, and individuals or entities against whom taxes or fees are assessed.
- Charges for goods, services, licenses/permits, taxes, etc. are promptly and accurately billed.
- Self-assessed taxpayers are properly monitored.
- Exemptions are provided only to those authorized.
- Interest and penalties on delinquent taxes, past due licenses/permits, etc. are properly calculated and timely billed.

13.3.2.2 Applicable statutes, rules, policies, and procedure manuals

- Montana Code Annotated
- Statewide purchasing policies issued by State Procurement Bureau within DofA
- MOM VOLUME II
- Montana Administrative Rules
- SABHRS manuals and guides
- [Agency-specific standards and procedural manuals]

13.3.2.3 Automated information systems in use

- SABHRS
- [Agency-specific systems and interfaces]

13.3.2.4 Key reports

Control and Requestable reports:

- AR20001 Deposit Control By Entry Date
- AR20003 Payment Summary
- AR32000 Customer Statements
- AR35000 Finance Charges
- MTAR_ITEMS_BAL Customer Balances
- MTAR_ITEMS_DIST Item Distribution for Customers
- MTAR AGEBU Business Unit Aging Report
- MTGL7008 Trial Balance - Fund
- GLS7002 General Ledger - Activity
- GLS3000 Open Items
- MTGL0106-O Organizational Detail Report - Org
- MTGL0106-P Organizational Detail Report - Project
- MTGL0111-O Organizational Summary
- MTGL0111-P Organizational Summary Report - Project
- MTGL_REVEST_BUDGETS_AND_BAL Reports Budgets and Balances

Other reports:

[List agency subsystem reports]

13.3.2.5 Questions for determining risk

Segregation of Duties

- Are responsibilities for cash receipts adequately segregated from those for handling cash disbursements and reconciliation of bank statements?
- Are responsibilities for billing for services and fees adequately segregated from those for collecting and recording cash receipts?
- Are responsibilities for collecting cash receipts and deposit preparation adequately segregated from those for maintaining detail accounts receivable and posting general ledger entries?

Cash Receipts

- Is a secure area provided for opening mail and processing incoming cash receipts? Is it restricted to authorized personnel only? Is it locked when not occupied?
- Is the mail opened in the presence of two or more employees?
- Are checks restrictively endorsed as soon as received?
- Are cash receipts secured in a cash drawer, vault, etc.?
- Are each day’s receipts deposited intact, even if proper disposition is unknown?
- Are pre-numbered receipts, a cash register or equivalent method/mechanism used to control the receipt of cash payments made in person? Are copies of the receipts, cash register tapes or other records accounted for and balanced to daily collections?
- Is timely notice of cash receipts from separate collection centers given to central accounting and are reported receipts compared to general accounting records?
- Is all pertinent information related to cash receipts maintained, such as deposit tickets, remittance advices, copies of receipts and other memoranda?

Accounts Receivable

- Do accounts receivable procedures include reconciling aggregate collections on accounts against postings to individual receivable accounts?
- Are adequate records maintained to assure correct handling and final disposition of items posted to a suspense account? Is every effort made to ensure that fund distribution is immediately determinable?
- Are “not sufficient funds” (NSF) checks delivered to someone independent of those who process and record cash receipts or reconcile bank statements?
- Are all non-cash credits to customer accounts initiated by the program unit and authorized by a financial services manager who has no responsibility for recording the credits?
- Are disputes of billing amounts reported by taxpayers or service recipients investigated by individuals independent of accounts receivable recordkeeping?
- Is there an independent periodic review of accounts receivable for credit balances?

Sales Income and Other Revenues

- Are periodic physical counts of merchandise inventory taken by individuals who do not maintain the inventory to assure all sales of merchandise are recorded?
- Are all credit entries to the inventory control account (other than sales transactions) reviewed by the internal audit unit or the chief fiscal officer?
- For sales of items controlled by serial numbers (permits, licenses, tickets, food stamps, etc.), is the number of items issued reconciled to the number of items available for issue and sold by an individual not involved in sales and collections?
- Are revenue accounts analyzed for unusual fluctuations by comparing to prior year data, multi-year trends, forecasts, and other monthly internal reports?
- Are procedures in place that ensure that records are organized and integrated in such a way that probable taxpayers, licensees, etc. are identified as the result of other governmental activities?
- Are databases updated for new registrants and withdrawals and are the updated records used as the basis for billing for annual licenses, fees and permits?
- Are amounts collected on behalf of other governmental units segregated and timely remitted?

General Controls

- Are detailed receivable records reconciled to the GL control account and are reconciling items investigated by someone other than accounts receivable personnel?
- Are bank statements delivered unopened directly to general accounting?
- Does the general accounting unit compare deposits per bank statement to cash receipts entries as part of its bank reconciliation procedures?
- Is the bank statement reconciliation reviewed, approved and signed by a manager who has no responsibility for cash receipts or disbursements?
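Several of the questions above (balancing receipts to daily collections, reconciling aggregate collections against postings to individual receivable accounts, tracking items held in suspense) are batch controls that the cashiering system can compute and the supervisor can check before releasing a batch. The Python below is an added illustration written for this page, not code from the guidebook or from any agency cashiering system; the batch, the summary-sheet totals, the check numbers and the customer ids are constructed. It applies the same control totals (document count and monetary total) that the narrative later in this section describes for the cashiering supervisor's release step.

```python
"""Batch control totals and aggregate-to-detail reconciliation for a cash
receipts batch. Added illustration; not code from the Montana guidebook or
any agency cashiering system. All sample values are constructed.
"""
from collections import Counter
from decimal import Decimal


def receipt(check_no, customer, amount):
    """One batch item: customer is the id from the remittance advice, or None
    when no advice accompanied the check (routed to suspense)."""
    return (check_no, customer, Decimal(amount))


def summary_sheet(documents, total):
    """Totals as the cashier wrote them on the batch summary sheet."""
    return {"documents": documents, "total": Decimal(total)}


# Constructed batch of four mailed payments.
SAMPLE_BATCH = [
    receipt("10021", "C-100", "250.00"),
    receipt("10022", "C-200", "75.50"),
    receipt("10023", None, "40.00"),      # no remittance advice -> suspense
    receipt("10024", "C-100", "10.00"),
]
SAMPLE_SUMMARY = summary_sheet(4, "375.50")


def batch_control_totals(batch):
    """Document count and monetary total computed from the batch itself."""
    return {
        "documents": len(batch),
        "total": sum((amt for _, _, amt in batch), Decimal("0")),
    }


def duplicate_documents(batch):
    """Check numbers appearing more than once (an item keyed or scanned twice)."""
    counts = Counter(check_no for check_no, _, _ in batch)
    return sorted(no for no, n in counts.items() if n > 1)


def balance_batch(batch, summary):
    """Compare computed control totals with the summary sheet.

    Returns a list of difference descriptions; an empty list means the batch
    balances and may be released for processing.
    """
    computed = batch_control_totals(batch)
    differences = []
    for key in ("documents", "total"):
        if computed[key] != summary[key]:
            differences.append(
                f"{key}: batch {computed[key]} vs summary {summary[key]}"
            )
    for no in duplicate_documents(batch):
        differences.append(f"check {no} appears more than once")
    return differences


def post_batch(batch):
    """Apply payments to customer accounts; route unidentified items to suspense."""
    postings = Counter()
    suspense = []
    for check_no, customer, amt in batch:
        if customer is None:
            suspense.append((check_no, amt))
        else:
            postings[customer] += amt
    return postings, suspense


def reconcile_aggregate(batch, postings, suspense):
    """Aggregate collections less individual postings less suspense items.

    Zero means every dollar collected is either on a customer account or in
    suspense awaiting disposition; anything else is a reconciling item.
    """
    collected = batch_control_totals(batch)["total"]
    posted = sum(postings.values(), Decimal("0"))
    held = sum((amt for _, amt in suspense), Decimal("0"))
    return collected - posted - held


if __name__ == "__main__":
    print("differences:", balance_batch(SAMPLE_BATCH, SAMPLE_SUMMARY))
    postings, suspense = post_batch(SAMPLE_BATCH)
    print("postings:", dict(postings), "suspense:", suspense)
    print("unreconciled:", reconcile_aggregate(SAMPLE_BATCH, postings, suspense))
```

Amounts are `Decimal`, not floats, so the totals compared here are exact; the duplicate check is included because a doubled item can leave the monetary total wrong while the document count still agrees with the sheet if the cashier counted the same paper twice.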

13.3.2.6 Documentation

Describe the processing activities, both manual and automated, and the document flow. Identify control check points and control activities. Use either a narrative approach or provide flowcharts and diagrams, or a combination of both.

The narrative and flowchart which follow are provided as examples only. Their purpose is to give agencies a starting point. Agencies are encouraged to modify them as necessary to document their own processing activities.


Cash Receipts/Accounts Receivable Processing – Narrative

Operational Units/Sections

Activities Documents, Reports, Screens

Processing Over-the-Counter Receipts

Program Unit 1. Program unit cashier uses cash register to process payments received over-the-counter; a single cash register is authorized and in use.

2. Cash register is locked and cannot be turned back.

3. Checks restrictively endorsed upon receipt.

4. Administration (admin) staff supervisor counts daily receipts and balances to register. Register tapes retained and filed chronologically by admin support staff with no cashiering responsibilities.

5. Admin staff supervisor forwards register report/readings with daily receipts to Cashiering unit for recording and deposit.

Over-the-counter receipts and cash register tapes, readings and report

Processing Mailed Receipts

Mailroom 1. Payment notices, applications and other forms instruct customers to mail payments for licenses, permits, etc. to designated PO boxes.

2. Contents of PO boxes delivered by DofA to agency mailroom.

3. Envelopes are examined for suspicious packaging; then run through automatic opening machine only; contents are not removed. Opened envelopes are delivered immediately/directly in locked containers to Cashiering unit (secured area) for processing.

Mailed remittances

Cashiering Unit 4. Checks, payment coupons, license applications, etc. are removed from remittance envelopes in presence of two or more Cashiering unit employees. Upon removal, checks are immediately restrictively endorsed. Payments are sorted into batch types. Coupons, applications, etc. are date stamped.

Entering Receipts into System

Cashiering Unit 1. Cashiering personnel scan all checks and bar coded coupons and remittance advices into cashiering system. Non-bar coded documents are keyed into system. Over-the-counter receipts are keyed into system from data provided by cash register report.

2. Checks from new customers or checks without a remittance advice are credited to suspense account for later

Cash receipts batches/scanning device/data entry screen

9900-72

Page 73: The Internal Control Guidebook

Montana Operations Manual (MOM) Volume IIChapter 9900 The Internal Control Guidebook Effective 12/1/2007

Cash Receipts/Accounts Receivable Processing – Narrative

Operational Units/Sections

Activities Documents, Reports, Screens

disposition.

Operational Units/Sections

Activities Documents, Reports, Screens

Cashiering Unit 3. Cashiering supervisor runs tape of checks/currency ready for deposit and compares to total dollars per batch summary sheets (including credits to suspense account). Reviews accuracy of other data input. Releases batches for processing when all errors are cleared.

Online authorization

4. Coupons, license applications, etc. are forwarded to program unit for appropriate action and archiving.

Coupons, license applications, other customer paperwork

Making Deposits

Cashiering Unit 1. Receipts are deposited daily intact. Cashiering personnel prepare the deposit slips in triplicate.

2. Cashiering supervisor reviews deposit totals to ensure they match batch totals (including credits to suspense account).

3. Cashiering supervisor physically secures deposit in locking deposit bag. Deposit is kept in locked safe until picked up by armored car each afternoon.

4. Second copy of deposit slip is forwarded to GL Accounting unit. Third copy is kept on file in Cashiering unit, along with batch sheets and cash register reports.

Daily cash receipts; deposit slips

System Processing

Information Systems Unit

1. Cash receipts data from the Cashiering system and billing information from the Program unit’s internal system are separately interfaced to the accounting system; the accounting system uploads the information and automatically updates detailed A/R records.

2. Batch balancing controls and procedures (total documents, total items and total monetary amounts) are in place.

3. Unique operator ID numbers are assigned to each person with access to the accounting system or the cashiering and billing subsystems. The systems maintain logs of user activity for those individuals with “update” capabilities.

(1) Data processing files and control reports; (2) A/R and cash receipts activity reports

9900-73

Page 74: The Internal Control Guidebook

Montana Operations Manual (MOM) Volume IIChapter 9900 The Internal Control Guidebook Effective 12/1/2007

Cash Receipts/Accounts Receivable Processing – Narrative

Operational Units/Sections

Activities Documents, Reports, Screens

4. Input documents are uniquely identified by batch ID, batch date and document no.

5. Invoice numbers are automatically generated in sequence. Once posted; invoiced amounts can be adjusted only through a credit memo or authorized adjustment transaction.

Invoices

GL Accounting Unit

6. Personnel in GL accounting unit, with no responsibilities for cash receipts, billing or accounts receivable functions, maintain valid value tables (e.g., accounting codes, taxes and fee rates).

Value table reports

Accounts Receivable Maintenance

Accounts Receivable Unit

1. Accounts receivable (A/R) unit reconciles aggregate collections on accounts receivable against postings to individual receivable accounts.

2. A/R unit investigates/resolves suspense account items and posts to appropriate A/R detail records.

3. A/R unit is responsible for updating the customer database.

4. A/R unit reviews aging reports and follows up on past due accounts. Monthly, the accounts receivable aging report is independently reviewed by the Financial Services manager and the Program unit.

5. All non-cash credits processed by the A/R unit are initiated by the Program unit and approved by the Financial Services manager prior to processing.

A/R listings, aging reports, customer database reports

Mailing Invoices/Customer Questions

Accounts Receivable Unit

4. Invoices are automatically prepared and printed as the result of the billing interface and delivered to A/R unit for mailing.

Invoices

Program Unit

5. Undeliverable mail is returned to the Program unit; customer questions and complaints are directed to the Program unit.

General Control Activities


General Ledger Accounting Unit

1. GL accounting unit compares payments received in cashiering system to payments posted to general ledger and reconciles detailed agency receivable records to GL control account.

2. Bank statement is delivered unopened directly to GL accounting. GL accounting unit compares deposit detail to bank statement as part of bank reconciliation process.

3. Bank statement reconciliation reviewed, approved and signed by GL accounting manager.

4. GL accounting unit controls monthly closing process/roll forward, so no transactions can be posted inappropriately to a prior period.

(1) A/R and cash receipts activity reports; (2) general ledger reports; (3) bank statements and copies of deposit slips; (4) systems control reports

General Ledger Accounting Unit

5. GL accounting unit periodically compares the number of licenses, permits, etc. issued with revenues collected; other revenue types are compared to prior year data and multi-year trends.

Licenses/permits activity reports

Program Unit

6. Program unit reviews (1) A/R aging report, (2) a report of all non-cash credit adjustments processed for month, and (3) a report of customer accounts with ending credit balances.

A/R aging report; credit adjustments and credit balance reports
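The batch balancing controls (total documents, total items, total monetary amount), the intact-deposit rule with a suspense account for receipts of unknown disposition, and the GL accounting unit's reconciliation of detailed receivable records to the GL control account can be expressed as a small set of automated checks. The following is an added example written for this guidebook, not an agency system or code from the original; the data classes, the account label `SUSPENSE`, and all amounts and identifiers are constructed assumptions.

```python
"""Batch balancing and reconciliation checks for a cash receipts / accounts
receivable cycle.  Added example; every figure below is constructed."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

SUSPENSE = "SUSPENSE"  # assumed label for the suspense account used for unmatched remittances


@dataclass(frozen=True)
class Item:
    customer: Optional[str]  # None: remittance cannot yet be matched to an A/R account
    amount: Decimal


@dataclass(frozen=True)
class Document:
    document_no: str         # check or payment coupon number
    items: Tuple[Item, ...]  # one check may settle several invoices or accounts


@dataclass(frozen=True)
class Batch:
    batch_id: str
    batch_date: str
    documents: Tuple[Document, ...]


def control_totals(batch: Batch) -> Dict[str, object]:
    """The three batch control figures named in the narrative: total documents,
    total items and total monetary amount."""
    docs = len(batch.documents)
    items = sum(len(d.items) for d in batch.documents)
    amount = sum((i.amount for d in batch.documents for i in d.items), Decimal("0"))
    return {"documents": docs, "items": items, "amount": amount}


def post_batch(batch: Batch) -> Dict[str, Decimal]:
    """Mimic the accounting system's automatic update of detailed A/R records.
    Items with a known customer credit that account; items whose disposition is
    unknown go to the suspense account, so the full deposit is still posted."""
    postings: Dict[str, Decimal] = {}
    for d in batch.documents:
        for i in d.items:
            key = i.customer if i.customer is not None else SUSPENSE
            postings[key] = postings.get(key, Decimal("0")) + i.amount
    return postings


def reconcile(batch: Batch, batch_sheet: Dict[str, object], deposit_slip_amount: Decimal,
              gl_control_balance: Decimal, ar_detail_balances: Dict[str, Decimal]) -> List[str]:
    """Run the comparisons the cashiering supervisor and GL accounting unit perform.
    Returns a list of exception messages; an empty list means everything balances."""
    exceptions: List[str] = []
    totals = control_totals(batch)
    # 1. Batch control totals against the batch sheet (cashiering supervisor).
    for key in ("documents", "items", "amount"):
        if totals[key] != batch_sheet[key]:
            exceptions.append(f"{batch.batch_id}: {key} total {totals[key]} differs from batch sheet {batch_sheet[key]}")
    # 2. Batch amount against the deposit slip (deposits are made intact).
    if totals["amount"] != deposit_slip_amount:
        exceptions.append(f"{batch.batch_id}: batch amount {totals['amount']} differs from deposit slip {deposit_slip_amount}")
    # 3. Amount posted to A/R detail plus suspense against the deposit (GL accounting).
    posted = sum(post_batch(batch).values(), Decimal("0"))
    if posted != deposit_slip_amount:
        exceptions.append(f"{batch.batch_id}: posted {posted} (incl. suspense) differs from deposit {deposit_slip_amount}")
    # 4. Detailed receivable records against the GL control account.
    detail_total = sum(ar_detail_balances.values(), Decimal("0"))
    if detail_total != gl_control_balance:
        exceptions.append(f"A/R detail total {detail_total} differs from GL control account {gl_control_balance}")
    return exceptions


# Constructed sample data: one day's batch of three documents (four items).
SAMPLE_BATCH = Batch("B-0001", "2XXX-06-30", (
    Document("CHK-1001", (Item("C-100", Decimal("250.00")),)),
    Document("CHK-1002", (Item("C-200", Decimal("100.00")), Item("C-300", Decimal("50.00")))),
    Document("CHK-1003", (Item(None, Decimal("75.00")),)),  # new customer, no remittance advice
))
SAMPLE_BATCH_SHEET = {"documents": 3, "items": 4, "amount": Decimal("475.00")}
SAMPLE_AR_DETAIL = {"C-100": Decimal("1000.00"), "C-200": Decimal("500.00")}


def demo(deposit_slip_amount: Decimal = Decimal("475.00"),
         gl_control_balance: Decimal = Decimal("1500.00")) -> List[str]:
    """Reconcile the sample batch; vary the arguments to see exceptions raised."""
    return reconcile(SAMPLE_BATCH, SAMPLE_BATCH_SHEET, deposit_slip_amount,
                     gl_control_balance, SAMPLE_AR_DETAIL)


if __name__ == "__main__":
    print(demo() or "batch balances")
    for line in demo(deposit_slip_amount=Decimal("470.00")):
        print(line)
```

The check that posts the unknown-customer receipt to suspense is what lets the deposit stay intact while the A/R unit resolves the item later; if the suspense posting were omitted, check 3 would report a shortfall even though the bank deposit was correct.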


Cash Receipts and Accounts Receivable Processing -- Flowchart

[Flowchart not reproduced in this transcript. Swimlanes: Mailroom, Cashier, Accounting System, Program Unit, GL Accounting. Recoverable steps: mailed receipts (checks, currency) slit open automatically and delivered in a locked container to the Cashier; all checks and payment coupons scanned electronically, non-barcoded receipts keyed in; counter sales collected on a cash register, cash balanced to the register total and transmittal documents prepared; cashiering supervisor reviews accuracy of data input, authorizes batches and compares deposits to batch sheets; bank deposit prepared (deposit slip #1 with the deposit picked up by armored car, deposit slip #2 to GL Accounting, deposit slip #3 filed with batch sheets); accounting system updates the A/R subsystem and posts the cash receipts journal; billing information interfaced from the Program Unit’s system; invoices mailed to customers; A/R unit resolves postings to the suspense account, updates the customer database, contacts past due accounts and performs other collection activities (A/R listing, aging and suspense account reports); Program unit reviews undeliverable mail and answers customer questions; GL Accounting posts activity to GL control accounts (cash, accounts receivable, revenue), reconciles the A/R subsystem to the GL and reconciles the bank statement received from the bank. Control points S-1 through S-9 and W-1 on the chart are keyed to the Control Findings that follow.]


[Agency Name] Cash Receipts/Accounts Receivable Processing

Control Findings, June 30, 2XXX

Strength/Weakness; Explanation

S-1 Cash register used for over-the-counter receipts

Cash register (locked; cannot be turned back) used to process over-the-counter receipts. Register tape and register readings balanced to daily collections by Admin staff supervisor, who has no responsibility for cashiering duties.

S-2 Mail handling procedures

Remittances are mailed to designated PO boxes. DofA picks up mail; delivers to agency mailroom. Mailroom examines for suspicious packaging; then slits open automatically. Slit mail immediately/directly delivered to Cashier Unit (in a secured location) in locked container. Contents removed in presence of two or more cashiering employees. Checks immediately restrictively endorsed.

S-3 Daily collections deposited intact, even if disposition unknown

Processing of checks from new customers or checks without remittance advice is not delayed. Deposited with other receipts collected for that day and credited to a suspense account for later resolution by A/R unit.

S-4 Independent verification of cash receipts batches and deposits

Cashiering supervisor reviews accuracy of data input, verifies deposit amount, compares totals to batch summary sheets (including credits to suspense account), and releases batches for processing.

S-5 Responsibilities for cash collection and deposits segregated from A/R record keeping

Cash receipts information maintained in separate cashiering system; data is uploaded to accounting system, which automatically updates detailed receivable records.

S-6 Billing documentation independently maintained; not accessible to others.

Billing information initiated in and maintained by Program unit. Billing information uploaded to accounting system, which automatically updates detailed receivable records and generates customer invoices.

S-7 Control over invoices and credit memos

Invoices automatically generated in sequential order as result of billing system upload. Once posted to the accounting system, invoiced amounts cannot be changed; they can be adjusted only by an authorized credit memo or adjustment transaction. Program unit reviews report of all non-cash credit adjustments posted for month and listing of accounts receivable with credit balances.

S-8 Undeliverable mail and customer questions

Returned mail containing invoices and customer questions directed to Program unit for resolution.

S-9 Performance of independent reviews, comparisons, and reconciliations

GL accounting unit (1) reconciles A/R detail records to GL control account; (2) compares deposit detail to bank statement; (3) reconciles bank statement; (4) performs year-to-year revenue comparison; (5) reviews number of permits/licenses issued to revenues collected.

W-1 Controls over customer database

A/R unit updates customer database. To reduce the possibility of fraudulent activity, update capabilities should be limited to specific personnel within the A/R unit who have no responsibilities/no system access for posting cash receipts, credit memos or other adjustments to the detail receivable records.


13.3.3 Payroll cycle

The focus of this section is on the payroll transaction cycle. This cycle includes authorization to update the SABHRS for new and terminated employees and wage/salary adjustments; the recording of daily work time and attendance by employees; supervisory review and approval of time records; data input into the central payroll system; monthly payroll processing and paycheck preparation; and paycheck distribution. Agencies may also decide to review in greater detail the related processes, e.g., employee receivables resulting from overpayments.

13.3.3.1 Overriding control objectives

No payments are made to fictitious employees. No overpayments are made to bona fide employees. Payroll-related expenses are properly accrued and classified in the financial statements.

13.3.3.2 Applicable statutes, rules, policies, and procedures

MOM Volume III; SABHRS Manuals; [Agency-specific standards and procedural manuals]

13.3.3.3 Automated information systems in use

SABHRS; [Agency-specific systems and interfaces]

13.3.3.4 Key reports

Report Name Title

Time Validation Reports MTTL1202 & MTTL1202P

Payable Status Report TL001

Payroll Register PAY002

Employee Compensation Changes PER013

One Time Deduction Overrides MTBA3516

Payroll Error Messages PAY011

Payroll Summary PAY018

Advice Register DDP004

Check Register PAY004

Leave Accrual MTBA2101

Deduction Register PAY001

Deductions in Arrears PAY007

Tax Deposit Report TAX001

Over 5000 and % Pay Audit MTPY5104

Pay Rate Audit MTPY5105

Special Conditions Report MTPY4401

Payroll Expenditures Report MTPY5103

MT_TL_RPTD_HRS_MORETHAN_80

MT_TL_NO_PAYABLE_TIME


MT_TL_TR_STATUS_YES

MT_TL_TTL HRS_BY_Payable_STATUS

MT_TL_TTL_RPTLHRS_SUBM_APPR

13.3.3.5 Questions for determining risk

Segregation of Duties

Are responsibilities for personnel (human resources), time recording and supervisory review, payroll processing/paycheck preparation, paycheck distribution and general ledger functions assigned to provide a division of duties?

Are responsibilities for payroll processing adequately segregated from the general ledger function?

Is payroll distribution supervised by employees who:

take no part in timekeeping (data input) and payroll processing/paycheck preparation?

have no update access to the SABHRS?

Is reconciliation of the payroll bank account done regularly by employees independent of all other payroll transaction processing activities?

Personnel Controls

Do personnel procedures and controls include the following?

All changes in employment (additions and terminations), salary and wage rates, and payroll deductions are properly authorized and documented.

Payroll processing function is promptly notified of additions, separations, changes in salaries/wages and deductions.

Appropriate records are maintained for accumulated employee benefits (vacation, sick leave, etc.).

Time Recording/Supervisory Controls

Do time recording/supervisory procedures and controls include the following?

Maintenance of detailed records of hours worked and approved, when appropriate.

Procedures established to ensure that supervisory personnel verify hours worked, including overtime hours.

Written procedures for authorizing, approving and recording vacation, holidays, sick leave, personal business leave, shift differential, etc. and for approving and controlling compensatory time.

Procedures established for timekeeping (inputting time and attendance into payroll system).

Additional timekeeping procedures that include reviewing time records for supervisor’s approval and completeness and accuracy.

Payroll Processing Controls

Do payroll processing procedures and controls include the following?


Approval and documentation of all changes to the master payroll file.

Limiting access to the master payroll file to employees who are authorized to make changes.

Review and approval of completed payroll registers before disbursements are made.

Review for reasonableness of comparisons of gross pay for current to prior period payrolls by a knowledgeable person not otherwise involved in payroll processing.

Balancing the distribution of dollars and hours of gross pay with payroll registers.

Procedures to ensure that requests for payroll advances to officials and employees comply with policy.

Payroll Disbursement and Paycheck Distribution Controls

Do payroll disbursement procedures and controls include the following?

Strong encouragement for all employees to receive payroll disbursement through “direct deposit” to their bank account or through prepaid payroll cards.

Controls to secure the signature plates and payroll check-signing machines.

A log is maintained to reconcile the counter on the check-signing machine with the number of checks issued.

A separate payroll bank account is maintained.

The payroll bank account is reconciled by someone independent of payroll processing.

The supply of unused payroll checks is secured.

A formal process to control and dispose of unclaimed paychecks.

A formal process to control and verify returned W-2s.

Review and approval of gross pay adjustment report by non-payroll manager before paychecks and direct deposit stubs are distributed to employees.

Distribution of paychecks and direct deposit stubs by non-payroll staff.

Periodic distribution of payroll checks by the internal auditors or other independent party, to ascertain employees exist for all checks prepared.

General Ledger Controls

Do general ledger procedures and controls include the following?

Adequate account coding procedures for classification of employee compensation and benefit costs, so such costs are recorded in the proper general ledger account.

Proper recording or disclosure of accrued liabilities for unpaid employee compensation and benefit costs.

Reconciliation of payroll data posted to general ledger to the payroll reports.

Controls Related to Grants

Do payroll and personnel policies/controls include the following?

Controls to ensure that payroll costs charged to grants are in compliance with grant agreements.

Payroll and personnel policies governing compensation are in accordance with the requirements of grant agreements.


13.3.3.6 Documentation

Describe the processing activities, both manual and automated, and the document flow. Identify control check points and control activities. Use either a narrative approach or provide flowcharts and diagrams, or a combination of both.

The narrative and flowchart which follow are provided as examples only. Their purpose is to give agencies a starting point. Agencies are encouraged to modify them as necessary to document their own processing activities.


Payroll Processing – Narrative

Operational Units/Sections

Activities Documents, Reports, Systems

Initiating Transactions in Personnel Database

Agency Human Resources Unit

1. Human resources unit consults with hiring manager on salary/wage rate, any special hiring conditions and/or contractual obligations related to open position. Upon acceptance of job offer, hiring manager completes hiring form and forwards to human resources unit to add employee to SABHRS.

(1) Applications, union contracts, Personnel Action forms, disciplinary documentation; (2) SABHRS

2. Human resources unit also serves as a consultant to management for disciplinary problems and provides counsel concerning warnings, probation and termination. Upon termination or resignation, employee’s manager completes form and forwards to human resources unit to remove employee from active status in SABHRS.

3. Only State Personnel Division (SPD) at DofA and agency HR personnel have access to update SABHRS and then transmit employee status and pay rate information to the central payroll processing system.

4. Human resources unit provides timely notice of new hires and terminations/resignations to payroll processing unit.

Supervision and Timekeeping

Agency Business Units

1. Employees record time worked/attendance using manual timesheets or the electronic time capture system. Employees are required to sign manual timesheets.

(1) Manual time records; (2) electronic time capture system, OSPA

2. Supervisors timely review and approve time records, verifying hours worked (including overtime hours). Supervisors also verify that holidays, sick leave, vacation, etc. have been appropriately recorded. Supervisors indicate approval by signing manual time records or by approving the electronic record. Manual timesheets are forwarded directly to the timekeeping function.

3. Timekeepers manually input time/attendance data from manual timesheets into the central payroll processing system on SABHRS. Timekeepers enter approved time records only. Correction of errors must be reviewed and approved by the appropriate supervisor.

NOTE: Timekeeping function (data entry) may also be performed by agency payroll unit and into an agency system.


4. Work time/attendance entered and “locked” in the electronic time capture system is automatically interfaced to SABHRS.

Agency Payroll Processing

Agency Payroll Unit

1. Payroll unit processes W-4s/W-5s, direct deposit enrollment forms, garnishments and other miscellaneous deductions and updates SABHRS; payroll unit has established procedures to ensure timely payment/accurate calculation of garnishments, child support and similar deductions.

(1) Documentation for voluntary and involuntary deductions, benefit forms, expense reimbursement claims, time records; (2) SABHRS

2. Payroll unit also processes manual benefit forms received from field office locations and enters data into SABHRS.

3. Payroll unit/accounts payable unit have established procedures to ensure expense reimbursement claims processed through payroll represent bona fide business expenses and not additional income.

4. Payroll unit reviews time/attendance records, YTD accumulated payroll information, and control reports for errors and obtains appropriate approvals to make corrections and update SABHRS.

5. Payroll unit has established procedures to ensure documentation of time records, misc. deductions, salary changes, garnishments, adjustments, etc. is retained in accordance with state retention guidelines.

Central Payroll Processing

Central Payroll Processing Unit

1. State Payroll and the SABHRS bureau at DofA process bi-weekly payrolls. Personnel and voluntary/involuntary deductions are entered directly into SABHRS by agency payroll units.

(1) OSPA, access controls, reasonableness limit tests; (2) paychecks & direct deposit pay stubs; (3) YTD earnings records, tax reports, W-2’s, other control reports

2. Access to SABHRS controlled by separate Systems Security Officers; passwords reset every 90 days; failed attempts to access SABHRS reported by system.

3. Batch control requires manual override of net pay amounts over a set dollar amount; a special report identifies paychecks more than 2 times monthly salary.

4. Checks and direct deposit stubs delivered by central mail services to agencies and released only to agency personnel listed on log of approved signers maintained by SPD.

5. Daily off-cycle checks delivered only to authorized agency personnel (re-certified annually). SPD personnel who process these payments cannot receive/distribute the checks. Check numbers assigned by the system and tracked/compared against check stock.

6. SPD reconciles YTD earnings records with quarterly/annual tax reports, W-2s and control reports.

7. SPD uses CobiT standards for authorization, documentation, testing and approval of system changes.

Paycheck Distribution and Related Processes

Agency Payroll Unit and Business Units

1. Paychecks and direct deposit pay stubs distributed to employees by agency personnel who have no update access to SABHRS, no responsibility for manual timekeeping, and are not involved in payroll recordkeeping/paycheck preparation.

Paychecks & direct deposit pay stubs, check registers, unclaimed paychecks, returned W-2s

2. Payroll unit distributes copies of check register to managers showing them employees paid under their authority and responsibility.

3. Payroll unit has established formal processes to control and dispose of unclaimed payroll checks and verify returned W-2s.

General Control Activities

General Ledger Accounting Unit and Financial Services Units

1. SPD personnel compare payroll data interfaced from Agency systems to SABHRS using payroll reports.

2. Agency financial services units reconcile their payroll reports to postings in SABHRS and agency subsidiary accounting systems.

Payroll, general ledger reports, payroll reports, subsidiary system reports
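The central payroll controls described above (net pay over a set dollar amount needs a manual override, a special report for paychecks more than 2 times monthly salary, the MT_TL_RPTD_HRS_MORETHAN_80 and MT_TL_NO_PAYABLE_TIME queries in the key reports list, and the overriding objective that no payments go to fictitious employees) amount to an exception report run over the payroll register before checks are released. The block below is an added example written for this guidebook, not SABHRS code or output; the status codes, the 5000 override limit, the reading of "no payable time" as "paid with no reported time", and every employee and amount are constructed assumptions.

```python
"""Payroll exception checks of the kind the narrative describes, run over a
constructed payroll register.  Added example; thresholds are assumptions."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class HrRecord:
    status: str              # "A" = active, "T" = terminated (assumed codes)
    monthly_salary: Decimal


@dataclass(frozen=True)
class PayLine:
    employee_id: str
    gross_pay: Decimal
    net_pay: Decimal
    reported_hours: Decimal  # hours reported for the bi-weekly period


def payroll_exceptions(register: List[PayLine], hr_master: Dict[str, HrRecord],
                       net_pay_override_limit: Decimal) -> List[Tuple[str, str, str]]:
    """Return (employee_id, code, detail) tuples for every pay line that should be
    held for review before paychecks and direct deposit stubs are released."""
    out: List[Tuple[str, str, str]] = []
    for line in register:
        rec = hr_master.get(line.employee_id)
        # Existence check: no payments to fictitious or separated employees.
        if rec is None or rec.status != "A":
            out.append((line.employee_id, "NOT_ACTIVE",
                        "paid but not an active employee in the personnel master"))
        # Batch control: net pay above the set dollar amount needs a manual override.
        if line.net_pay > net_pay_override_limit:
            out.append((line.employee_id, "NET_PAY_OVER_LIMIT",
                        f"net pay {line.net_pay} exceeds override limit {net_pay_override_limit}"))
        # Special report: paycheck more than 2 times monthly salary.
        if rec is not None and line.gross_pay > 2 * rec.monthly_salary:
            out.append((line.employee_id, "OVER_2X_MONTHLY",
                        f"gross pay {line.gross_pay} exceeds twice monthly salary {rec.monthly_salary}"))
        # Time validation: more than 80 hours reported in the period.
        if line.reported_hours > 80:
            out.append((line.employee_id, "HOURS_OVER_80",
                        f"{line.reported_hours} hours reported"))
        # Assumed reading of the 'no payable time' query: paid with no reported time.
        if line.reported_hours == 0 and line.gross_pay > 0:
            out.append((line.employee_id, "NO_PAYABLE_TIME", "paid with no reported time"))
    return out


# Constructed personnel master and register for one bi-weekly payroll.
SAMPLE_HR: Dict[str, HrRecord] = {
    "E100": HrRecord("A", Decimal("4000")),
    "E200": HrRecord("A", Decimal("3000")),
    "E300": HrRecord("T", Decimal("3500")),   # terminated last period, still on register
}
SAMPLE_REGISTER: List[PayLine] = [
    PayLine("E100", Decimal("2000"), Decimal("1500"), Decimal("80")),
    PayLine("E200", Decimal("7000"), Decimal("5200"), Decimal("92")),
    PayLine("E300", Decimal("1750"), Decimal("1300"), Decimal("80")),
    PayLine("E999", Decimal("1200"), Decimal("900"), Decimal("0")),   # not in personnel master
]


def demo() -> List[Tuple[str, str, str]]:
    """Run the checks over the constructed register with a 5000 override limit."""
    return payroll_exceptions(SAMPLE_REGISTER, SAMPLE_HR, Decimal("5000"))


if __name__ == "__main__":
    for emp, code, detail in demo():
        print(f"{emp:6} {code:20} {detail}")
```

The existence check is the one that enforces the first overriding control objective: it depends on the personnel master being maintained only by the HR unit, which is why the narrative separates HR update access from payroll processing.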


Payroll Processing Flowchart

[Flowchart not reproduced in this transcript. Swimlanes: Agency HR, SPD, Agency Payroll, Business Unit. Recoverable steps: hire/fire decisions supported by employment application, termination notice, union contract or other approval and compensation determination; Agency HR updates SABHRS for new employees, terminated employees and pay structure, and updates the PEBB system for employee benefit choices (annual open enrollment and other benefit updates); Business Unit records attendance and work time, employee signs the time record, supervisor reviews and approves, timekeeper enters into SABHRS; Agency Payroll reviews timesheets, obtains approval to make corrections, updates SABHRS for W-4s/W-5s, direct deposit enrollment, garnishments, miscellaneous deductions and manual benefit forms received from field offices; SPD calculates and processes paychecks, produces check registers and management reports, paychecks and check stubs, YTD earnings records, payroll taxes and reports, employee W-2s and vendor checks; checks delivered to agencies, paychecks and stubs distributed by agency personnel who have no access to SABHRS HR; W-2s delivered to agencies for mailing to employees, tax reports mailed to taxing authorities, vendor checks mailed to vendors; GL accounts affected: salary and other payroll-related expenses, payroll tax expense, liabilities, cash. Control points S-1 through S-9 and W-1 on the chart are keyed to the Control Findings that follow.]


[Agency Name] Payroll Processing

Control Findings, June 30, 2XXX

Strength/Weakness; Explanation

S-1 Segregation of duties

Responsibilities for initiating updates to the personnel database, recording work time/attendance and supervisory approval, payroll processing and paycheck preparation, and paycheck distribution are appropriately segregated.

S-2 Timesheets forwarded directly to timekeepers

After manager reviews and approves timesheets, original copies are not returned to employees to avoid unapproved changes.

S-3 Data integrity

Timekeepers input only approved timesheets into payroll system and obtain approval for adjustments and corrections from appropriate managers.

S-4 Agency payroll unit review procedures

Agency payroll unit has established review procedures to ensure (1) deductions for garnishments, child support, etc., are timely paid and accurately calculated and (2) employees’ claims for expense reimbursement processed through payroll do not represent duplicate payments.

S-5 Access controls to payroll system

Access to SABHRS controlled by separate Systems Security Office. Passwords reset every 90 days.

S-6 Controls over paycheck distribution and data integrity

Paychecks/direct deposit stubs delivered directly from print to agencies by central mail services and released only to pre-approved agency personnel. Prior to distribution, the Gross Pay Adjustment report reviewed/signed by an agency manager not connected to payroll function. Paychecks/direct deposit stubs distributed to employees by non-payroll staff.

S-7 Controls over unclaimed paychecks and returned W-2s

Agency payroll unit has established formal procedures to control and dispose of unclaimed payroll checks and to verify returned W-2s.

S-8 Control over removal of terminated employees

Copies of check registers distributed to managers showing employees paid under their authority and responsibility.

S-9 Performance of independent comparisons and reconciliations

State Payroll reconciles payroll agency fund and compares data posted in SABHRS to payroll reports. Agency financial services units reconcile their agency payroll reports to postings in SABHRS and agency subsidiary systems.

W-1 Lack of statewide policy

The statewide accounting policy does not contain a payroll policy that requires all state agencies to distribute copies of the payroll register to managers for review.
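Both control-findings tables on this page turn on segregation of duties: the cash receipts weakness W-1 (customer database updates held by the same people who post cash receipts or credit memos) and strength S-5, and payroll strength S-1 (personnel updates, timekeeping, payroll processing and paycheck distribution kept apart). An agency can test such rules mechanically against its access assignments, because a user's effective functions are the union of everything every role grants them, and a conflict can arise from two individually harmless roles. The block below is an added example written for this guidebook, not an agency system or code from the original; the function, role and user names are constructed, and the conflict list is one reading of the findings above, not a statewide standard.

```python
"""Segregation-of-duties conflict check over a role/entitlement matrix.
Added example; role, user and function names are constructed."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Sequence, Set, Tuple

# Incompatible function pairs drawn from the control findings on this page
# (cash receipts W-1 and S-5; payroll S-1).  The function names are assumed.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"cash_receipt_posting", "customer_db_update"}),
    frozenset({"credit_memo_posting", "customer_db_update"}),
    frozenset({"cash_receipt_posting", "ar_record_keeping"}),
    frozenset({"cash_collection", "bank_reconciliation"}),
    frozenset({"hr_master_update", "payroll_processing"}),
    frozenset({"timekeeping_entry", "paycheck_distribution"}),
    frozenset({"payroll_processing", "paycheck_distribution"}),
    frozenset({"payroll_processing", "payroll_bank_reconciliation"}),
}

# Constructed role definitions and user-to-role assignments.
ROLES: Dict[str, Set[str]] = {
    "ar_clerk": {"ar_record_keeping", "suspense_resolution", "customer_db_update"},
    "cashier": {"cash_collection", "cash_receipt_posting"},
    "gl_accountant": {"bank_reconciliation", "value_table_maintenance"},
    "payroll_clerk": {"payroll_processing", "timekeeping_entry"},
    "mail_clerk": {"paycheck_distribution"},
}
USER_ROLES: Dict[str, Sequence[str]] = {
    "alice": ("ar_clerk", "cashier"),        # covering for a cashier on leave
    "bob": ("gl_accountant",),
    "carol": ("payroll_clerk", "mail_clerk"),
}


def effective_functions(user: str, user_roles: Dict[str, Sequence[str]],
                        roles: Dict[str, Set[str]]) -> Set[str]:
    """Expand a user's roles into the full set of functions they can perform."""
    funcs: Set[str] = set()
    for role in user_roles.get(user, ()):
        funcs |= roles[role]
    return funcs


def sod_violations(user_roles: Dict[str, Sequence[str]], roles: Dict[str, Set[str]],
                   conflicts: Set[FrozenSet[str]]) -> List[Tuple[str, str, str]]:
    """List every (user, function_a, function_b) where one user holds both halves
    of an incompatible pair, regardless of which roles grant them."""
    out: List[Tuple[str, str, str]] = []
    for user in sorted(user_roles):
        funcs = effective_functions(user, user_roles, roles)
        for a, b in combinations(sorted(funcs), 2):
            if frozenset({a, b}) in conflicts:
                out.append((user, a, b))
    return out


def demo() -> List[Tuple[str, str, str]]:
    """Run the check over the constructed matrix."""
    return sod_violations(USER_ROLES, ROLES, CONFLICTS)


if __name__ == "__main__":
    for user, a, b in demo():
        print(f"{user}: holds both {a!r} and {b!r}")
```

Run periodically (and whenever a temporary role is granted, as in the "alice" case), this turns the findings' segregation requirements into a repeatable monitoring step rather than a one-time review.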


14 Appendix E – Example employee survey on agency culture and personnel policies3

Response scale for each statement: Strongly Agree / Agree / Neither Agree nor Disagree / Disagree / Strongly Disagree

Agency Ethical Values

Awareness

1. I have read the agency’s code of conduct.

2. The agency’s code of conduct helps me identify unacceptable business practices.

Attitude

3. If I observe unacceptable behavior on the job and report it to a member of the management team, I believe that the matter will be investigated.

4. For the most part, agency employees act in an ethical manner.

5. For the most part, agency management acts in an ethical manner.

Actions

6. I believe that employees who act in an unethical manner will be dealt with appropriately (e.g., through diminished compensation, lack of advancement or termination).

7. In the past three years, I have been asked by someone senior to me to take action that would be considered unethical.

8. I know someone at the agency who, in the last three years, has been asked by someone senior to them to take action that would be considered unacceptable.

Agency Personnel Policies

Awareness

9. My job responsibilities have been communicated to me.

10. I understand my job responsibilities.

11. The criteria for assessing my performance have been communicated to me.

Attitude

12. The feedback I receive on my performance helps me improve.


13. The training I receive helps me do a better job.

Actions

14. The information I need to perform my job is received or communicated to me:

Accurately

Timely

Completely

15. I have been delegated the decision-making authority necessary to effectively perform my job.

16. For the most part, I have been provided with the following resources necessary to perform my job effectively:

Budget/funding

Personnel

Supervisory guidance

17. If a friend were considering employment at your agency and asked, “What is it like working there?” how would you respond?

All responses should be returned directly to the Internal Control Team.

The questions may be reworded to refer to the agency’s “stated” ethical or personnel policies. It is also a good idea to include a copy of the agency’s policies as part of the survey package.


15 APPENDIX F – Example of management inquiries regarding entity level controls4

Agency Culture (with a Notes column for responses)

1. As a manager, how do you incorporate the code of conduct into employee performance reviews?

2. If management becomes aware of an allegation of unacceptable behavior, what is the process for investigating the matter?

What feedback mechanisms exist for reporting such behavior?

Do you have any specific examples of actions taken by management?

If yes, how was management’s action communicated to and perceived by employees?

3. Has management identified incentive or other policies that may motivate unethical behavior by employees?

What are they? How do you monitor these policies for unintended consequences?

4. Has management become aware of any control deficiencies in the last three years?

How did you become aware?

What action was taken?

5. Do you receive all the information needed to perform your job effectively?

Is it reliable? Timely? Is anything missing?

6. Does senior management periodically discuss the agency’s culture and “tone at the top” and how these affect the overall effectiveness of controls?

What observations have been made?

What prevents this discussion?


Agency Personnel

7. Are internal control and financial reporting matters considered when establishing the organizational structure?

Does the delegation of responsibilities consider the need to segregate incompatible activities?

Are boundaries of authority established and communicated?

Alignment between Strategic Objectives and Controls

8. Are internal control and financial reporting implications considered in the strategic planning process?

9. What internal control issues were identified in the most recent strategic planning process?

10. How is progress in resolving control issues measured and monitored?

Risk Assessment

11. In the past three years, what new risks has the agency encountered?

Were the sources of the risks internal or external?

Were these risks anticipated?

How did the agency respond?

Anti-Fraud Programs and Controls

12. What steps does management take to instill a culture of honesty and high ethics that mitigates the risk of fraud from within the agency?

13. In what ways is the agency vulnerable to fraud?


Anti-Fraud Programs and Controls (Cont’d)

14. Are internal control policies and procedures designed to specifically address identified fraud risks?

15. Do personnel policies minimize the chance that dishonest employees will be hired and promoted?

Top-Level Reporting Processes

16. What is the process for handling nonsystematic, nonroutine transactions?

17. At what point in the process does management become involved in the accounting treatment for these items?

18. What process does the agency follow for making its significant accounting estimates?

What factors are considered when making significant assumptions about the estimate?

How do you know the information is reliable?

How is senior management involved in the review and approval of significant estimates?

19. How are accounting policies documented and communicated to those that may affect their proper implementation?

System-Wide Monitoring

20. What steps does management take to:

Periodically evaluate the design of internal control policies and procedures?

Understand the underlying causes for identified internal control deficiencies?

Take appropriate corrective action?


16 Appendix G – Example questions for individuals or focus groups5

1. Design of the Processing Stream is Effective

What documents or electronic files are necessary for you to perform your job? Who is the source of the documents? How do you access the electronic information?

In what ways do you add to, combine or otherwise manipulate the information?

What happens to the file or document when you’re finished?

When you discover errors, how do they get corrected?

What checks do you perform on the information you use to make sure it is accurate?

How do you know that you have received all of the transactions that you should receive?

How do you make sure you have processed everything you received and that no transactions are accidentally omitted?

When you’re processing the information, what steps do you take to make sure that no errors are introduced into the system? Are controls built into the system itself?

What signatures or other types of documentation are required before you process a transaction? How do you know that the transactions presented to you for processing are valid?

2. Control Procedures Operate Effectively

Consistency

What kinds of situations do you encounter for which agency policies or procedures do not exist?

How often do these kinds of situations occur?

If you encountered a situation or transaction for which no written policy exists, what would you do? Can you describe a specific situation(s)?

In what ways do written policies and procedures not make sense?

How do you work around these policies? How often do you do this? If you were in charge, what changes in policies and procedures would you make to improve their efficiency?

Although it might not be written, when is it “okay” to not follow written policies exactly? How do you know it is okay?

Do you think that others in the agency with the same job functions as you perform the job in the same way? If differences exist, what are they? What causes these differences?

Have you performed the procedures every day since the last annual evaluation of internal control effectiveness? Who took your place when you were not available to perform the procedures?


Have there been any changes to the procedures since the last internal control evaluation?

Qualifications of Personnel

Do you feel adequately trained to perform your duties?

If you could design the training for your position, what topics would you be sure to include? How did you learn these things? How long did it take you to learn these things? What else would you like to be trained in that would help you do your job better?

Incompatible responsibilities exist when one individual is in a position where they must both process data (for example, prepare invoices and post them to the accounts receivable subledger) AND check their own work for errors AND no one else checks their work. Have you observed situations like that in your department?

Indirect questions:

a. Suppose that someone was inclined to deliberately create an error in the reporting process, for example, by introducing a fictitious or unauthorized transaction. How would they do it without getting caught?

b. Which company assets are most vulnerable to employee theft? How could these assets “disappear” without someone finding out?

3. Overall Assessment of Effectiveness of Internal Control System

Overall, how effective are your control procedures at preventing or detecting and correcting errors? Consider the reliability of your system. If you had to give it a letter grade, what grade would you give it? What recommendations would you make to improve the system?

Indirect question:

a. Suppose that you leave the agency, and shortly after you leave, you learn that there was a serious error in the financial information submitted to the State Controller’s Division at year end that pertains to your department. What would that error be? Why was it never detected?


17 Internal controls over financial reporting – self-assessment tools

ENTITY LEVEL CONTROLS.........................................................................................98

EXPENDITURES/DISBURSEMENTS.........................................................................105

FINANCIAL CLOSE PROCESS..................................................................................110

PAYROLL PROCESSING...........................................................................................113

Revenue/Cash Receipts/Accts Receivable..................................................................117


Progress Status

Successfully meets standard.

Does not meet standard, but making satisfactory progress towards attainment.

Does not meet standard; underlying issues have not been addressed.

INTERNAL CONTROLS OVER FINANCIAL REPORTING

SELF-ASSESSMENT TOOL

ENTITY LEVEL CONTROLS

Period Ending:_____________________

Manager’s Signature / Date

Control Objectives

1. Transactions are valid and documented.

2. All valid transactions are recorded; none are omitted.

3. Transactions are authorized according to agency policy.

4. Transaction documentation is accurately prepared.

5. Transactions are properly classified.

6. Transaction accounting and posting is complete and proper.

7. Transactions are recorded in the proper fiscal period.

8. The risk of fraud or legal noncompliance is considered.

Resources

MOM Volume II 0900 – Basic Encoding Specifications

Montana Internal Control Guidebook

Control Environment

Description of Control N/A Comments Responsible Individual

1. A code of conduct and policies exist regarding acceptable business practices, conflicts of interest, and expected standards of ethical behavior.

2. The code of conduct includes a clear anti-fraud statement.


3. The importance of ethical behavior and strong controls is discussed with newly hired employees.

4. Periodically, employees are required to attend refresher training on the code of conduct.

5. Executive management has established an appropriate “tone at the top” that has been communicated to and is practiced by executives and management throughout the agency.

6. Management takes appropriate disciplinary action in response to departures from the code of conduct; employees understand the consequences of violating the code of conduct.

7. The agency has a planned, integrated and documented approach to managing the risk of fraud; responsibility for the anti-fraud program is specifically assigned.

8. A structured process for incident investigation and remediation has been developed. Investigative roles and responsibilities are clearly delineated, and a tracking mechanism allows management to report on material fraud events.

9. Specific anti-fraud policies and training have been developed; periodically, employees receive training on fraud awareness and appropriate actions to take when fraud is suspected.

10. The agency follows up on and investigates allegations of fraud in a timely manner.

11. Personnel responding to suspected fraud have been appropriately trained and work cooperatively with Secretary of State Audits Division, DAS Risk Management and the Department of Justice.

12. As part of the anti-fraud training, employees are informed they may anonymously report suspicion of fraud/financial misconduct through the online fraud reporting system at http://[email protected] or by calling the Fraud Hotline at 1-800-222-4446.

13. As part of the anti-fraud training, employees are informed that public employees who report fraud are protected against retaliatory or disciplinary action under the provisions of state law.

14. Management acknowledges the importance of the data processing and accounting functions, and shows concerns about the reliability of financial reporting and safeguarding of assets.

15. Accounting operations and budgeting are strategically linked to enable strong synchronization and coordination between the budgetary function and financial accounting.

16. Staffing levels are adequate with respect to the data processing and accounting functions; people possess the requisite skill levels relative to the size, nature and complexity of the agency’s activities and systems.

17. There are policies and procedures for authorization and approval of transactions, including acquisitions, dispositions, disbursements, cash receipts/deposits.

18. Incompatible duties within significant accounts or significant processes are segregated.

19. The agency has established appropriate lines of authority and responsibility that ensure important decisions are directed to senior executives through proper approval channels.


20. Management provides personnel with access to relevant training.

21. Standards exist and are enforced that call for hiring the most qualified individuals based on skills, knowledge and experience, and evidence of integrity and ethical behavior.

22. Screening procedures include thorough background checks, particularly for personnel to be hired into senior or sensitive positions.

23. Job performance is periodically evaluated and reviewed with each employee.

Information & Communication

24. Internal information is generated and reported regularly by the agency’s financial information systems.

25. Operating results are reviewed and compared against budgets at regular intervals.

26. Pertinent financial information is identified, captured, processed and reported to the right people in sufficient detail and in a timely fashion, allowing them to carry out their responsibilities.

27. Mechanisms are in place to ensure changing information needs are met.

28. Management adequately staffs and designs the IT department to support the agency’s overall business objectives; the strategic plan for IT systems is linked to the agency’s overall strategies.

29. There are defined responsibilities for personnel responsible for implementing, documenting, testing, and approving changes to computer programs and systems.

30. There is regular back-up of application programs and data files.

31. The agency has a disaster recovery plan in place that allows for the timely recovery of information. The plan is tested regularly and updated as the operations change.

32. Overall, there is a high level of user satisfaction with the IT systems, including reliability and timeliness of reports.

Monitoring

33. Management monitors relevant external and internal information and considers the impact on the internal control structure.

34. Procedures are in place to monitor when controls are overridden and to determine if the override was appropriate.

35. Management takes appropriate action on exceptions to policies and procedures.

36. Management responds timely to weaknesses identified by the external auditors; there are no repeat material control weaknesses reported in the Statewide Single Audit Reports.

37. Management responds timely to internal audit findings and recommendations.

38. Internal and external audit findings and comments are provided to the audit committee/governing board.

39. Complaints of improper financial matters by suppliers, regulators or other external parties are fully investigated and documented.


40. Controls that should have prevented/detected a problem are reassessed when problems occur.

41. Supervisory personnel perform various random and structured reviews to ensure control procedures are functioning as expected.

42. Personnel with requisite skills evaluate appropriate portions of the internal control system.

43. Mechanisms are in place for employees to report deficiencies in internal control to management on a timely basis.

44. Periodically, access to financial systems is reviewed by management and modified as needed.

Risk Assessment

45. Management has established a strategic planning process that guides the organization as a whole. Entity-wide goals and objectives are linked to budgeting, operating and reporting functions.

46. Activity-level objectives are linked with entity-wide objectives and strategic plans; program managers are held accountable for achieving activity-level objectives within budgetary constraints.

47. Management has established a process to periodically review and update entity-wide strategic plans and objectives.

48. Management identifies risks related to each of the established objectives and evaluates them as part of the business planning process.

49. Management identifies financial reporting risks that result from operations or compliance with laws and regulations.


50. Management identifies fraud risk factors, with particular attention given to management override of controls and the potential that senior management is the perpetrator.

51. Management involves appropriate personnel and conducts brainstorming sessions to identify specific fraud schemes.


Progress Status

Successfully meets standard.

Does not meet standard, but making satisfactory progress towards attainment.

Does not meet standard; underlying issues have not been addressed.

INTERNAL CONTROLS OVER FINANCIAL REPORTING

SELF-ASSESSMENT TOOL

EXPENDITURES/DISBURSEMENTS

Period Ending:_____________________

Manager’s Signature / Date

Control Objectives

1. Transactions are valid and documented.

2. All valid transactions are recorded; none are omitted.

3. Transactions are authorized according to agency policy.

4. Transaction documentation is accurately prepared.

5. Transactions are properly classified.

6. Transaction accounting and posting is complete and proper.

7. Transactions are recorded in the proper fiscal period.

8. The risk of fraud or legal noncompliance is considered.

Resources

MOM II 8100 – Fiscal Year End Procedures

MOM II 0600 – Expenses/Expenditures/Payables

MOM 1 0300 – Travel

Procurement Card Acceptable Use Policy

General

Description of Control N/A Comments Responsible Individual

1. No one individual is allowed to control all key aspects of an expenditure transaction, meaning the following responsibilities are performed independently: expenditure authorization; purchasing; receiving; invoice approval; invoice payment; verification and batch release; mailing of checks/warrants; and reviews and reconciliations.

2. Refresher training is provided periodically to agency personnel on policies/procedures related to cash disbursements, including travel claims and procurement cards (e.g., Procard Card program), and on transactions requiring purchase orders and/or contracts.

3. A mechanism for delegating expenditure authority exists; it is documented, easily accessible and up to date.

Purchasing

4. Procedures are in place to ensure items are procured using statewide term contracts, when applicable.

5. Thresholds and procedures for obtaining competitive bids/quotations for items not available through statewide term contracts are in place and conform to statewide policies, administrative rules and statutory authority.

6. Procedures for using sole source vendors exist and conform to statewide policies, administrative rules and statutory authority.

7. Open purchase orders are reviewed periodically by individuals independent of the purchasing and receiving functions.

Receiving

8. Contents of incoming shipments, as listed on the packing slip/bill of lading/vendor invoice, are compared to physical products received.

9. Procedures are in place to ensure adequate cut-off of receipts at year end, so that expenditure accruals are recorded only for goods/services received in the current period.

Processing Invoices for Payment


10. Policies and procedures exist that describe documentation requirements and are readily accessible by agency personnel.

11. Only original invoices are processed for payment; special processes exist to deal with electronic invoices and lost/missing original invoices.

12. Invoices are matched to supporting documents (receiving records, purchase orders or other forms of purchase authorization); prices, extensions and discounts are checked for accuracy; expenditure coding is completed.

13. Completed invoice/voucher packages are reviewed and approved by appropriate manager.

14. Authorized signatures, account coding, T-codes, etc. are independently verified prior to data entry.

15. Individual with no update access reviews accuracy of data input; then releases batches for payment.

16. Security access differentiates between data input and payment release responsibilities.

17. Paid invoices are stamped or perforated to prevent duplicate payments.

18. Post-payment audit procedures and exception reports have been developed for detection of duplicate payments.

19. Warrants/checks are mailed directly from printing location; procedures are in place to ensure that once signed, manual checks are not returned to the disbursements unit for mailing.

20. Warrants/checks flagged for special handling are returned to non-disbursements personnel to be logged and held for pick up. They are stored in a locked safe overnight, and the signature of the business unit employee is obtained when the warrant/check is picked up. Logs are independently reviewed for unusual patterns.

21. Procedures are in place to ensure credit is received for goods returned to vendors; credit adjustments are accurately calculated and recorded; refunds are obtained from vendors if appropriate.

22. Periodically, employees not involved in purchasing functions or invoice processing perform post-payment audits to ensure agency expenditures/disbursements:

Are made to appropriate suppliers and comply with agency and statewide purchasing policies;

Are approved by personnel with appropriate authority;

Are made only for goods/services received;

Are accurately calculated;

Are recorded in the appropriate period; and

Are properly coded for accounting and program purposes.

23. There are no individuals handling cash disbursements who also have duties related to cash receipts or the reconciliation of bank statements.

24. Blank check stock is stored in a secure location and inventoried on a regular and spot-check basis. The numerical sequence of issued checks is reviewed for missing check numbers.

25. Cut-off procedures are in place to ensure that amounts for unbilled goods and services received prior to fiscal year end are computed and accrued as current year liabilities.


System Controls

26. Access to the vendor master file is limited to appropriate individuals and is monitored.

27. Valid changes to the vendor master file are input and processed in a timely manner.

28. The function to update the vendor master file is separate from processing invoices for payment and signing and distributing checks.


Progress Status

Successfully meets standard.

Does not meet standard, but making satisfactory progress towards attainment.

Does not meet standard; underlying issues have not been addressed.

INTERNAL CONTROLS OVER FINANCIAL REPORTING

SELF-ASSESSMENT TOOL

FINANCIAL CLOSE PROCESS

Period Ending: ______________________

Manager’s Signature / Date

Control Objectives

1. Transactions are valid and documented.

2. All valid transactions are recorded; none are omitted.

3. Transactions are authorized according to agency policy.

4. Transaction documentation is accurately prepared.

5. Transactions are properly classified.

6. Transaction accounting and posting is complete and proper.

7. Transactions are recorded in the proper fiscal period.

8. The risk of fraud or legal noncompliance is considered.

Resources

MOM II 0200 – Introduction

MOM II 8100 – Fiscal Year End Procedures

Policies, Procedures and Responsibilities

Description of Control N/A Comments Responsible Individual

1. Accounting personnel responsible for recording transactions, making adjustments and performing year end closing activities have the requisite accounting knowledge, skills and experience to perform their duties in accordance with GAAP and governmental accounting and reporting standards.

2. Agency accounting policies and procedures exist, are kept current and are communicated to appropriate personnel; agency accounting policies conform to the MOM II and GAAP authoritative guidance.

3. Agency account and object classifications are aligned with policies and are consistently used.

4. Accounting personnel are included in statewide mail lists.

5. Agency year end close procedures exist, are kept current and are communicated to appropriate personnel; agency close procedures conform to the Agency Guide to Year End Closing and include responsibilities, checklists, due dates and disclosure updates.

6. Appropriate accounting personnel attend statewide year end close training, conduct timely preclosing reviews, and respond promptly to questions from APFRS accounting staff.

7. Duties are appropriately segregated in the closing process.

8. Access to agency accounting and reporting applications is limited to appropriate individuals and is password protected.

9. Journal entry input is restricted to authorized personnel.

10. Standardized journal entries are used for recurring journal entries.

11. A checklist exists to document the standard closing journal entries made at month-end, quarter-end and year-end.

12. Journal entries have adequate supporting documentation and are independently validated and approved by the appropriate level of management before being posted.

13. Procedures detailing the calculation of specific accruals and rules regarding reserves and write-offs are clearly defined, consistently applied and monitored.

14. A procedure is in place to identify and communicate transaction/events that have significant accounting and/or reporting implications to the accounting unit.

15. Material nonroutine and nonsystematic transactions (e.g., prior period adjustments, debt issuance, debt refundings) are reviewed by the appropriate level of manager; the manager’s signature on a journal entry log or supporting documentation serves as evidence of the review.

16. All account balances are reconciled prior to closing the books, including confirmation that interagency transactions are in balance and that subledgers have been reconciled to general ledger control accounts.

17. Account reconciliations are reviewed and approved by the appropriate manager; current year balances are compared to the prior year; significant variances and reconciling items are investigated and resolved timely.

18. The CAFR Questionnaire is submitted by an employee with commensurate knowledge and experience to APFRS.


Progress Status

Successfully meets standard.

Does not meet standard, but making satisfactory progress towards attainment.

Does not meet standard; underlying issues have not been addressed.

INTERNAL CONTROLS OVER FINANCIAL REPORTING

SELF-ASSESSMENT TOOL

PAYROLL PROCESSING

Period Ending:_____________________

Manager’s Signature / Date

Control Objectives

1. Transactions are valid and documented.

2. All valid transactions are recorded; none are omitted.

3. Transactions are authorized according to agency policy.

4. Transaction documentation is accurately prepared.

5. Transactions are properly classified.

6. Transaction accounting and posting is complete and proper.

7. Transactions are recorded in the proper period.

8. The risk of fraud/financial misconduct is considered.

Resources

Montana Statewide Personnel and Payroll Services home page

http://hr.mt.gov/HRServices/policies.asp

Access Controls

Description of Control N/A Comments Responsible Individual

1. Access to SABHRS is based on the individual user’s role and job responsibilities.

2. Access to SABHRS for approving payroll adjustments is restricted to a lead worker or manager/supervisor only.

3. Dual “update” access to SABHRS personnel database is not allowed.


4. Human resources unit processes new hires and terminations in SABHRS in a timely manner and provides timely notification to payroll processing unit.

Time and Attendance

5. Employees are required to record actual time worked and attendance; when manual timesheets are used, employees are required to sign their timesheets.

6. Each employee’s direct supervisor/manager verifies that hours worked (including overtime hours) and leave time are accurately recorded, indicating approval by signing manual time records or by “locking” the electronic record.

7. Supervisors/managers forward manual timesheets directly to the timekeeping function.

8. Timekeepers enter approved timesheets only.

Payroll Processing

9. Payroll unit has established procedures to ensure timely processing and accurate calculation of direct deposit enrollment forms, garnishments, child support and other miscellaneous deductions.

10. Payroll unit/accounts payable unit have established procedures to ensure expense reimbursement claims processed through payroll do not duplicate claims paid through accounts payable.

11. Payroll unit reviews time/attendance records, YTD accumulated payroll information and control reports for errors and obtains appropriate approvals to make corrections and update SABHRS.

12. Payroll errors affecting employees’ YTD totals for wages and withholdings are promptly corrected (within 30 days).

13. Employees are given timely notice (within 30 days) of payroll-related overpayments and a method of recovery is established.

14. Controls that should have prevented/detected payroll overpayments and other payroll errors are reassessed when problems occur.

Paycheck Distribution

15. A non-payroll manager/supervisor reviews and approves (by signing) the Gross Pay Adjustment report prior to release of paychecks to employees. Items identified during the review that appear to be unusual, potentially erroneous or otherwise questionable are brought promptly to the attention of the payroll staff, payroll manager or other manager who supervises the agency’s payroll function.

16. Paychecks and direct deposit pay stubs are distributed to employees by agency personnel who have no update access to SABHRS, no responsibility for manual timekeeping, and are not involved in payroll recordkeeping/paycheck preparation.

17. Payroll unit distributes copies of check register to managers showing them employees paid under their authority and responsibility.


18. Payroll unit has established formal processes to control and dispose of unclaimed payroll checks and verify returned W-2s.


Reconciliation, Confidentiality and Archival Requirements

19. State Payroll Bureau reconciles SABHRS payroll reports to agency postings and agency subsidiary accounting systems.

20. Procedures have been developed that are closely monitored to ensure confidentiality of employee personal information.

21. Payroll unit has established procedures to ensure documentation of time records, misc. deductions, salary changes, garnishments, adjustments, etc. is retained in accordance with state retention guidelines.

http://arcweb.sos.state.or.us/rules/OARS_100/OAR_166/166_300.html


Progress Status

Successfully meets standard.

Does not meet standard, but making satisfactory progress towards attainment.

Does not meet standard; underlying issues have not been addressed.

INTERNAL CONTROLS OVER FINANCIAL REPORTING

SELF-ASSESSMENT TOOL

REVENUE/CASH RECEIPTS/ACCTS RECEIVABLE

Period Ending:_____________________

Manager’s Signature / Date

Control Objectives

1. Transactions are valid and documented.

2. All valid transactions are recorded; none are omitted.

3. Transactions are authorized according to agency policy.

4. Transaction documentation is accurately prepared.

5. Transactions are properly classified.

6. Transaction accounting and posting is complete and proper.

7. Transactions are recorded in the proper fiscal period.

8. The risk of fraud or legal noncompliance is considered.

Resources

MOM II, Chapter 1200 – Cash

MOM II, Chapter 1100 – Revenues and Receivables

http://doaforms.mt.gov/AccountingForms/default.asp

Additional procedures to assist with bank reconciliation and other management memos

http://doaforms.mt.gov/AccountingForms/mgtmemos.asp

Order Processing/Shipping

Description of Control N/A Comments Responsible Individual

1. Order entry data is transferred completely, accurately and promptly to the shipping and invoicing activities.

2. Inventory is released for shipping/delivery only upon the authorization of the customer order.

3. Shipped orders are transferred promptly for invoicing.

4. Period-end procedures exist and are followed to ensure proper cutoff of shipping activity and that sales are recorded in the appropriate period.

5. Shipping documents are pre-numbered; the sequence is checked for missing documents.

6. The shipping function is properly segregated from the invoicing and accounts receivable functions.

Invoicing

7. All goods shipped/services provided/penalties levied during the period are invoiced.

8. All invoices issued relate to valid shipments, levies or services provided.

9. All invoices issued are recorded; invoices are pre-numbered and the sequence is checked for missing documents.
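Items 5 and 9 both depend on a periodic check of a pre-numbered sequence for missing documents. The following Python check is an added example, not part of the Guidebook: it takes the numbers recorded for a period, the void log, and the issued range (all sample values below are constructed) and reports gaps, duplicates, numbers that were voided yet still recorded, and numbers outside the issued range.

```python
"""Sequence check for pre-numbered documents (shipping documents,
invoices, checks).  Added example, not part of the Guidebook; the
document numbers and void list at the bottom are constructed sample data."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class SequenceReport:
    missing: list = field(default_factory=list)          # in range, never recorded, not voided
    duplicates: list = field(default_factory=list)       # recorded more than once
    voided_but_used: list = field(default_factory=list)  # in the void log but also recorded
    out_of_range: list = field(default_factory=list)     # recorded but outside the issued range

    def is_clean(self) -> bool:
        """True when every issued number is accounted for exactly once."""
        return not (self.missing or self.duplicates
                    or self.voided_but_used or self.out_of_range)


def check_sequence(recorded, voided, first, last) -> SequenceReport:
    """Compare recorded document numbers against the issued range
    first..last (inclusive).  A voided number is expected to be absent;
    every other number in the range is expected exactly once."""
    counts = Counter(recorded)
    report = SequenceReport()
    for number in range(first, last + 1):
        seen = counts.get(number, 0)
        if number in voided:
            if seen:
                report.voided_but_used.append(number)
        elif seen == 0:
            report.missing.append(number)
        elif seen > 1:
            report.duplicates.append(number)
    report.out_of_range = sorted(n for n in counts if n < first or n > last)
    return report


# Constructed sample: an invoice register for one period and its void log.
SAMPLE_RECORDED = [1001, 1002, 1002, 1004, 1006, 1007, 1010]
SAMPLE_VOIDED = {1003, 1006}
SAMPLE_FIRST, SAMPLE_LAST = 1001, 1007

if __name__ == "__main__":
    report = check_sequence(SAMPLE_RECORDED, SAMPLE_VOIDED, SAMPLE_FIRST, SAMPLE_LAST)
    print("missing:", report.missing)                  # [1005]
    print("duplicates:", report.duplicates)            # [1002]
    print("voided but used:", report.voided_but_used)  # [1006]
    print("out of range:", report.out_of_range)        # [1010]
```

Each finding maps to a follow-up the checklist already calls for: a missing number is a document to locate, a duplicate or a voided-but-used number is a posting to investigate.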

10. Invoices issued are recorded as revenue and accounts receivable when not paid at time of delivery.

11. Invoices are recorded in the appropriate period.

12. Undeliverable invoices are returned to the program unit; customer questions and complaints are directed to the program unit.

13. Processes are in place to ensure that invoices are accurately calculated.

14. Once posted to accounts receivable, invoiced amounts can be adjusted only through a properly authorized credit memo or other adjustment transaction.

15. A process has been established to ensure that all credit adjustments are valid, properly calculated and recorded.


Revenue Analysis

16. Periodically, the number of licenses/permits issued or the number of products sold per the physical inventory count is compared to recorded sales to ensure all sales have been recorded.

17. Other revenue types are compared to prior year data and multi-year trends.

Cash Receipts

18. Responsibilities for collecting cash receipts are adequately segregated from those for recording and depositing cash receipts and posting general ledger entries.

19. Employees with responsibilities for collecting cash receipts are not allowed to process cash disbursements, post detail accounts receivable or reconcile bank statements.

20. Processing of cash receipts is centralized to the extent possible.

21. Control over cash receipts is established as quickly as possible; checks are restrictively endorsed upon receipt and are secured in a cash drawer or safe.

22. Over-the-counter cash receipts are independently balanced to cash register tapes or pre-numbered cash receipts book; cash registers are placed so customers can observe amounts as recorded.

23. Remittances received through the mail are opened in a secure area (ideally by two or more employees) that is restricted to authorized personnel and is locked when not occupied.

24. Mailed receipts are manually logged or immediately scanned into the cashiering system.

25. The mail room log, cash register tape, pre-numbered receipts or other record is compared to the deposit slip by someone other than the cashier; a duplicate copy of the deposit slip is maintained.

26. Cash variances are accounted for by employee and, if material or a pattern is visible, investigated and documented. (MCA 5-13-309 (3) requires any cash shortages suspected to be from employee dishonesty to be promptly reported in writing to the Attorney General and Legislative Auditor.)

27. Daily cash receipts are deposited intact even if proper disposition is unknown.

28. Cash receipts are deposited daily, when the total coin and currency exceeds $200, or the total collections exceed $750, unless approved by the Department of Administration and Board of Investments. Receipts are physically secured until deposited. See MCA 17-6-105.

29. Cash receipts are recorded in the period in which they are received.

30. Unknown cash receipts are credited to a clearing account; clearing account items are investigated and resolved promptly.

Accounts Receivable

31. Accounts receivable (A/R) subsidiary records are maintained by employees who have no access to cash.

32. The A/R unit reconciles aggregate collections on accounts receivable against daily postings to individual receivable accounts.


33. Unapplied customer payments credited to a clearing account are resolved promptly and posted to appropriate A/R detail records.

34. The A/R aging report is reviewed monthly for past due accounts and unusual items.


18 Sample Internal Control Checklists

AGENCY   CYCLE   SYSTEM   PREPARED BY   Date:

18.1 Sample self-assessment questions

To assess the effectiveness of control, an organization may find it helpful to express the criteria as questions tailored to its circumstances. The following is a simple example of questions a group might use to conduct a self-assessment. In each case, the answer to the question would be followed by "How do we know?" to trigger identification and discussion of the control processes.

18.1.1 Purpose

Do we clearly understand the mission and vision of the organization?

Do we understand our objectives, as a group, and how they fit with other objectives in the organization?

Does the information available to us enable us to identify risk and assess risk?

Do we understand the risk we need to control and the degree of residual risk acceptable to those to whom we are accountable for control?

Do we understand the policies that affect our actions?

Are our plans responsive and adequate to achieve control?

Do we have manageable performance targets?

18.1.2 Commitment

Are our principles of integrity and ethical values shared and practiced?

Are people rewarded fairly according to the organization’s objectives and values?

Do we clearly understand what we are accountable for, and do we have a clear definition of our authority and responsibilities?

Are critical decisions made by people with the necessary expertise, knowledge and authority?

Are levels of trust sufficient to support the open flow of information and effective performance?

18.1.3 Capability

Do we have the right people, skills, tools and resources?

Is there prompt communication of mistakes, bad news and other information to people who need to know, without fear of reprisal?

Is there adequate information to allow us to perform our tasks?

Are our actions coordinated with the rest of the organization?

Do we have the procedures and the processes to help ensure achievement of our objectives?


18.1.4 Monitoring and learning

Do we review the internal and external environment to see whether changes are required to objectives or control?

Do we monitor performance against relevant targets and indicators?

Do we challenge the assumptions behind our objectives?

Do we receive and provide information that is necessary and relevant to decision making?

Are our information systems up to date?

Do we learn from the results of monitoring and make continuous improvements to control?

Do we periodically assess the effectiveness of control?

Do we periodically review employee position descriptions to determine if they still describe the current duties and responsibilities of the employee?

Do we perform regularly scheduled performance reviews of our employees on a timely basis?

Cash Receipts Yes No N/A

Are current written policies and procedures used with respect to collection, recording, safeguarding, and depositing cash receipts?

Are responsibilities for cash receipt functions segregated from those for cash disbursement?

Are responsibilities for collecting, depositing, and accounting for receipts performed by different individuals?

Are responsibilities for preparing and approving bank account reconciliations segregated from other cash receipt or disbursement functions?

Are all local bank accounts reconciled within 30 days of the statement date?

Are copies of reconciliations submitted to the agency controller's office?

Are cash receipts recorded properly, deposited timely (daily or weekly per State policy) and intact?

Is a balance and summary of all cash receipts prepared daily?

Are all shortages or overages investigated and, to the extent possible, corrected?

Are physical security safeguards maintained where cash is stored and processed?

Are cashiers prohibited from cashing personal checks or notes of personal indebtedness?

Are cash, check-signing machines, signature plates, and blank, partially prepared, mutilated, and voided checks protected from unauthorized use?

Are “chain of custody forms” used when transferring cash between custodians?


Petty Cash Yes No N/A

Are petty cash accounts other than change accounts established and maintained as bank checking accounts whenever possible?

Are petty cash accounts accounted for on an imprest basis?

Is responsibility for each petty cash account vested in only one person?

Are only original vouchers or receipts (no photocopies) used to support petty cash disbursements?

Are petty cash checking accounts reconciled monthly by a person other than the custodian?

Are surprise counts of petty cash made periodically by a person other than the custodian?

If a postage meter is used:

Is a postage meter book properly maintained?

Are purchases of postage made only by check or warrant?

Are purchases of postage compared periodically to postage meter usage?

If a postage meter is not used, are proper controls exercised over postage stamps?

Disbursements--General Yes No N/A

Are controls established for disbursements to ensure that:

• The proper funds and accounts are charged?

• Appropriations or funds from which payments will be made are available for that purpose?

• Disbursements are made in accordance with purchase orders and contract?

• Disbursements are used only for authorized purposes?

• All laws, rules, and regulations governing the disbursements are followed?

Is the responsibility for authorization of disbursements clearly defined and assigned to specific personnel?

Are controls established to assure that all payments are made on a timely basis and that the most favorable terms of the billing document are sought and followed?

Are quantities, charges, name of the payee, and amount of the payment verified to be correct before payment is authorized?

Is there a periodic supervisory review for program coding, pricing, and extending vendor's invoices?

Are controls established to ensure that duplicate payments are not made?

Are only original invoices (no photocopies) totaling the amount of the disbursement attached to each voucher before payment?

Are employee duties in the handling of disbursements segregated to the extent possible with regard to:

The initiation of purchase requisitions and field orders?

The approval of vouchers, invoices, and warrant registers?

The mailing of warrants/checks?

The recording of disbursements? (To the extent possible, are employee duties in this area complementary to or checked by another employee?)

Is each cash disbursement properly vouched and approved by the proper authorities before the actual disbursement occurs?

Except for disbursements properly made from petty cash, are all disbursements made by warrant or check?

Are disbursements recorded properly and on a timely basis?

Are written procedures established and being followed to control access to and the receipt, issue, and inventory of blank warrants and checks?

Has the agency designated in writing a custodian and an alternate for blank warrants and checks?

Are blank warrants and checks kept in locked storage under the control of and accessible only by the designated custodian or the alternate?

Are procedures in place to control warrants and checks to be voided or destroyed?

Is a physical inventory of the entire stock of blank warrants and checks performed at least monthly by the custodian and supervisor and any variances properly investigated?

Are written procedures established for authorization and payment of transportation by common carrier?

Are unused credit cards and blank stock of Transportation Reimbursement Request forms inventoried at least quarterly and kept under lock?

Disbursements--Travel Yes No N/A

Are written procedures established consistent with the Montana Travel Policy contained in MOM Volume I?

Are formally adopted, written internal policies and procedures established to control the utilization of meals, coffee, and light refreshments at meetings and formal training sessions?

Is authorization of out of state travel exercised through use of a travel authorization form?

Are travel reimbursement requests signed by the employee and approved by the employee’s supervisor or a supervisor with the most knowledge regarding the travel?

Are travel reimbursement expense forms of agency heads signed by the Chief Financial Officer or designated official certifying that the reimbursement complies with state travel regulations?

Are travel reimbursement expense forms and supporting documentation of agency heads not reporting to the governor submitted for review to the appropriate appointing authority or delegated officials?

Are written procedures established for authorization and payment of official transportation by common carrier such as charter services?

Are air transportation purchases made in accordance with the Montana Purchasing requirements and the MOM I Travel Policy?

Is reimbursement for air transportation in an amount greater than that approved in writing in advance by the agency head or authorized designee?

Is reimbursement for non-air transportation in greater than tourist class or its equivalent approved in writing in advance by the agency head or authorized designee?

Has written approval for travel outside the continental USA been obtained and documented?

Prior to payment, is the agency copy of the travel reimbursement request matched to the appropriate merchant vendor receipts or to the monthly statement from the credit card company?

Are unused credit cards inventoried at least quarterly and kept under lock?

Are persons who authorize commercial transportation prohibited from receiving the tickets or using the transportation themselves?

Is written approval of the agency head or designee obtained prior to authorizing direct billing to the agency and direct payment by an individual of the agency responsible for payment of travel allowances?

Disbursements--Local Checking Account Yes No N/A

Has the checking account been approved by SAD as documented on a Form DA 105?

Are checks prenumbered?

Is physical control of checks maintained by someone other than persons originating disbursement requests?

Are spoiled or voided checks retained and the signature blocks on the checks removed?

If a check-signing machine is used, is the signature plate and the use of the check-signing machine kept under the control of the official whose name appears on the signature plate or an authorized designee?

Are dual signatures required on all checks?

Are bills or vouchers presented with checks for signature?

Are bills or vouchers marked "Paid" only at the time check is signed?

Are checks mailed by someone other than the person preparing the check?

Does someone other than the person who signs checks approve bills for payment?

Are bank statements reconciled at least monthly?

Does a person not involved in the cash receipt or disbursement function reconcile bank accounts?

Purchases Yes No N/A

Are pre-numbered purchase and field order forms used and strictly accounted for by number?

Are invoices matched with purchase orders and receiving reports before approval for payment?

Are invoice computations and pricing verified before approval for payment?

Are all invoices paid in a timely manner so that discounts may be taken?

Are monthly statements from vendors compared with accounts payable balances?

Are purchases made by competitive solicitation?

Are Payable Subsidiary Ledgers reconciled to the control accounts monthly?

Are copies of order forms distributed to receiving and accounting departments?

Are claims filed promptly for goods damaged in shipment?

Investments and Securities Yes No N/A

Is the authority to purchase, exchange, or sell investments and securities clearly defined?

Is the custodian of securities not authorized to purchase, exchange, or sell securities?

Are securities kept in a fireproof safe deposit box, safe, or vault?

Are combinations and keys to these security devices restricted to a limited number of people and changed when employees rotate or leave their jobs?

Does access to securities require the presence of at least two designated officers?

Are safe or vault contents inventoried at least monthly?

Do the accounting department and the custodian maintain detailed records of all investments and securities?

Are employees that handle and have access to securities closely supervised or reviewed by other employees?

Are periodic checks made to verify that all income due on investments has been received?

Receivables Yes No N/A

Are responsibilities for billing, collection, cash receiving, receivables, accounting, and the maintenance of general ledger control accounts assigned to provide division of duties?

Are receivables recorded promptly in the proper funds and accounts when goods and/or services are provided?

Are separate accounts maintained for each major category of receivables to ensure the clear and full disclosure of the agency's resources in its financial reports?

Are accounts receivable records adequately safeguarded and access to these records restricted to only authorized employees?

Are control accounts balanced with the detailed ledgers at least monthly?

Does an individual independent of receivable record keeping promptly investigate disputed billing amounts?

Do the proper authorities approve credit adjustments?

Are pre-numbered credit memorandum forms used?

Are receivable accounts reviewed periodically for credit balances?

Is there an independent verification of quantities, prices, and clerical accuracy of billing invoices?

Are billings prepared fully and promptly, and statements sent to all customers on a regular basis?

Are receivable accounts aged monthly and reviewed by authorized personnel?

Are written collection procedures established and being utilized to promptly follow up on past due receivables?


Are procedures developed to address uncollectible accounts and the write-off of such accounts, and do write-offs receive the proper level of authorization in accordance with state law and MOM Volume II?

Supplies and Merchandise Inventories Yes No N/A

Are only authorized individuals responsible for receiving and issuing supplies and merchandise for the agency; for inspecting all goods received to verify that they conform to specifications; and for the enforcement of all policies necessary for the internal control of these assets?

Is responsibility for purchasing, receipt of merchandise or services, and invoice approval assigned to provide division of duties?

Have specific central points been identified for receiving and issuing supplies?

Are receiving reports and issue reports prepared for all receipts and issues?

Are quantities received compared to the bill of lading and receiving report?

Are effective control procedures established to ensure that state supplies and fixed assets are used properly and for authorized purposes?

Are actual physical inventory counts of all agency supplies and equipment made periodically in accordance with MOM Volume II Accounting policies?

Are personnel other than those who take inventories responsible for inventories?

Are perpetual or periodic inventory records maintained to reflect dollar value and quantities of merchandise for resale and significant supplies inventories?

Are supplies and merchandise arranged so that the earliest received or produced will be issued first (FIFO)?

Are damaged and obsolete goods physically segregated?

1 Sources used for the contents of this appendix:

IT Control Objectives for Sarbanes-Oxley, Information Systems Audit and Control Association (ISACA) and IT Governance Institute (ITGI), Rolling Meadows, IL, 2004, http://www.isaca.org

The Standard of Good Practice for Information Security, Information Security Forum (ISF), 2004, http://www.isfsecuritystandard.com

2 Sources used for the contents of this appendix:

IT Control Objectives for Sarbanes-Oxley, Information Systems Audit and Control Association (ISACA) and IT Governance Institute (ITGI), Rolling Meadows, IL, 2004, http://www.isaca.org

The Standard of Good Practice for Information Security, Information Security Forum (ISF), 2004, http://www.isfsecuritystandard.com

3 This survey was adapted from the survey tools presented by Mr. Michael Ramos in his book entitled How to Comply with Sarbanes-Oxley Section 404 – Assessing the Effectiveness of Internal Control, John Wiley & Sons, Inc., Hoboken, NJ, 2004.

4 These questions were adapted from the management inquiry tools presented by Mr. Michael Ramos in his book entitled How to Comply with Sarbanes-Oxley Section 404 – Assessing the Effectiveness of Internal Control, John Wiley & Sons, Inc., Hoboken, NJ, 2004.

5 These questions were adapted from the example inquiries presented by Mr. Michael Ramos in his book entitled How to Comply with Sarbanes-Oxley Section 404 – Assessing the Effectiveness of Internal Control, John Wiley & Sons, Inc., Hoboken, NJ, 2004.


Are supplies and merchandise kept neat?

Payroll Yes No N/A

Are responsibilities for supervision and time keeping, personnel, payroll processing, disbursements, and general ledger functions assigned to provide division of duties?

Does a person other than the employee’s immediate supervisor distribute payroll warrants?

Do personnel other than employees connected with preparation of payroll distribute Forms W-2?

Are detailed records of hours worked maintained and approved, when appropriate?

Are completed payroll charges reviewed before disbursements are made?

Are payroll charges, including fringe benefits, recorded and distributed accurately and promptly?

Are there written procedures for approving, recording, and controlling sick leave, vacations, holidays, overtime, compensatory time, and stand-by time?

Are procedures established to ensure that supervisory personnel verify attendance and payroll reports?

Are confidential payroll records and reports adequately safeguarded?

Automated Data or Information Processing Yes No N/A

Is the information services (IS) department independent of the accounting and operating departments for which it processes data?

Is there an appropriate segregation of duties within the information services function for system development (design and programming), technical support (maintenance of systems software), and operations?

Are there controls over preparation and approval of input transactions outside the IS department and prohibiting the department from initiating and processing transactions without the approval of the affected users?

Are there controls over the completeness and accuracy of input, processing and output?

Are there controls over error correction of rejected transactions?

Is access to terminals and data entry restricted to authorized employees?

Is password security over computer systems set up on an individualized basis?

Do controls include user reconciliation of output totals to input totals for all data submitted, internal reconciliation of file balances, and the review of outputs for reasonableness?

Are there appropriate controls over use and retention of tape and disk files, including provisions for retention of adequate records to provide backup capabilities?

Are adequate controls exercised over changes to system software?

Is access to computer equipment and system documentation limited to authorized employees?


Is there adequate documentation of procedures to be followed by computer operators?

Is there a written and tested contingency plan providing for continued processing of critical applications in the event of a disaster to the computer facility?

Have appropriate controls been established for the use and contents of personal computers?

Sales Yes No N/A

Are printed standard price lists used and being reviewed and approved periodically by an authorized person?

Are written orders from customers required, when appropriate?

Are sales invoices pre-numbered?

Does a person other than the preparer check invoice computations?

Is the numerical sequence of sales invoices accounted for periodically and are monthly credits to sales reconciled with charges to accounts receivable?

Are over-the-counter cash sales controlled by a cash register which generates a sequentially numbered transaction log and a customer receipt, both indicating the mode of payment (e.g., cash, check, etc.)?

Are customer complaints handled independently of the sales department?

Are discounts taken by customers checked for propriety, and if not qualified, are discounts taken added to the customer's next billing?

Are sales returns receiving reports prepared for all sales returns?

Are sales returns credit memos pre-numbered?

Are quantities listed on credit memos compared with receiving reports?

Are prices on credit memos compared with prices on sales invoices covering merchandise returned?

Safeguarding Capital and Non-Capital Assets Yes No N/A

Does the agency have written procedures for controlling capital and non-capital assets?

Has the agency head designated, in writing, one or more individuals responsible for the maintenance of the agency’s capital asset inventory?

Does the agency have written internal policies defining non-capital assets that have a high risk of loss?

Does the agency’s definition of assets having a high risk of loss include those non-capital assets considered by MOM II policy to be at high risk of loss?

Does the agency have written internal policies specifying control measures applicable to assets at high risk of loss?

Are assets at high risk of loss maintained on an automated inventory system?

Does the agency maintain all the data elements required for assets at high risk of loss?

Do written procedures exist for safeguarding equipment against improper or unauthorized use?

Are responsibilities for the property record function segregated from the general ledger function?

Are only authorized individuals responsible for receiving and issuing capital assets for the agency; for inspecting all goods received to verify that they conform to specifications; and for the enforcement of all policies necessary for the internal control of these assets?

Are there adequate provisions for safely storing equipment?

Is responsibility for purchasing, receipt of capital asset, and invoice approval assigned to provide division of duties?

Have specific central points been identified for receiving and issuing capital assets?

Are receiving reports and issue reports prepared for all receipts and issues?

Are quantities received compared to the bill of lading and receiving report?

Are detailed records kept of capitalized and inventoriable capital and noncapital assets in accordance with MOM II and agency policy?

Are detailed property records reconciled quarterly to the general ledger?

Are actual physical inventory counts of all agency equipment made periodically in accordance with MOM II policies?

Are all inventoriable capital assets and non-capital assets at high risk of theft subject to a physical count at least every two years?

Is the physical inventory subject to verification or conducted by a person who is neither directly responsible for the assets nor supervised by the person responsible?

Do the physical inventory procedures include instructions for noting obviously unserviceable assets?

Are personnel assigned responsibility for counting capital assets provided with a listing of items to be counted?

Are written physical inventory instructions developed, distributed, and explained to each person participating in the inventory process?

Do the physical inventory instructions include directions as to how and where each item counted is to be recorded, what information is to be recorded, what to do when questions arise, and what procedures are to be followed when equipment is located but is not listed?

Does the person counting the assets attest to the accuracy of the count by signing her/his name at the bottom of each inventory page?

Does the inventory officer perform the reconciliation between the physical inventory and the property management system?

Does the inventory officer certify the reconciliation with a statement and signature that it is correct?

Are damaged and obsolete goods physically segregated?

Is state equipment permanently tagged and/or identified in accordance with MOM II and agency policies?

Is one individual appointed the responsible controlling official for the agency’s control tags?

Is the inventory control officer responsible for maintaining a permanent list of lost or destroyed control numbers?

Is a permanent list of lost or destroyed control (tag) numbers maintained?

9900-128


Safeguarding Capital and Non-Capital Assets Yes No N/A

Does the agency’s inventory officer, in a sequential order, assign control (tag) numbers?

Are all control (tag) numbers accounted for?

Is an annual reconciliation between the control (tag) numbers and the inventory records made to determine if all tagged assets are properly entered in the inventory?

Are items transferred from another state agency retagged according to the agency’s numbering system?

Does a designated individual affix state tags at a central receiving point?

Are unrecorded assets tagged and entered into the inventory system as soon as possible after discovery?

Do controls exist to ensure capital leases of equipment are included in the capital asset records?

Are there procedures for recording transfers of equipment within the agency?

Are capital assets classified as infrastructure recorded in the accounting records of the agency?

Are controls established to ensure that state of Montana regulations and procedures are followed in the sale or disposition of state property or in reporting the loss or theft of such assets?

Does the agency have formal notification procedures for notifying agency personnel of suspected loss of capital assets?

Have appropriate controls been established for the use and contents of personal computers?

Does the agency report actual and suspected losses in accordance with 5-13-309, Montana Code Annotated (MCA)?

General Yes No N/A

Are accounting records neat and in proper order?

Are accounting records kept current?

Are employees required to take periodic vacations and, in their absence, do other employees perform their work?

Are internal audits performed?

Do authorized personnel approve all journal entries?

Is a current organizational chart maintained and followed?

Does appropriate documentation of procedures exist for all agency systems and functions such that the organization could continue to operate if key employees leave?

Does agency management regularly review accounting report summaries, monitoring any unusual levels of revenues, expenditures, or FTEs?

Are employees required to maintain desk manuals that could be used by a knowledgeable person to perform the employee’s duties?

9900-129