ALL AGENCIES, DEPARTMENTS, AND DISTRICTS GOVERNED
BY THE BOARD OF SUPERVISORS
EFFECTIVE: 01/86
REVISED: 09/2000
_________________________________
David E. Sundstrom, Auditor-Controller
1.
POLICY
All County departments/agencies shall maintain
effective internal control systems as an integral
part of their management practices. This is because
management has primary responsibility for establishing
and maintaining the internal control system. All
levels of management must be involved in assessing
and strengthening internal controls. Effective internal
control systems should provide management with reasonable,
but not absolute, assurance that assets are safeguarded
from unauthorized access, use or disposition; transactions
are executed in accordance with management’s
authorizations; financial and statistical records
and reports are reliable; applicable laws, regulations
and policies are adhered to; and resources are efficiently
and effectively managed.
Control systems shall be continuously evaluated
and weaknesses, when detected, must be promptly
corrected. New programs shall be designed to incorporate
effective systems of internal control.
1.1
Purpose
To prescribe policies and standards to be
followed by departments/agencies in establishing
and maintaining internal control systems in
their operations and administrative activities.
1.2
Authority
1.2.1
Committee of Sponsoring Organizations
of the Treadway Commissions(COSO)
Internal control-integrated framework
dated February 1992, which set criteria
for evaluating an entity’s internal
control structure.
1.2.2
Board of Supervisors' Resolution No.
82-162, dated February 2, 1982
Authorizes the Auditor-Controller
to prescribe the accounting policies
for all offices, departments, and institutions
under the control of the Board of Supervisors.
1.2.3
Board of Supervisors’ Resolution
No. 85-337, dated March 12, 1985
Establishes that all County departments/agencies
maintain effective internal control
systems, as an integral part of their
management practices. Also, establishes
that all levels of management shall
be involved in evaluating control systems
on an on-going basis and, when detected,
ensuring weaknesses are promptly corrected.
(Responsibility for periodic reviews
of control systems now belongs to the
Internal Audit Department, rather than
the Auditor-Controller Department, per
Board Resolution No. 95-271.)
1.2.4
Board of Supervisors' Resolution
No. 95-271, dated April 25, 1995
Establishes the Internal Audit Department
as independent from the Auditor-Controller
Department, and authorizes the Internal
Audit Department to perform the Auditor-Controller’s
legally required audits, if requested
by the Auditor-Controller.
1.3
Definitions
1.3.1
Internal Control
A process – effected by an entity’s
board of supervisors, management, and
other personnel – designed to
provide reasonable assurance regarding
the achievement of objectives in the
following categories:
Effectiveness and efficiency
of operations
Reliability of financial reporting
Compliance with applicable laws
and regulations
1.3.2
Standards of Internal Controls
Elements of a satisfactory system
of internal controls. (See Section 3
for specific standards.)
1.3.3
Documentation of Internal Controls
Any material used to describe the
internal control system, which communicates
responsibilities and authorities and
serves as a reference for persons reviewing
the internal controls and their function.
Such material can include written policies,
organization charts, procedural write-ups,
manuals, memoranda, flow-charts, software,
and related written materials.
2.
COMPONENTS OF INTERNAL CONTROL
Internal control consists of five interrelated
components, which are control environment, risk
assessment, control activities, information and
communication, and monitoring.
2.1
Control Environment
Sets the tone of an organization, influencing
the control consciousness of its people. It
is the foundation for all other components
of internal control, providing discipline
and structure. Control environment encompasses
the following factors: integrity and ethical
values, commitment to competence, board of
supervisors or audit committee participation,
management’s philosophy and operating
style, organizational structure, assignment
of authority and responsibility, and human
resource policies and practices.
2.2
Risk Assessment
The entity’s identification and analysis
of relevant risks in regards to the achievement
of its objectives and to form a basis for
determining how the risks should be managed.
Risks can arise or change due to circumstances
such as the following: changes in operating
environment, new personnel, new or revamped
information systems, rapid growth, new technology,
new activities, restructuring, or changing
accounting pronouncements.
2.3
Control Activities
The policies and procedures that help ensure
management that necessary actions are taken
to address risks to achieve the entity’s
objectives, which include:
Performance
Reviews – Comparisons and
analysis of actual performance versus
budgets, or program objectives to actual
outcomes.
Information
Processing – Controls to
check accuracy, completeness, and authorization
of transactions, which include computer
system general controls and application
controls.
Physical
Controls – Activities encompassing
the physical security of assets, including
adequate safeguards such as secured facilities;
security over access to assets and records;
security management over information systems
(e.g. protection against computer viruses
and "hacking"); and periodic
counting and comparison with amounts shown
on control records.
Segregation
of Duties – Assigning different
people the responsibilities of authorizing
transactions, recording transactions,
and maintaining custody of assets with
the intent to reduce the opportunities
to allow any person to be in a position
to both perpetrate and conceal errors
or irregularities.
2.4
Information and Communication
The identification, capture, and exchange
of information in a form and time frame that
enable people to carry out their responsibilities.
Information
- Includes the accounting system, which
consists of the methods and records established
to record, process, summarize and report
transactions and to maintain accountability
for the related assets, liabilities, and
equity (funds). Information systems produce
reports containing operational, financial,
and compliance-related information that
makes it possible to run and control an
organization. An information system encompasses
methods and records that
Identify and record all valid transactions.
Describe timely and sufficiently
detailed transactions to permit
proper classification for financial
reporting.
Measure the value of transactions
to permit recording their proper
financial value in the financial statements.
Determine the time period in which
transactions occurred to permit
recording of transactions in the proper
accounting period.
Present properly the transactions
and related disclosures in the
financial statements.
Communication
- Involves providing an understanding
of individual roles and responsibilities
pertaining to internal control over financial
reporting. Communication takes such forms
as policy manuals, accounting and financial
reporting manuals, memoranda, oral communication,
and management actions.
2.5
Monitoring
A process that assesses the quality of internal
control performance over time. It involves
assessing the design and operation of controls
on a timely basis and taking necessary corrective
actions. This process is accomplished through
ongoing monitoring activities of internal
controls and separate evaluations of internal
controls, or a combination of the two. Ongoing
monitoring activities should be built into
the normal recurring activities of an entity
and should include regular management and
supervisory duties. Internal auditors or personnel
performing similar functions contribute to
the monitoring of an entity’s activities
through separate evaluations. However, the
entity’s management is ultimately responsible
for effectively monitoring controls.
3.
STANDARDS OF INTERNAL CONTROLS
A satisfactory system of internal control shall
include, but not be limited to, the following standards:
3.1
Segregation of Duties
A plan of organization that provides segregation
of duties appropriate for proper safeguarding
of County assets. Key duties such as authorizing,
approving or recording transactions, issuing
or receiving assets, making payments, and
reviewing or auditing shall be assigned to
separate individuals to minimize the risk
of loss. A satisfactory internal control system
depends largely on the elimination of opportunities
to perpetrate and then conceal errors or irregularities.
This in turn depends on the assignment of
work in such a fashion that no one individual
controls all phases of an activity or transaction.
3.2
Access to Assets
Access to County assets should be limited
to authorized personnel who require these
assets in the performance of their assigned
duties. Access includes both direct physical
access and indirect access through the preparation
or processing of documents that authorize
the use or disposition of resources.
3.3
Authorization, Execution, and Recording
of Transactions
A system of authorization and record-keeping
procedures is needed to provide effective
accounting control over assets, liabilities,
revenues, and expenditures. Independent evidence
shall be maintained to document that authorizations
are issued by persons acting within the scope
of their authority and that transactions conform
with the terms of the authorizations. Documentation
shall provide an adequate audit trail. Transactions
shall be accurate, timely, properly recorded,
and properly classified. Computer system controls
should be utilized to safeguard records and
preserve data integrity.
3.4
Documentation of System
All departments/agencies should have an
established system of policies and procedures
to be followed in the performance of duties
and functions. Such a system shall include,
but not be limited to, documentation of internal
controls, accountability for resources and
recording of financial transactions, and such
documentation shall be communicated and made
available to all employees and auditors.
3.5
Integrity and Competent Personnel
Key personnel should have high standards
of integrity, and be competent through education,
training, or experience to accomplish their
assigned duties.
3.6
Supervision
Qualified and continuous supervision shall
be provided to assure that approved procedures
are followed and are operating as intended.
Lines of personal responsibility and accountability
shall be clear. Supervision should be competent
and continuing so as to ensure the achievement
of internal control objectives.
3.7
Monitoring Controls
An effective system of internal review by
both the department/agency and the Internal
Audit Department should be established. Managers
should take action when control deviations
requiring action are noted.
3.8
Reasonable Assurance
Internal control systems shall provide reasonable,
but not absolute, assurance that the internal
control objectives will be achieved. This
standard recognizes that the cost of internal
controls should not exceed the benefits derived
therefrom, and that the benefits consist of
reductions in the risks of failing to achieve
the stated objectives.
3.9
Supportive Attitude
Executives, managers and employees should
maintain a supportive attitude towards internal
controls.
3.10
Control Objectives
Control objectives are to be identified
or developed for each organizational activity.
4.
RESPONSIBILITIES OF DEPARTMENT/AGENCIES AND DISTRICTS
GOVERNED BY THE BOARD OF SUPERVISORS
4.1
Establish and Maintain a System or Systems
of Internal Control.
4.1.1
Responsibility
Designate specific responsibility
for determining that department/agency
internal control systems are developed,
maintained, reviewed and improved as
necessary.
4.1.2
Coordination
Provide for coordination between organizational
units within the department/agency and
with other departments/agencies' in
matters concerning internal control.
4.1.3
Standards
Require each internal control system
to meet the standards of internal control
described in Section 3. (Standards of
Internal Controls).
4.1.4
Guidelines
4.2
Determine that the System is Functioning
as Prescribed and is Modified, as Appropriate,
for Changes in Conditions.
4.2.1
Review
Review internal control systems on
an ongoing basis to determine whether
controls are operating as intended and
are effective.
4.2.2
Resolution of Deficiencies Identified
by Department/Agency Personnel
Provide prompt and proper resolution
of deficiencies identified by department/agency
personnel.
4.2.3
Resolution of Deficiencies Identified
by Other Parties
Provide prompt and proper resolution
of deficiencies noted during audits
by the Internal Audit Department, external
auditors, and/or consultants.
4.3.4
Risk Identification
On an on-going basis, identify potential
risks that could hinder the department/agency
from realizing management’s objectives
(i.e., effectiveness, efficiency, compliance
with laws and regulations, and proper
financial reporting) and determine how
to manage those risks.
4.3
Document and Communicate the System of Internal
Control to all Employees.
4.3.1
Written Policies and Procedures
Establish written policies and procedures
that supplement the policies and procedures
in the Auditor-Controller’s County
Accounting Procedures Manual, to assure
intended functioning of internal control
systems. These policies and procedures
should set forth in writing the specific
procedures to be followed, and should
be communicated and made available to
all employees.
4.3.2
Performance Appraisals
Reflect effectiveness in developing
internal controls and in resolving and
implementing appropriate audit recommendations
in the performance appraisals of personnel.
5.
RESPONSIBILITIES OF THE INTERNAL AUDIT DEPARTMENT
The Internal Audit Department shall assist management
in the monitoring of internal controls through:
5.1
Periodic Reviews
Make periodic reviews of internal control
systems including documentation and compliance
to determine whether policies and standards
established by a department/agency are adequate,
properly implemented, and being followed.
5.2
Written Reports
Prepare written reports summarizing deficiencies
in existing internal control systems accompanied
by recommendations for improving those deficiencies.
Distribute the reports in accordance with
Audit Oversight Committee procedures.
5.3
Follow-up Audits
Conduct follow-up reviews of department/agency
efforts to respond to audit findings and recommendations.
6.
RESPONSIBILITIES OF THE AUDITOR CONTROLLER DEPARTMENT
The Internal Audit Department shall assist management
in the monitoring of internal controls through:
6.1
Policies
Develop and maintain County Accounting Procedures,
and make them available to all departments/agencies.
6.2
Procedures
Prepare written reports summarizing deficiencies
in existing internal control systems accompanied
by recommendations for improving those deficiencies.
Distribute the reports in accordance with
Audit Oversight Committee procedures.
6.3
Systems
Develop financial accounting systems with
built-in controls that safeguard and maintain
the integrity of the accounting information
that is submitted.
Legal