Administration for Children and Families US Department of Health and Human Services

The Child Care Bureau

State Assessment of Internal Controls Final Report, May 2007



Appendix N. STATE INTERNAL CONTROL SELF-ASSESSMENT INSTRUMENT

 

(Original)

 

STATE INTERNAL CONTROL SELF-ASSESSMENT INSTRUMENT

 

 

STATE

 

DATE

 


STATE TEAM (Insert State Name)
(List all members of the State Team, their organization, title, phone, fax, and e-mail addresses)
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:

Add additional pages to capture all staff involved in the assessment process.

GENERAL INSTRUCTIONS
This tool is a State Internal Control Self-Assessment Instrument to be used for management control and evaluation of the Child Care program. The tool can be used to help both State and Federal managers determine how well an agency’s internal controls are designed and functioning and help them to determine what, where, and how improvements can be implemented. States can use this tool specifically for the Child Care Program or more broadly where the Child Care Program is one of many program components.

The tool contains five sections corresponding to the five standards for internal control outlined by the General Accountability Office (GAO) in its document, GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01). The third standard, Control Activities, is further broken down into three additional sections, one dealing with Common Activities and two dealing with Information Systems. The standards are:
  • Control Environment;
  • Risk Assessment;
  • Control Activities:
    • Common Categories of Control Activities;
    • Control Activities Specific for Information Systems—General Control;
    • Control Activities Specific for Information Systems—Application Control;
  • Information and Communications; and
  • Monitoring.

Each section contains a list of major elements and criteria for consideration when reviewing internal controls as they relate to the particular standards. These elements represent some of the more important issues addressed by the standard. Included under each element are criteria that States should consider when addressing the element. States should use the criteria to consider specific items that indicate the degree to which internal controls are functioning.

States need to evaluate how well their agency meets each element and criterion and identify those areas where they may be deficient. The States should then take the opportunity to begin formulating a plan of action to address the identified deficiencies.

States should view this tool as a living document, a starting point that can fit the circumstances, conditions, and risks relevant to their agency. Not all of the elements or criteria will be applicable for every agency. States should attempt to complete all of the sections, but should feel free to note those areas that they do not consider relevant. If a State chooses to use the tool to assess the whole agency, then the sections specific to Child Care (and other program areas) should be completed by the appropriate areas and the sections that apply to all areas (such as HR or IT) would be completed by those program areas.

The goal is for this tool to be useful in assessing internal controls as they relate to the achievements of the objectives of the agency, identifying areas of concern, and providing a documented way of addressing those concerns. Ultimately, this tool can help States become more effective and efficient in their internal controls. This tool may also be useful in identifying issues with respect to safeguarding assets from improper payments caused by mistakes, inadequate controls, fraud, waste, or abuse.



I. CONTROL ENVIRONMENT

The Control Environment is the first Internal Control Standard. This standard addresses how the State establishes and maintains an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management. The State reviews and addresses each of the key factors that affect the accomplishment of this goal. State managers and evaluators consider each of these control environment factors as they determine if there is a positive control environment in their State.

States should view the elements and criteria contained in this Instrument as a beginning point and not as an all-inclusive set of elements and criteria. Some of the elements and criteria are subjective in nature and require the State to use judgment when assessing them. States should examine each of the elements and criteria, as they are important and can help in achieving control environment effectiveness.

Integrity and Ethical Values
Elements | Criteria | Documentation (Provide all applicable documentation) | Findings/Results & Suggested Follow-up if Necessary
1. The agency has established and uses a formal code or codes of conduct and other policies communicating appropriate ethical and moral behavioral standards and addressing acceptable operational practices and conflicts of interest. Codes of conduct are comprehensive in nature and include such issues as appropriate use of resources, conflicts of interest, political activities of staff, acceptance of gifts or donations or foreign decorations, and use of due professional care.

The agency periodically reviews codes of conduct and obtains signatures from all staff members.

Staff members indicate that they know what kind of behavior is acceptable and unacceptable, what penalties unacceptable behavior may bring, and what to do if they become aware of unacceptable behavior.
   
2. The agency established an ethical culture at the top of the organization and it has been communicated throughout the agency. Management emphasizes the importance of integrity and ethical values through oral communications in meetings, via one-on-one discussions, and by example in daily activities.

Management takes quick and appropriate action as soon as there are any signs that a problem may exist.
   
3. The agency ensures that it employs high ethical standards in dealings with the public, Legislature, staff, suppliers, auditors, and others. Financial, budgetary, and operational/programmatic reports to the Legislature, Federal Government, and the public are proper and accurate.

Management cooperates with auditors and other evaluators, discloses known problems to them, and values their comments and recommendations.

The agency has a well-defined and understood process for dealing with claims and concerns in a timely and appropriate manner.
   
4. Management takes appropriate disciplinary action in response to departures from approved policies and procedures or violations of the code of conduct. Management takes action when there are intentional violations of policies, procedures, or the code(s) of conduct.

Management communicates the types of disciplinary actions taken throughout the agency.
   
5. Management establishes internal controls and intervention. Management provides guidance on when to intervene and the management levels which may take such action.

Management fully documents the reasons for any intervention or overriding of internal control and specific actions taken.

Management prohibits overriding of internal control by low-level management staff except in emergency situations. Notification and documentation to upper-level management occurs immediately.
   
Commitment to Competence (CE_2)
1. Management has identified and defined the tasks required to accomplish particular jobs. Management analyzes the tasks and competencies needed for particular jobs, including such things as the level of judgment required and the extent of supervision necessary.

Management establishes formal job descriptions or other means of identifying and defining specific competencies required for job positions and keeps them up-to-date.

Management identifies the knowledge, skills, and abilities needed for various jobs and makes them known to staff.

Evidence exists that the agency makes every effort to assure that staff selected for various positions have the requisite knowledge, skills, and abilities.
   
2. The agency provides training and counseling to help staff maintain and improve job competency. The agency provides an appropriate training program to meet the needs of staff.

The agency emphasizes the need for continuing training and has a control mechanism to ensure that staff received appropriate training.

Supervisors have the necessary training and management skills to provide effective job performance counseling.

Management bases performance appraisals on an assessment of competencies and clearly identifies areas in which staff are performing well and areas that need improvement.

Management provides staff candid and constructive job performance counseling.
   
Management Philosophy and Operating Style (CE_3)
1. Management analyzes the risks of new ventures or operations and determines appropriate mitigation and minimization strategies.      
2. Management endorses the use of performance-based management.      
3. Management analyzes agency staffing. Management analyzes patterns of staff turnover, including loss of key staff or excessive turnover. Management develops transition plans.
4. Management supports financial, administrative, and operational functions. Management uses accounting, financial, and programmatic data from its systems for decision-making and performance evaluation.

Management reviews and coordinates financial management, accounting operations, and budget with external entities.

Management supports efforts to make improvements in the systems as technology advances.

Personnel operations have a high priority.

Management supports and uses the work of quality assurance, internal audits, external audits, and other evaluations and studies.
   
5. Management safeguards valuable assets and information from unauthorized access or use.      
6. Senior management and operating/program management interact to carry out the mission.      
7. Management ensures sound financial, budgetary, and operational/programmatic reporting. Management is responsible for critical financial reporting and conservative application of accounting principles and estimates.

Management financial and budgetary information is provided to the appropriate entities.

Management ensures that short-term goals are consistent with long-term strategies.
   
Organizational Structure (CE_4)
1. Management defines and communicates key areas of authority and responsibility. Staff members understand their areas of responsibility.

Staff members understand their internal control responsibilities.
   
2. Management establishes clear internal reporting relationships. The organization structure facilitates the flow of information throughout the agency.

Management makes staff aware of the established reporting relationships.
   
3. Management periodically evaluates the organizational structure and makes necessary changes to respond to changing conditions.      
4. Management supports appropriate staffing levels to carry out the mission of the agency. Staff members have time to carry out their duties and responsibilities.

Staff members do not have to work excessive overtime or outside the ordinary workweek to complete assigned tasks.

Management and supervisors are not fulfilling more than one role.
   
Assignment of Authority and Responsibility (CE_5)
1. The agency appropriately assigns authority and delegates responsibility to the proper staff. Management communicates the assigned authority and responsibility to staff.

Management holds individuals accountable for decisions and outcomes within their responsibility and authority.

Management has effective procedures to monitor results.

Management appropriately balances the delegation of authority between senior staff and staff at lower levels to get the job done.
   
Human Resource Policies and Practices (CE_6)
1. Policies and procedures are in place for hiring, orienting, training, evaluating, counseling, promoting, compensating, disciplining, and terminating staff. Management participates in the hiring process.

Management ensures that position descriptions and qualifications meet State Personnel rules and are standardized throughout the agency for similar jobs.

Management establishes a training program that includes orientation programs for new staff and continuing education for all staff.

Management supports promotion, compensation, or rotation of staff based upon periodic performance appraisals.

Management links performance appraisals to its goals and objectives.

Performance appraisal criteria reflect the importance of integrity and ethical values.

Staff receive appropriate feedback and counseling on their job performance.

Management responds to violations of policies or ethical standards with appropriate discipline or remedial action.
   
Oversight Groups (CE_7)
1. The agency has mechanisms in place to monitor and review operations and programs. An independent entity audits and reviews agency activity.

An audit committee or senior management council reviews the internal audit work and coordinates closely with the independent entity and external auditors.

The internal audit unit reports to the agency head.

The internal audit function reviews agency activities and systems and provides information, analyses, recommendations, and counsel to management.
   
2. The agency works closely with Executive Branch oversight organizations. The agency works with the State’s Budget Office and key officials. The agency provides financial and budgetary reporting and information on internal controls and management’s performance.

High-level agency staff maintain good working relationships with other executive branch agencies that exercise multi-agency control responsibilities.
   
3. The agency maintains a close relationship with the Legislature. The agency provides the Legislature with timely and accurate information to allow monitoring of agency activities. This includes review of the agency’s mission and goals, reports on agency performance, and reports on finances and operating issues.

High-level agency officials meet regularly with staff from the Legislature and Governor’s office to discuss major issues affecting operations, internal control, performance, and other issues affecting major agency activities and programs.
   

II. RISK ASSESSMENT

The second internal control standard is Risk Assessment. Clear, consistent agency goals and objectives at both the agency and program level are essential for the agency to operate efficiently and effectively. When an agency has established and articulated objectives, the agency may be able to identify actual or potential risks/problems—internal and external—that could impede the accomplishment of those objectives in an efficient manner. When an agency identifies potential risks/problems and their possible effect on the organization, they may be able to prevent those problems or reduce their impact. This section is designed to help agencies in this process.

Once again, this is not an all-inclusive list. It is a starting point from which States can begin to build a dynamic assessment of actual or potential risks/problems and mitigation strategies. Some of the elements and criteria are subjective in nature. Nevertheless, each of the elements and criteria is important and it is recommended that the State examine them closely.

Establishment of Entity-wide Objectives (RA_1)
Elements | Criteria | Documentation (Provide all applicable documentation) | Findings/Results & Suggested Follow-up if Necessary
1. Management establishes agency specific objectives. Management establishes a strategic plan that includes agency mission, goals, and objectives.

Management establishes objectives based on program requirements.
   
2. Management communicates objectives to all staff and obtains feedback.      
3. Operational strategies support entity-wide objectives. Strategic plans address resource allocations and priorities.

Management designs strategic plans and budgets with an appropriate level of detail for various management levels.
   
4. Management has an integrated management strategy, risk assessment, and control structure to address risks.      
Establishment of Activity (RA_2)
1. Program strategies support agency objectives. Management reviews program strategies periodically to assure that they have continued relevance.    
2. Program strategies are relevant and complementary. Management establishes program strategies for the key operational and support activities.
3. Program outcome criteria include measurements.      
4. Management allocates sufficient resources to meet objectives.      
5. Management identifies and reviews Mission Critical program strategies to address objectives. Management reviews and monitors critical activity-level objectives regularly.    
Risk Identification (RA_3)
1. Management identifies risk using appropriate methodologies. Management uses qualitative and quantitative methods to identify risk and quantify relative risk rankings on a scheduled and periodic basis.

Risk identification and discussion occur at all levels of the agency.

Risk identification includes, but is not limited to, findings from audits, evaluations, and other assessments.
   
2. Management considers external factors when identifying risk. External factors include but are not limited to:
  • Technological advancements and developments;
  • Changing needs or expectations of the Legislature, agency officials, and the public;
  • New legislation or regulations;
  • Natural catastrophes or criminal or terrorist actions;
  • Business, political, and economic changes;
  • Major suppliers and contractors; and
  • Other entities.
   
3. Management considers internal factors when identifying risk. Internal factors include, but are not limited to:
  • Downsizing of agency operations and staff;
  • Business process reengineering or redesign of operating processes;
  • Disruption of information systems and disaster recovery plans;
  • Decentralized program operations;
  • Qualifications and training of staff;
  • Reliance on contractors or other parties to perform critical agency operations;
  • Major changes in managerial responsibilities;
  • Unusual staff access to vulnerable assets;
  • Succession planning and retention of key staff;
  • Competitive compensation and benefit programs; and
  • Availability and adequacy of funding.
   
4. Management considers other risk factors.      
Risk Analysis (RA_4)
1. Management develops a risk tolerance process. Management sets specific tolerance levels. Each agency and program area is assigned specific levels and is expected to implement control activities. They are also expected to monitor results.
Managing Risk During Change (RA_5)
1. Management has a mechanism for reacting to risks presented by changes that can have a dramatic and pervasive effect. Management gives special consideration to:
  • Staffing of key positions or staff turnover;
  • Introduction and training of new or changed information systems;
  • Rapid growth and expansion or rapid downsizing;
  • New technological developments;
  • New outputs or services; and
  • Geographical realignment.
   


III. CONTROL ACTIVITIES

Internal control activities are used by States to mitigate the risks identified during the risk assessment process. These activities are an integral part of the agency’s planning, implementation, and review processes. Internal control activities are essential to holding programs accountable for effective and efficient program results.

Control activities include a wide range of diverse activities, such as approvals, authorizations, verifications, reconciliations, performance reviews, security activities, and the production of records and documentation. They are guided by the agency’s management directives on how to address the risks associated with program missions and objectives. Therefore, a manager or evaluator will assess whether control activities are appropriate and adequate for the risk-assessment process and are being applied effectively and efficiently. This analysis would include controls for computerized information systems.

The control activities in one agency may vary considerably from those used in another agency. This difference may result from (1) variations in missions, goals, and objectives of the agencies; (2) differences in agency environments and the manner in which they operate; (3) differing degrees of organizational complexity; (4) differences in agency histories and culture; and (5) variations in the risks each agency faces and is trying to mitigate. Even if two agencies have the same missions, goals, objectives, and organizational structures, they would probably use different control activities. Control activities vary by individual judgment, implementation strategies, and management approaches.[1]

These elements and criteria are a beginning point. They are not an all-inclusive set of elements and criteria.

[1] Government Accountability Office. (August 2001). Internal Control Management and Evaluation Tool. (GAO Publication No. GAO–01–1008G). Washington, DC: U.S. Government Printing Office.

General Application (CA_1)
Elements | Criteria | Documentation (Provide all applicable documentation) | Findings/Results & Suggested Follow-up if Necessary
1. Management establishes appropriate policies, procedures, techniques, and mechanisms with respect to each of the agency’s activities and those activities related to the Child Care Program. Management establishes objectives and associated risks, identifies the actions and control activities needed to address the risks, and directs their implementation.    
2. For identified control activities, management evaluates their agency’s overall activities and those activities related to the Child Care Program. Staff applies control activities properly and understands their purpose.

Staff review established control activities and provide input.

Management takes timely action on exceptions, implementation problems, or information that requires follow-up.
   
Common Categories of Control Activities (CA_2)
1. Senior management tracks major agency achievements in relation to its plans with respect to each of the agency’s overall activities and those activities related to the Child Care Program. Senior management regularly reviews actual performance against budgets, forecasts, and prior period results and compliance with applicable Federal regulations.

Senior management develops performance plans, measures and reports results, and takes follow-up action as necessary.
   
2. Management reviews performance with respect to each of the agency’s overall activities and those activities related to the Child Care Program. Managers at all levels review performance reports, analyze trends, measure results and compliance with the ACF approved State plan.

Financial and program managers review and compare financial, budgetary, Federal financial compliance, and operational performance to planned or expected results.

Managers use appropriate control activities such as reconciling summary information to supporting detail and checking the accuracy of summaries.
   
3. The agency effectively manages the organization’s workforce to achieve results with respect to each of the agency’s overall activities and those activities related to the Child Care Program. Management incorporates the agency mission, goals, and values in its strategic plan and other guiding documents and communicates this information to all staff.

The agency has a workforce planning strategy which identifies current and future staffing needs.

The agency has a process in place to ensure performance management and compliance with applicable Federal regulations.

The agency has a formal recruiting, hiring, and retention process to ensure a competent workforce.

The agency provides orientation, training, and tools for staff to perform their duties and responsibilities, improve performance, enhance their capabilities, and meet the demands of changing organizational needs.

The compensation system is adequate to acquire, motivate, and retain staff. Staff receive incentives and rewards to encourage them to perform at maximum capability.

The agency provides workplace flexibilities, services, and facilities (e.g., career counseling, flextime, casual-dress days, and child care) to help it compete for talent and enhance staff satisfaction and commitment.

The agency provides qualified and continuous supervision to ensure the achievement of internal control objectives.

Management provides timely, meaningful, honest, and constructive performance evaluations and feedback to help staff. This is designed to help staff understand the connection between their performance and the achievement of the agency’s goals.

Management conducts succession planning to ensure continuity of needed skills and abilities.
   
4. The agency uses a variety of control activities suited to information processing systems to ensure accuracy and completeness with respect to each of the agency’s overall activities and those activities related to the Child Care Program. Edit checks are used in controlling data entry.

The system performs accounting for transactions in numerical sequences.

The system performs file totals that compare control accounts.

The system identifies exceptions or violations indicated by other control activities for further management review and action.
   
5. The agency employs physical control to secure and safeguard vulnerable assets with respect to each of the agency’s overall activities and those activities related to the Child Care Program. The agency has physical safeguarding policies and procedures developed, implemented, and communicated to staff.

The agency regularly updates and communicates its disaster recovery plan to staff.

The agency secures and controls vulnerable assets such as cash, securities, supplies, inventories, and equipment.

The agency periodically counts assets such as cash, securities, supplies, inventories, and equipment and compares the count to control records and exceptions.

The agency maintains cash and negotiable securities under lock and key with access strictly controlled.

Forms such as blank checks and purchase orders are sequentially pre-numbered, physically secured, and access to them is strictly controlled.

Inventories, supplies, and finished items/goods are stored in physically secured areas and protected from damage.

The agency secures facilities from fire with fire alarms and sprinkler systems.

The agency controls access to premises and facilities.
   
6. The agency has established and monitors performance measures and indicators with respect to each of the agency’s overall activities and those activities related to the Child Care Program. The agency periodically reviews and validates the propriety and integrity of both organizational and individual performance measures and indicators.

The agency periodically reviews and ensures that organizational and individual performance measures link to agency mission, goals, and objectives, while complying with law, regulations, and ethical standards.

The agency analyzes and reviews performance measures and indicators for both operational and financial reporting control purposes.

The agency compares actual performance data with expected outcomes and differences. The agency takes corrective action if necessary.

The agency compares different sets of data to one another to analyze their relationships and implement corrective actions if necessary.
   
7. Management divides key duties and responsibilities among different people to reduce the risk of error, waste, or fraud with respect to each of the agency’s overall activities and those activities related to the Child Care Program. The agency does not allow one individual to control all key aspects of a transaction or event.

Examples include:
  • Separation of responsibilities and duties involving transactions and events among different staff with respect to authorization, approval, processing and recording, making payments or receiving funds, review and auditing, and the custodial functions and handling of related assets;
  • Duties are assigned systematically to a number of individuals to ensure that effective checks and balances exist;
  • No one individual can work alone with cash, negotiable securities, or other highly vulnerable assets without prior authorization or monitoring;
  • Individuals responsible for opening mail cannot have responsibility for or access to files or documents pertaining to accounts receivable or cash accounts;
  • Staff with responsibility for case receipts or disbursements cannot reconcile those accounts; and
  • Management reduces the opportunity for collusion to occur.
   
8. Management authorizes appropriate staff to perform transactions and other significant events with respect to each of the agency’s overall activities and those activities related to the Child Care Program. Management establishes appropriate controls.

Management ensures the terms of authorizations are in accordance with directives, within limitations established by law and regulation, and communicated to staff.
   
9. Management ensures the proper classification and timely recording of significant events with respect to each of the agency’s overall activities and those activities related to the Child Care Program. Proper classification and recording take place throughout the entire life cycle of each transaction or event, including authorization, initiation, processing, and final classification in summary records.

Proper classification of transactions and events includes appropriate organization and formatting of information on original documents (hardcopy or electronic) and summary records from which reports and statements are prepared.

The agency maintains accurate records to minimize adjustments.
   
10. Management limits access and assigns custody to resources and records with respect to each of the agency’s overall activities and those activities related to the Child Care Program. Managers review and maintain access restrictions, clearly assign custody, and communicate with those responsible.

Management compares resources with records.
   
11. Management ensures all transactions and other significant events are clearly documented with respect to each of the agency’s overall activities and those activities related to the Child Care Program. Management maintains written documentation that is readily available, complete, useful, properly managed, maintained, and periodically updated.    
12. Management ensures that policies and procedures are in place to adequately monitor sub-recipients, vendors or providers for compliance with applicable Federal regulations with respect to each of the agency’s overall activities and those activities related to the Child Care Program. Management establishes appropriate controls.

Management ensures the terms of authorizations are in accordance with directives, within limitations established by law and regulation, and communicated to the sub-recipient, vendor, or provider.

Management maintains written documentation that is readily available, complete, useful, properly managed, maintained, and periodically updated.
   

III. Control Activities Specific for Information Systems—General Control

Many State agencies use information systems. This section of the Instrument addresses two areas of information systems control activities--general control and application control.

The General Control subsection addresses the structure, policies, and procedures that govern the agency’s computer operations. These elements and criteria apply to all aspects of the agency’s computer operations, ranging from mainframe, servers, and networks, all the way to the end user environment with personal computers, laptops, and other devices.

The General Control section governs how a State’s computer function operates. There are six areas that are examined in the Information Systems General Control activities. They are:
  • Entity wide security management program;
  • Access control;
  • Application software development and change;
  • System software control;
  • Segregation of duties; and
  • Service continuity.

As with the other sections of this Instrument, these elements and criteria are a beginning point. They are not an all-inclusive set of elements and criteria.

Entity-wide Security Management Program (CAGC_1)
Elements | Criteria | Documentation (Provide all applicable documentation) | Findings/Results & Suggested Follow-up if Necessary
1. The agency periodically performs a comprehensive, high-level assessment of risks to its information systems. Management performs and documents risk assessments regularly and whenever systems, facilities, or other conditions change.

Risk assessments consider data sensitivity and integrity.

Management documents final risk determinations, and managerial approvals are kept on file.
   
2. The agency has developed a plan that clearly describes its security program, policies, and procedures. The agency security plan should include physical security of all hardware, software, and peripheral equipment, as well as e-mail and Internet access.

A comprehensive set of security software is in place and kept current.
   
3. Senior management establishes and communicates a clearly defined structure for implementing and managing the security program throughout the agency and defines security responsibilities.      
4. The agency implements effective security-related personnel policies.      
5. The agency monitors the security program’s effectiveness and makes changes as needed. The agency implements, tests, and monitors security policy, compliance, and corrective actions.    
Access Control (CAGC_2)
1. The agency classifies critical and sensitive information resources.      
2. The agency has established physical and logical controls to prevent or detect unauthorized access.      
3. The agency monitors information systems access, investigates apparent violations, and takes appropriate remedial and disciplinary action.      
Application Software Development and Change Control (CAGC_3)
1. The agency authorizes information system processing features and program modifications.      
2. The agency tests and approves new and revised software.      
3. The agency has established procedures to ensure control of its software libraries, including labeling, access restrictions, and use of inventories and separate libraries.      
System Software Control (CAGC_4)
1. The agency limits access to system software and documents authorization for that access based on job responsibilities.
2. The agency controls and monitors access to and use of system software.
3. The agency controls changes made to the system software.      
Segregation of Duties (CAGC_5)
1. The agency identifies and segregates incompatible duties.
2. The agency establishes access controls to enforce segregation of duties.      
3. The agency exercises control over staff activities using formal operating procedures, supervision, and review.      
Service Continuity (CAGC_6)
1. The agency identifies, assesses, and prioritizes computer operations and supportive resources. Management develops, documents, and tests a comprehensive contingency plan.
2. The agency takes steps to prevent and minimize potential damage and interruption. The agency uses data and program backup procedures, including off-site storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.    

 

III. Control Activities Specific for Information Systems—Application Control

Information Systems Application Controls attempt to measure the completeness, accuracy, and validity of all transactions that take place within the State’s computer application. The controls include the computer programs themselves, as well as the policies and procedures that govern the operation of specific applications.

Four major factors make up the Information Systems Application Control activities. The State needs to consider the following:
  • Authorization control;
  • Completeness control;
  • Accuracy control; and
  • Control over integrity of processing and data files.

As in previous sections, the elements and criteria provided here serve as a beginning point for States.

 

Authorization Control (CAAC_1)
Elements | Criteria | Documentation (Provide all applicable documentation) | Findings/Results & Suggested Follow-up if Necessary
1. The agency controls and requires authorized access to source documents. Agency restricts access to incomplete source documents.

The agency sequentially pre-numbers source documents.

The agency requires authorizing signatures to get key source documents.

The agency uses batch control sheets for batch application systems, recording items such as date, control number, number of documents, and control totals for key fields.

Supervisory or independent review of data occurs before entry into the application system.
   
2. Data entry devices have restricted access.      
3. The agency uses master files and exception reports to ensure proper data processing authorization.      
Completeness Control (CAAC_2)
1. The agency enters all authorized transactions into the computer for processing.      
2. The agency performs timely reconciliation to verify data completeness.      
Accuracy Control (CAAC_3)
1. Features of the agency’s data system contribute to data accuracy. The agency data system includes:
  • The system performs data validation and editing to identify erroneous data;
  • The system captures, reports, investigates, and promptly corrects erroneous data; and
  • Staff reviews output reports to maintain data accuracy and validity.
   
Control Over Integrity of Processing and Data Files (CAAC_4)
1. The agency ensures that production programs and data files used during processing are current. Computer routines include:
  • Procedures to verify version control;
  • Routines for checking internal file header labels before processing; and
  • Protection against concurrent file updates.
   

 

IV. INFORMATION AND COMMUNICATIONS

A State must have relevant, reliable information—financial and non-financial—on relevant external and internal activities. This is the basis for the fourth standard, Information and Communications. All of the communication tools and methods of processing information within the agency are part of this standard. Information and communication need to be broad based and accountable, whether the communication is done manually or automated. Communications must be reliable, continuous, appropriate, and secure. The elements and criteria contained in this standard are a way of measuring the degree to which States are providing these types of communications.

As with the other sections of this Instrument, the elements and criteria are a beginning point for States. They are not an all-inclusive set of elements and criteria.

Information (IC_1)
Elements | Criteria | Documentation (Provide all applicable documentation) | Findings/Results & Suggested Follow-up if Necessary
1. Management collects and reviews internal and external performance information. The agency obtains and reports to managers any relevant internal and external information that may affect the achievement of its mission, goals, and objectives, particularly those related to legislative or regulatory developments and political or economic changes.
2. Agency management identifies, obtains, and captures pertinent information and distributes it appropriately. Management provides information that:
  • Has been analyzed;
  • Provides the appropriate level of detail;
  • Is summarized and presented appropriately;
  • Is timely;
  • Is pertinent; and
  • Contains operational, financial, and budgetary information.
   
Communications (IC_2)
1. Management ensures that effective internal communications occur within the agency. Senior management provides a clear message throughout the agency that internal control responsibilities are important and management takes them seriously.

Management clearly communicates specific duties to staff members, so they understand the relevant aspects of internal control. This includes how their roles fit the agency mission, and how their work relates to the work of others.

Staff members are informed that when the unexpected occurs in performing their duties, they must assess not only the event, but also the underlying cause. Staff are informed that potential internal control weaknesses must be identified and corrected before they can do further harm to the agency.

Communication processes allow the easy flow of information down, across, and up the organization. Communications exist between functional activities, such as between procurement activities and production activities.

Staff understands that there will be no reprisals for reporting adverse information, improper conduct, or circumvention of internal control activities.

Staff have procedures for recommending improvements in operations and management acknowledges good staff suggestions with meaningful recognition.

Management communicates frequently with internal oversight groups, such as senior management councils. Management keeps these groups informed about performance, risks, major initiatives, and any other significant events.
   
2. Management ensures that effective external communications occur with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing. Management has open and effective communication channels with clients, suppliers, contractors, consultants, and others that can provide significant suggestions on quality and design of agency products and services.

Management clearly informs all outside parties dealing with the agency of the agency’s ethical standards and ensures they understand that the agency will not tolerate improper actions.

Management encourages communication from external parties, such as Federal agencies, State and local governments, and other related third parties, since these parties may be a source of information on how well internal controls are functioning.

Complaints or inquiries are welcomed, since they can identify control problems.

Management makes certain that the advice and recommendations of auditors and evaluators are fully considered, and that the agency implements actions to correct any problems or weaknesses identified.
   
Forms and Means of Communications (IC_3)
1. Management uses effective methods to communicate with employees and others.      
2. The agency manages its information systems to ensure the usefulness and reliability of the information derived from the systems. Agency integrates the IT strategic plan with the agency plan to assure:
  • Identifying emerging information needs;
  • Utilizing advances in IT;
  • Monitoring the quality of data; and
  • Committing sufficient resources to IT.
   

V. MONITORING

The last internal control standard is Monitoring. An integral part of the Child Care program is monitoring, which allows the State to examine and evaluate the performance of contract and non-contract providers who provide child care and other related services. This standard provides elements and criteria to gauge the effectiveness of the program. The standard also addresses the effectiveness of audits and other ongoing monitoring activities within the State.

“Ongoing monitoring occurs during normal operations and includes regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties. It includes ensuring that managers and supervisors know their responsibilities for internal control and the need to make control and control monitoring part of their regular operating processes. Separate evaluations are a way to take a fresh look at internal control by focusing directly on the control’s effectiveness at a specific time. These evaluations may take the form of self-assessment as well as review of control design and direct testing, and may include the use of this Management and Evaluation Tool or some similar device. In addition, monitoring includes policies and procedures for ensuring that any audit and review findings and recommendations are brought to the attention of management and are resolved promptly. Managers and evaluators should consider the appropriateness of the agency’s internal control monitoring and the degree to which it helps them accomplish their objectives. Listed below are factors a user might consider. The list is a beginning point. It is not all-inclusive, and every item might not apply to every agency or activity within the agency. Even though some of the functions and points may be subjective in nature and require the use of judgment, they are important in establishing and maintaining good internal control monitoring policies and procedures.”2


2 Government Accountability Office. (August 2001.) Internal Control Management and Evaluation Tool. (GAO Publication No. GAO–01–1008G). Washington, DC: U.S. Government Printing Office.


Ongoing Monitoring (M_1)
Elements | Criteria | Documentation (Provide all applicable documentation) | Findings/Results & Suggested Follow-up if Necessary
1. Management ensures effective monitoring and internal control. The agency’s monitoring includes:
  • Communication to managers regarding their responsibilities for internal control and regular monitoring; and
  • Periodic evaluation of control activities for critical operational and mission support systems.
   
2. The agency produces reports used to monitor program activities and to identify inaccuracies or other issues requiring follow-up.      
3. Management monitors communications from external partners. Management investigates customer complaints for potential deficiencies.

Management uses communications and reports from external partners as control monitoring techniques.

Management uses information from oversight groups about compliance or internal control functions to identify problems requiring follow-up.

Management reassesses weak control activities.
   
4. Management uses the agency’s organizational structure to provide oversight of internal control functions. Management uses automated edits and checks and other activities to control the accuracy and completeness of transaction processing.

Management uses separation of duties and responsibilities to help deter fraud.
   
5. The agency’s internal audit department is available to research and recommend improvements within the internal control structure.      
6. Management meets with staff to receive feedback on effectiveness of internal control. Management uses information and feedback concerning internal control from training and planning sessions and other meetings to address problems or strengthen the internal control structure.

Management uses staff suggestions in evaluating the effectiveness of internal controls.

Management encourages staff to identify and report internal control weaknesses.
   
7. Management uses separate evaluations or audits to review risk assessment results, effectiveness of ongoing monitoring and internal controls. Management uses separate evaluations and audits to evaluate significant agency or program changes.

Management uses qualified staff or external providers to conduct separate evaluations or audits.

Management considers risk assessment results and the effectiveness of ongoing monitoring when determining the scope and frequency of evaluations.
   
8. Management ensures the effectiveness of evaluation techniques and methodologies used. The agency’s methodologies may include:
  • Self-assessment;
  • Review of control design;
  • Direct testing of internal control activities; and
  • Computer-assisted audit techniques.

The agency’s evaluation plan is:
  • Coordinated with appropriate parties;
  • Managed and conducted by qualified staff; and
  • Well documented.
   
9. If the agency’s internal audit department conducts evaluations, the agency should have sufficient resources, ability, and independence. The internal audit department or like entity has sufficient levels of competent and experienced staff.

The internal audit department or like entity is independent and reports to the highest levels within the agency.
   
10. Management promptly reports and resolves deficiencies found during evaluations.      
Audit Resolution (M_2)
1. Management ensures prompt resolution of findings from audits and other reviews. Managers review and evaluate audit findings, assessments, and other reviews, including those showing deficiencies and those identifying opportunities for improvements.

Management determines the proper actions to take in response to findings and recommendations.

Management takes corrective action within established time frames to resolve the deficiencies.

Management uses consultations with internal and external auditors and other reviewers as appropriate.
   
2. Management responds to findings and recommendations of audits and other reviews and takes appropriate follow-up action. Senior management evaluates findings and recommendations and determines the appropriate actions.

Management ensures implementation of changes to internal controls.

Senior management reviews periodic reports to ensure the quality and timeliness of resolution decisions.
   


Posted January 31, 2008