Department of Health and Human Services
Administration for Children and Families
The Child Care Bureau

State Assessment of Internal Controls Final Report, May 2007



Appendix M. STATE INTERNAL CONTROL SELF-ASSESSMENT INSTRUMENT

 

(Modified)

 

STATE INTERNAL CONTROL SELF-ASSESSMENT INSTRUMENT

 

 

STATE

 

DATE

 


STATE TEAM (Insert State Name)
(List all members of the State Team, their organization, title, Phone, Fax, and E-mail addresses)
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:
NAME: ORGANIZATION/TITLE:
PHONE: FAX: E-MAIL:

           Add additional pages to capture all staff involved in the assessment process.

 

 

GENERAL INSTRUCTIONS

This tool is a State Internal Control Self-Assessment Instrument for use in a State’s child care program. This tool can be used to help both State and Federal managers determine how well an agency’s internal controls are designed and functioning and help them to determine what, where, and how improvements can be made. States can use this tool specifically for the child care program and contractors, or they can administer it more broadly to address multiple program components.

The tool contains five sections corresponding to the five standards for internal control outlined by the General Accountability Office (GAO) in its document, GAO-01-1008G – Internal Control Management and Evaluation Tool (8/01). The third standard, Control Activities, is further broken down into three additional sections, one dealing with Common Activities and two dealing with Information Systems. The standards are:
  • Control Environment;
  • Risk Assessment;
  • Control Activities:
    • Common Categories of Control Activities;
    • Control Activities Specific for Information Systems—General Control;
    • Control Activities Specific for Information Systems—Application Control;
  • Information and Communications; and
  • Monitoring.
Each section contains a list of major elements and criteria for consideration when reviewing internal controls as they relate to particular standards. These elements represent some of the more important issues addressed by the standard. Included with each element are criteria for States to consider when addressing the elements. The criteria provided are examples and are not all-inclusive. States should use these criteria when considering the degree to which the internal controls are functioning.

States need to evaluate how well the child care program meets each element and criterion and identify those areas where they may be deficient. The States should then take the opportunity to begin formulating a plan of action to address the identified deficiencies.

States should consider using hyperlinks to the appropriate State’s Internet or Intranet site for documentation. This Instrument can then become a source document for internal controls for the child care Lead Agency. States should view this tool as a living document, a starting point that can fit the circumstances, conditions, and risks relevant to their agency. Not all of the elements or criteria will be applicable for every agency. States should attempt to complete all of the sections, but should feel free to note those areas that they do not consider relevant. States that choose to use the tool to assess the whole agency need to have staff of program areas that apply to the whole agency complete the pertinent sections to reflect the whole agency. Child care program staff will complete the sections specific to child care. (These elements and criteria are in italics in the instrument.) Agency staff may then revise the child care specific sections to be relevant to other agency programs, such as Food Stamps and Child Welfare, and then assign staff of those programs to respond to the program-specific elements. Even when the elements are specific to the child care program, there may be overall elements that also refer to the agency as a whole. The overall agency elements should also be included during the review process.

The goal is for this tool to be useful in assessing internal controls as they relate to the achievement of the objectives of the agency, identifying areas of concern, and providing a documented way of addressing those concerns. Ultimately, this tool can help States become more effective and efficient in the development and use of their internal controls. This tool may also be useful in identifying issues with respect to safeguarding assets from improper payments caused by mistakes, inadequate controls, fraud, waste, or abuse.

 

 

I. CONTROL ENVIRONMENT

The Control Environment is the first Internal Control Standard. This standard addresses how the States establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management. State managers and evaluators will review and address each of the elements that affect the accomplishment of this goal to determine if there is a positive control environment.

The elements and criteria contained in this Instrument are a beginning point and not an all-inclusive set of elements and criteria. Some of the elements and criteria are subjective in nature and require States to use judgment when assessing them. It is important to examine each of the elements and criteria, as each is important and can help in achieving control environment effectiveness. Many of the elements within this standard apply to not only the child care program but to the agency as a whole. The appropriate documentation will often be global in nature.

 

Integrity and Ethical Values

Elements   |   Criteria   |   Documentation (Provide all applicable documentation)   |   Findings/Results & Suggested Follow-up if Necessary

1. The agency has a formal code or codes of conduct in place that establishes an ethical culture throughout the organization. These policies establish the high ethical standards to which all employees must adhere and guide the actions of staff as they interact within and outside the agency.

Codes of conduct are comprehensive in nature and include such issues as appropriate use of resources, conflicts of interest, political activities of staff, acceptance of gifts or donations or foreign decorations, and use of due professional care.

The agency periodically reviews codes of conduct, obtains signatures from all staff members, and takes quick and appropriate action as soon as there are any signs that a problem may exist.

Staff members indicate that they know what kind of behavior is acceptable and unacceptable, what penalties unacceptable behavior may bring, and what to do if they become aware of unacceptable behavior.

Management emphasizes the importance of integrity and ethical values through oral communications in meetings, via one-on-one discussions, and by example in daily activities.

Management cooperates with auditors and other evaluators, discloses known problems to them, and values their comments and recommendations.

   

2. Management establishes internal controls and interventions, and takes appropriate disciplinary action in response to violations of the code of conduct.

Management takes action when there are intentional violations of policies, procedures, or the code(s) of conduct.

Management communicates the types of disciplinary actions taken throughout the agency and provides guidance for intervention.

Management fully documents the reasons for any intervention or overriding of internal control and specific actions taken and prohibits overriding of internal control by low-level management staff except in emergencies. Notification and documentation to upper-level management occurs immediately.

   

Commitment to Competence

1. Management has identified and defined the tasks required to accomplish particular jobs and provides training and counseling to help staff maintain and improve job competency.

Management analyzes the tasks and competencies needed for particular jobs; establishes formal job descriptions that identify the necessary knowledge, skills, and abilities needed for various jobs; and makes them known to staff.

Evidence exists that the agency makes every effort to assure that staff selected for various positions have the requisite knowledge, skills, and abilities.

The agency provides an appropriate training program to meet the needs of staff, emphasizes the need for continuing training, and has a control mechanism to ensure that staff receive appropriate training.

Supervisors have the necessary training and management skills to provide effective job performance counseling, and provide staff candid and constructive job performance counseling.

Management bases performance appraisals on an assessment of competencies and clearly identifies areas in which staff are performing well and areas that need improvement.

 

 

Management Philosophy and Operating Style

1. Management analyzes the risks of new ventures or operations and determines appropriate mitigation and minimization strategies.

Management conducts risk assessments for new ventures.

Management pursues strategies to minimize risk for major new ventures and operations.

 

 

2. Management analyzes agency staffing and endorses the use of performance-based management.

Management analyzes patterns of staff turnover, including loss of key staff or excessive turnover. Management develops transition plans.

 

 

3. Management and operating/program management interact to carry out the mission.

Management monitors the coordination between operations and program to ensure that the agency mission is achieved.

 

 

Organizational Structure

1. Management defines and communicates key areas of authority and responsibility.

Staff members understand their areas of responsibility.

Staff members understand their internal control responsibilities.

 

 

2. Management establishes clear internal reporting relationships.

The organization structure facilitates the flow of information throughout the agency.

Management makes staff aware of the established reporting relationships.

 

 

3. Management evaluates the organizational structure and makes necessary changes to respond to changing conditions.

Management conducts periodic reviews of the organizational structure.

Management establishes a process for making organizational changes when conditions warrant.

 

 

4. Management supports appropriate staffing levels to carry out the mission of the agency.

Staff members have time to carry out their duties and responsibilities.

Staff members do not have to work excessive overtime or outside the ordinary workweek to complete assigned tasks.

Management and supervisors are not fulfilling more than one role.

 

 

Assignment of Authority and Responsibility

1. The agency appropriately assigns authority and delegates responsibility to the proper staff.

Management communicates the assigned authority and responsibility to staff.

Management holds individuals accountable for decisions and outcomes within their responsibility and authority.

Management has effective procedures to monitor results.

Management appropriately balances the delegation of authority between senior staff and staff at lower levels to get the job done.

 

 

Human Resource Policies and Practices

1. Policies and procedures are in place for hiring, orienting, training, evaluating, counseling, promoting, compensating, disciplining, and terminating staff.

Management participates in the hiring process.

Management ensures that position descriptions and qualifications meet State personnel rules and are standardized throughout the agency for similar jobs.

Management establishes a training program that includes orientation programs for new staff and continuing education for all staff.

Management supports promotion, compensation, or rotation of staff based upon periodic performance appraisals.

Management links performance appraisals to its goals and objectives.

Performance appraisal criteria reflect the importance of integrity and ethical values.

Staff receive appropriate feedback and counseling on their job performance.

Management responds to violations of policies or ethical standards with appropriate discipline or remedial action.

 

 

Oversight Groups

1. The agency has mechanisms in place to monitor and review operations and programs.

An independent entity audits and reviews agency activity.

An audit committee or senior management council reviews the internal audit work and coordinates closely with the independent entity and external auditors.

The internal audit unit reports to the agency head.

The internal audit function reviews agency activities and systems and provides information, analyses, recommendations, and counsel to management.

 

 

2. The agency works closely with all executive and legislative branch oversight organizations.

The agency provides the Legislature with timely and accurate information to allow for monitoring of agency activities, including review of the agency’s mission and goals and provision of reports on agency performance, finances, and operating issues.

High-level agency officials meet regularly with staff from the Legislature and Governor’s Office to discuss major issues affecting operations, internal control, performance, and other issues affecting agency programs.

 

 

 

II. RISK ASSESSMENT

The second internal control standard is Risk Assessment. Clear, consistent agency goals and objectives at both the agency and program level are essential for agencies to operate efficiently and effectively. When an agency has established and articulated objectives, the agency may be able to identify actual or potential risks/problems—internal and external—that could impede the accomplishment of those objectives in an efficient manner. When an agency identifies potential risks/problems and their possible effect on the organization, they may be able to prevent those problems or reduce their impact. This section is designed to assist agencies in this process.

Once again, this is not an all-inclusive list. It is a starting point from which States can begin to build a dynamic assessment of actual or potential risks/problems and mitigation strategies. Some of the elements and criteria are subjective in nature. It is important to examine each of the elements and criteria, as each is important.

 

Establishment of Entity-wide Objectives

Elements   |   Criteria   |   Documentation (Provide all applicable documentation)   |   Findings/Results & Suggested Follow-up if Necessary

1. Management establishes agency specific objectives and communicates them to all staff.

Management establishes a strategic plan that includes agency mission, goals, and objectives.

Management establishes objectives based on program requirements.

 

 

2. Management has an integrated management strategy, risk assessment, and control structure to address risks and operational strategies that support entity-wide objectives.

Strategic plans address resource allocations and priorities.

Management designs strategic plans and budgets with an appropriate level of detail for various management levels.

 

 

Establishment of Activity

1. Management identifies and reviews mission critical program strategies, agency objectives, and outcome criteria and measures.

Management reviews program strategies periodically to assure that they have continued relevance.

Management reviews and monitors critical activity-level objectives regularly.

 

 

2. Management allocates sufficient resources to meet objectives.

Management provides the necessary resources to review and monitor the agency objectives and outcome measures on a regular basis.

 

 

Risk Identification

1. Management identifies risk using appropriate methodologies.

 

Management uses qualitative and quantitative methods to identify risk and quantify relative risk rankings on a scheduled and periodic basis.

Risk identification and discussion occur at all levels of the agency.

 

Risk identification includes, but is not limited to, findings from audits, evaluations, and other assessments.

 

 

2. Management considers all factors when identifying risk, including external, internal, and outside factors.

External factors include, but are not limited to:

  • Technological advancements and developments;
  • Changing needs or expectations of the Legislature, agency officials, and the public;
  • New legislation or regulations;
  • Natural catastrophes or criminal or terrorist actions;
  • Business, political, and economic changes;
  • Major suppliers and contractors; and
  • Other entities.

Internal factors include, but are not limited to:

  • Downsizing of agency operations and staff;
  • Business process reengineering or redesign of operating processes;
  • Disruption of information systems and disaster recovery plans;
  • Decentralized program operations;
  • Qualifications and training of staff;
  • Reliance on contractors or other parties to perform critical agency operations;
  • Major changes in managerial responsibilities;
  • Unusual staff access to vulnerable assets;
  • Succession planning and retention of key staff;
  • Competitive compensation and benefit programs; and
  • Availability and adequacy of funding.

 

 

 

Risk Analysis

1. Management develops a risk tolerance process.

Management sets specific tolerance levels and assigns specific acceptable levels of risk for the agency as well as each relevant program area.

Management expects programs to implement control activities and monitor the results.

 

 

Managing Risk During Change

1. Management has a mechanism for reacting to risks presented by changes that can have a dramatic and pervasive effect.

Management gives special consideration to:

  • Staffing of key positions or staff turnover;
  • Introduction and training of new or changed information systems;
  • Rapid growth and expansion or rapid downsizing;
  • New technological developments;
  • New outputs or services; and
  • Geographical realignment.

 

 

 

 


III. CONTROL ACTIVITIES

States use internal Control Activities to mitigate the risks identified during the risk assessment process. These activities are an integral part of agencies' planning, implementation, and review processes. Internal control activities are essential to holding programs accountable for effective and efficient program results.

Control includes a wide range of diverse activities, such as approvals, authorizations, verifications, reconciliations, performance reviews, security activities, and the production of records and documentation. Agencies' management directives guide controls on how to address the risks associated with program missions and objectives. Managers or evaluators will assess whether control activities are appropriate, adequate, and effectively and efficiently applied. This analysis would include controls for computerized information systems.

Control Activities may vary considerably from agency to agency. These differences may result from (1) variations in missions, goals, and objectives of the agencies; (2) differences in agency environments and how they operate; (3) differing degree of organizational complexity; (4) differences in agency histories and culture; and (5) variations in the risks each agency faces and is trying to mitigate. Even if two agencies have the same missions, goals, objectives, and organizational structures, they would probably use different control activities. Control Activities vary by individual judgment, implementation strategies, and management approaches.

This section pertains specifically to the child care program. These elements and criteria are in italics and child care staff will complete this section; however, even when the elements are specific to the child care program, there may be overall elements that also refer to the agency as a whole. The overall agency elements should also be included during the review process because they may directly or indirectly affect the child care program. States are encouraged to use this Instrument for other programs as well, such as Food Stamps and TANF. If States do expand the use of this Instrument to these programs, they would revise the language to reflect the specifics of the additional programs. The elements and criteria in this section are a beginning point. They are not an all-inclusive set of elements and criteria.

 

General Application

Elements   |   Criteria   |   Documentation (Provide all applicable documentation)   |   Findings/Results & Suggested Follow-up if Necessary

1. Management establishes appropriate policies, procedures, techniques, and mechanisms with respect to each of the child care program’s activities.

Management establishes objectives and associated risks, identifies the actions and control activities needed to address the risks, and directs their implementation.

 

 

2. For identified control activities, management evaluates the child care program’s overall activities.

Staff applies control activities properly and understands their purpose.

Staff review established control activities and provide input.

Management takes timely action on exceptions, implementation problems, or information that requires follow-up.

 

 

Common Categories of Control Activities

1. Management tracks major child care program achievements in relation to the ACF approved State Plan.

Management regularly reviews actual performance against budgets, forecasts, and prior period results and compliance with applicable Federal regulations and the current State Plan.

Management develops performance plans, measures and reports results, and takes follow-up action as necessary.

 

 

2. Management reviews specific performance measures with respect to each of the agency’s overall activities particularly those activities related to the child care program.

Managers at all levels review performance reports, analyze trends, and measure results and compliance with the ACF approved State plan.

Financial and program managers review and compare financial, budgetary, Federal financial compliance, and operational performance to planned or expected results.

Managers use appropriate control activities such as reconciling summary information to supporting detail and checking the accuracy of summaries.

 

 

3. The agency effectively manages the organization’s child care workforce to achieve results with respect to each of the agency’s overall activities.

The agency incorporates the overall agency mission, goals, and values in its strategic plan and other guiding documents and communicates this information to all staff.

The agency has a workforce planning strategy, which identifies current and future staffing needs.

The agency has a process in place to ensure performance management and compliance with applicable Federal regulations.

The agency has a formal recruiting, hiring, and retention process to ensure a competent workforce.

The agency provides orientation, training, and tools for staff to perform their duties and responsibilities, improve performance, enhance their capabilities, and meet the demands of changing organizational needs.

The compensation system is adequate to acquire, motivate, and retain staff. Staff receive incentives and rewards to encourage them to perform at maximum capability.

The agency provides workplace flexibility, services, and facilities (e.g., career counseling, flextime, casual-dress days, and child care) to help it compete for talent and enhance staff satisfaction and commitment.

The agency provides qualified and continuous supervision to ensure the achievement of internal control objectives.

Management provides timely, meaningful, honest, and constructive performance evaluations and feedback to help staff understand the connection between their performance and the achievement of the agency’s goals.

Management conducts succession planning to ensure continuity of needed skills and abilities.

 

 

4. The agency employs physical control to secure and safeguard vulnerable assets within the child care program.

The agency has physical safeguarding policies and procedures developed, implemented, and communicated to staff.

The agency regularly updates and communicates its disaster recovery plan to staff.

The agency secures and controls vulnerable assets such as cash, securities, supplies, inventories, and equipment.

The agency periodically counts assets such as cash, securities, supplies, inventories, and equipment and compares the count to control records and exceptions.

The agency maintains cash and negotiable securities under lock and key with access strictly controlled.

Forms such as blank checks and purchase orders are sequentially pre-numbered, physically secured, and access to them is strictly controlled.

Inventories, supplies, and finished items/goods are stored in physically secured areas and protected from damage.

The agency secures facilities from fire with fire alarms and sprinkler systems.

The agency controls access to premises and facilities.

The agency ensures that contractors employ physical control to secure and safeguard vulnerable assets.

 

 

5. Management divides key duties and responsibilities among different people to reduce the risk of error, waste, or fraud in the child care program.

The agency does not allow one individual to control all key aspects of a transaction or event.

Examples include:

  • Separation of responsibilities and duties involving transactions and events among different staff with respect to authorization, approval, processing and recording, making payments or receiving funds, review and auditing, and the custodial functions and handling of related assets;
  • Duties are assigned systematically to a number of individuals to ensure that effective checks and balances exist;
  • No one individual can work alone with cash, negotiable securities, or other highly vulnerable assets without prior authorization or monitoring;
  • Individuals responsible for opening mail cannot have responsibility for or access to files or documents pertaining to accounts receivable or cash accounts;
  • Staff with responsibility for cash receipts or disbursements cannot reconcile those accounts; and
  • Management reduces the opportunity for collusion to occur.

 

 

6. Management authorizes appropriate staff to perform and document all transactions and other significant events within the child care program.

Management establishes appropriate controls.

Management ensures the terms of authorizations are in accordance with directives, within limitations established by law and regulation, and communicated to staff and contractors.

Management maintains written documentation that is readily available, complete, useful, properly managed, maintained, and periodically updated.

 

 

7. Management ensures the proper classification and timely recording of significant events in the child care program.

Proper classification and recording take place throughout the entire life cycle of each transaction or event, including authorization, initiation, processing, and final classification in summary records.

Proper classification of transactions and events includes appropriate organization and formatting of information on original documents (hardcopy or electronic) and summary records from which reports and statements are prepared.

The agency maintains accurate records to minimize adjustments.

 

 

8. Management limits access and assigns custody to resources and records within the child care program.

Managers review and maintain access restrictions, clearly assign custody, and communicate with those responsible.

Management compares resources with records.

 

 

9. Management ensures that policies and procedures are in place for adequate monitoring of sub-recipients, vendors, or providers for compliance with applicable Federal regulations.

Management establishes appropriate controls.

Management ensures the terms of authorizations are in accordance with directives, within limitations established by law and regulation, and communicated to the sub-recipient, vendor, or provider.

Management maintains written documentation that is readily available, complete, useful, properly managed, maintained, and periodically updated.

 

 

 

III. Control Activities Specific for Information Systems—General Control

Many State agencies use information systems. This section of the Instrument addresses two areas of information systems Control Activities--General Control and Application Control. Because internal controls within information technology affect any agency using those services, the elements and criteria apply across the agency as a whole. However, States completing the Instrument need to pay particular attention to determine if controls are in place specifically for the child care system. The child care system includes any entity providing child care services under contract to the States.

The General Control subsection addresses the structure, policies, and procedures that govern agencies' computer operations. These elements and criteria apply to all aspects of the agency’s computer operations, ranging from mainframe, servers, and networks all the way to the end user environment of personal computers, laptops, and other devices.

The General Control section governs how States' computer functions operate. This section examines six areas of the information systems general control activities:

  • Entity wide security management program;
  • Access control;
  • Application software development and change;
  • System software control;
  • Segregation of duties; and
  • Service continuity.

As with the other sections of this Instrument, these elements and criteria are a beginning point. They are not an all-inclusive set of elements and criteria.

 

Entity-wide Security Management Program

Elements   |   Criteria   |   Documentation (Provide all applicable documentation)   |   Findings/Results & Suggested Follow-up if Necessary

1. The agency periodically performs a comprehensive, high-level assessment of risks to its information systems, including its child care system.

Management performs and documents risk assessments regularly and whenever systems, facilities, or other conditions change.

Risk assessments consider data sensitivity and integrity.

Management documents final risk determinations and managerial approvals and keeps them on file.

   

2. The agency has developed a plan that clearly describes its security program, policies, and procedures.

The agency security plan includes physical security of all hardware, software, and peripheral equipment, as well as e-mail and Internet access.

A comprehensive set of security software is in place and kept current.

   

3. Management establishes and communicates a clearly defined structure for implementing and managing the security program throughout the agency and its contractors and defines security responsibilities.

The agency has established policies and procedures for managing the security program.

The agency has a mechanism to examine the security procedures employed by child care contractors.

   

4. The agency implements effective security-related personnel policies.

The agency ensures that security-related personnel policies are in place both internally and with child care contractors.

   

5. The agency monitors the security program’s effectiveness and makes changes as needed.

The agency implements, tests, and monitors security policy, compliance, and corrective actions.

   

Access Control

1. The agency classifies critical and sensitive information resources.

The agency has a consistent policy in place to define critical and sensitive information.

   

2. The agency has established physical and logical controls to prevent or detect unauthorized access.

The agency has established policies and procedures to control and/or detect unauthorized access to agency-computerized resources.

   

3. The agency monitors information systems access, investigates apparent violations, and takes appropriate remedial and disciplinary action.

The agency has policies and procedures in place to monitor, detect, and investigate unauthorized access to agency-computerized resources.

The agency has established disciplinary procedures in place to address unauthorized access.

   

Application Software Development and Change Control

1. The agency authorizes information system processing features and program modifications.

     

2. The agency tests and approves new and revised software.

     

3. The agency has established procedures to ensure control of its software libraries, including labeling, access restrictions, and use of inventories and separate libraries.

     
System Software Control

1. The agency limits access to system software, and documents authorization for that access, based on job responsibilities.

     

2. The agency controls changes made to the system software.

     

Segregation of Duties

1. The agency establishes access controls to enforce segregation of duties.

     

2. The agency exercises control over staff activities using formal operating procedures, supervision, and review.

     

Service Continuity

1. The agency identifies, assesses, and prioritizes computer operations and supportive resources.

Management develops, documents, and tests a comprehensive contingency plan.

   

2. The agency takes steps to prevent and minimize potential damage and interruption.

The agency uses data and program backup procedures, including off-site storage of backup data, as well as environmental controls, staff training, and hardware maintenance and management.

   

 

III Control Activities Specific for Information Systems—Application Control

Information Systems Application Controls attempt to measure the completeness, accuracy, and validity of all transactions that take place within the State’s computer application. The controls include the computer programs themselves, as well as the policies and procedures that govern the operation of specific applications. States' reviews of the elements need to include a review of all contractors that provide child care services to ensure the adequacy of their internal controls.

Some elements in this section are self-explanatory. Associated criteria are not necessary.

Four major factors make up the Information Systems Application Control activities. States need to consider the following:

  • Authorization control;
  • Completeness control;
  • Accuracy control; and
  • Control over integrity of processing and data files.

As in previous sections, the elements and criteria provided here serve as a beginning point for States.

 

Authorization Control

Elements

Criteria

Documentation

(Provide all applicable documentation)

Findings/Results & Suggested Follow-up if Necessary

1. The agency requires and controls authorized access to source documents.

Agency restricts access to incomplete source documents.

The agency sequentially pre-numbers source documents.

The agency requires authorizing signatures to get key source documents.

The agency uses batch control sheets for batch application systems, recording information such as date, control number, number of documents, and control totals for key fields.

Supervisory or independent review of data occurs before entry into the application system.

 

 

2. Data entry devices have restricted access.

Data entry devices include desktop PCs, laptops, PDAs, Blackberries, tablet PCs, etc.


 

3. The agency uses master files and exception reports to ensure proper data processing authorization.

 

 

 

Completeness Control

1. The agency enters all authorized transactions into the computer for processing.

 

 

 

2. The agency performs timely reconciliation to verify data completeness.

 

 

 

Accuracy Control

1. Features of the agency’s data system contribute to data accuracy.

The agency data system includes:

  • Data validation and editing to identify erroneous data;

  • The ability to capture, report, investigate, and promptly correct erroneous data; and

  • Staff review of output reports to maintain data accuracy and validity.

 

 

Control Over Integrity of Processing and Data Files

1. The agency ensures that production programs and data files used during processing are current.

Computer routines include:

  • Procedures to verify version control;

  • Routines for checking internal file header labels before processing; and

  • Protection against concurrent file updates.

 

 

 

IV. INFORMATION AND COMMUNICATIONS

States must have relevant, reliable information—financial and non-financial—on relevant external and internal activities. This is the basis for the fourth standard, Information and Communications. All of the communication tools and methods of processing information within the agency are part of this standard. Information and communication need to be broad based and accountable, whether the communication is done manually or automated. Communications must be reliable, continuous, appropriate, and secure. The elements and criteria contained in this standard are a way of measuring the degree to which States are providing these types of communications.

As with the other sections of this Instrument, the elements and criteria are a beginning point for States. They are not an all-inclusive set of elements and criteria.

 

 

Information

Elements

Criteria

Documentation

(Provide all applicable documentation)

Findings/Results & Suggested Follow-up if Necessary

1. Management collects, reviews, and distributes internal and external performance information.

The agency obtains and reports to managers any relevant internal and external information that may affect the achievement of its mission, goals, and objectives, particularly those related to legislative or regulatory developments and political or economic changes.

Management ensures that information:

  • Has been analyzed;
  • Provides the appropriate level of detail;
  • Is summarized and presented appropriately;
  • Is timely;
  • Is pertinent; and
  • Contains operational, financial, and budgetary information.

 

 

Communications

1. Management ensures that effective internal communications occur within the agency.

Senior management provides a clear message throughout the agency that internal control responsibilities are important and management takes them seriously.

Management clearly communicates specific duties to staff members, so they understand the relevant aspects of internal control. This includes how their roles fit the agency mission, and how their work relates to the work of others.

Staff are informed that, when the unexpected occurs in performing their duties, they must assess not only the event, but also the underlying cause. Staff are informed that potential internal control weaknesses must be identified and corrected before they can do further harm to the agency.

Communication processes allow the easy flow of information down, across, and up the organization. Communication exists between functional activities, such as between procurement activities and production activities.

Staff understand that there will be no reprisals for reporting adverse information, improper conduct, or circumvention of internal control activities.

Staff have procedures for recommending improvements in operations and management acknowledges good staff suggestions with meaningful recognition.

Management communicates frequently with internal oversight groups, such as senior management councils. Management keeps these groups informed about performance, risks, major initiatives, and any other significant events.

 

 

2. Management ensures that effective external communications occur with groups that can have a serious impact on programs, projects, operations, and other activities, including budgeting and financing.

Management has open and effective communication channels with clients, suppliers, contractors, consultants, and others that can provide suggestions on quality and design of agency products and services.

Management clearly informs all outside parties dealing with the agency of the agency’s ethical standards and that the agency will not tolerate improper actions.

Management encourages communication from external parties, such as Federal agencies, State and local governments, and other related third parties, since these parties may be a source of information on how well internal controls are functioning.

Complaints or inquiries are welcomed, since they can identify control problems.

Management makes certain that the advice and recommendations of auditors and evaluators are fully considered, and that the agency implements actions to correct any problems or weaknesses identified.

 

 

Forms and Means of Communications

1. Management uses effective methods to communicate with employees and others.

 

 

 

2. The agency manages its information, including its information systems, to ensure the usefulness and reliability of the information derived from the systems.

Agency integrates the IT strategic plan with the agency plan to assure:

  • Identifying emerging information needs;
  • Utilizing advances in IT;
  • Monitoring the quality of data; and
  • Committing sufficient resources to IT.

 

 

 

V. MONITORING

The last internal control standard is Monitoring. An integral part of the child care program is monitoring, which allows the States to examine and evaluate the performance of contract and non-contract providers who provide child care and other related services. This standard provides elements and criteria to gauge the effectiveness of the program. The standard also addresses the effectiveness of audits and other ongoing monitoring activities within the States.

States must undertake ongoing monitoring during normal operations as part of their normal business practice. These monitoring activities include regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties. Managers and supervisors must know their responsibilities for internal control and they need to make control monitoring an integral part of their regular operating processes. Separate evaluations are a way to take a fresh look at internal control by focusing directly on the control’s effectiveness at a specific time. These evaluations may take the form of self-assessment as well as review of control design and direct testing, and may include the use of this management and evaluation tool. In addition, monitoring includes policies and procedures for ensuring that any audit and review findings and recommendations are brought to the attention of management and are resolved promptly. Managers and evaluators should consider the appropriateness of the agency’s internal control monitoring and the degree to which it helps them accomplish their objectives. Listed below are factors a user might consider. The list is a beginning point. It is not all-inclusive, and every item might not apply to every agency or activity within the agency. Even though some of the functions and points may be subjective in nature and require the use of judgment, they are important in establishing and maintaining good internal control monitoring policies and procedures.

 

Ongoing Monitoring

Elements

Criteria

Documentation

(Provide all applicable documentation)

Findings/Results & Suggested Follow-up if Necessary

1. Management ensures effective monitoring and internal control.

The agency’s monitoring includes:

  • Communication to managers regarding their responsibilities for internal control and regular monitoring; and
  • Periodic evaluation of control activities for critical operational and mission support systems.

 

 

2. The agency produces reports used to monitor program activities and to identify inaccuracies or other issues requiring follow-up.

 

 

 

3. Management monitors communications from external partners.

Management investigates customer complaints for potential deficiencies.

Management uses communications and reports from external partners as control monitoring techniques.

Management uses information from oversight groups about compliance or internal control functions to identify problems requiring follow-up.

Management reassesses weak control activities.

 

 

4. Management uses the agency’s organizational structure to provide oversight of internal control functions.

Management uses automated edits and checks and other activities to determine control accuracy and completeness of transaction processing.

Management uses separation of duties and responsibilities to help deter fraud.

 

 

5. The agency’s internal audit department is available to research and recommend improvements within the internal control structure.

 

 

 

6. Management meets with staff to receive feedback on effectiveness of internal control.

Management uses information and feedback concerning internal control from training and planning sessions and other meetings to address problems or strengthen the internal control structure.

Management uses staff suggestions in evaluating the effectiveness of internal controls.

Management encourages staff to identify and report internal control weaknesses.

 

 

7. Management uses separate evaluations or audits to review risk assessment results, effectiveness of ongoing monitoring, and internal controls.

Management uses separate evaluations and audits to evaluate significant agency or program changes.

Management uses qualified staff or external providers to conduct separate evaluations or audits.

Management considers risk assessment results and the effectiveness of ongoing monitoring when determining the scope and frequency of evaluations.

 

 

8. Management ensures the effectiveness of evaluation techniques and methodologies used.

The agency’s methodologies may include:

  • Self-assessment;
  • Review of control design;
  • Direct testing of internal control activities; and
  • Computer-assisted audit techniques.

The agency’s evaluation plan is:

  • Coordinated with appropriate parties;
  • Managed and conducted by qualified staff; and
  • Well documented.

 

 

9. If the agency’s internal audit department conducts evaluations, the agency has sufficient resources, ability, and independence.

The internal audit department or like entity has sufficient levels of competent and experienced staff.

The internal audit department or like entity is independent and reports to the highest levels within the agency.

 

 

10. Management promptly reports and resolves deficiencies found during evaluations.

 

 

 

Audit Resolution

1. Management ensures prompt resolution of findings from audits and other reviews.

Managers review and evaluate audit findings, assessments, and other reviews, including those showing deficiencies and those identifying opportunities for improvements.

Management determines the proper actions to take in response to findings and recommendations.

Management takes corrective action within established time frames to resolve the deficiencies.

Management uses consultations with internal and external auditors and other reviewers as appropriate.

 

 

2. Management responds to findings and recommendations of audits and other reviews and takes appropriate follow-up action.

Senior management evaluates findings and recommendations and determines the appropriate actions.

Management ensures implementation of changes to internal controls.

Senior management reviews periodic reports to ensure the quality and timeliness of resolution decisions.

 

 

 


Posted January 31, 2008